SQL injection: blind and error-based injection

Blind injection

Blind injection means there is no echo: the query result is never displayed, so you cannot adjust the injected data by looking at an intuitive result. Whether the injection succeeded can only be learned by other means, mainly by using the database's built-in functions.

Boolean-based blind injection

Boolean obviously means True and False: the injected statement only tells you True or False, according to the condition you inject.

In fact, injection at a login form is Boolean-based. The "universal password" constructs a query condition that is always true, such as the following:

SELECT user FROM test WHERE passwd = '{inject}';
# construct an always-true condition, so the WHERE clause holds even when the password is wrong
SELECT user FROM test WHERE passwd = 'aa' or '1' = '1';
# injected data: aa' or '1' = '1

Whether or not the correct password is entered, the query condition is true.

That is exactly what Boolean-based blind injection uses. When do we need it?

1) When there is no output point for the data, so we cannot intuitively judge whether the SQL injection executed;

2) When there are only two kinds of response, right or wrong: for example, a correct query returns one page and a failed query returns another page, but no data is shown.
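The login query above, as an added example that is not part of the original post: the vulnerable string-formatted query beside its parameterized form, run against a constructed in-memory SQLite table named test (the table name and the user row are assumptions). The always-true input from the page makes the formatted query return a row without the password, while the bound parameter is compared as a literal string.

```python
import sqlite3

UNIVERSAL_PASSWORD = "aa' or '1'='1"   # the page's always-true login input


def make_db():
    # Constructed stand-in for the page's "test" table: one user with a known password.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE test (user TEXT, passwd TEXT)")
    con.execute("INSERT INTO test VALUES ('admin', 's3cret')")
    return con


def login_vulnerable(con, passwd):
    # The input is spliced into the statement text, so the database parses it as SQL:
    # "... WHERE passwd = 'aa' or '1'='1'" is true for every row.
    sql = "SELECT user FROM test WHERE passwd = '{}'".format(passwd)
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con, passwd):
    # The input is bound as a value; the quote and the OR never reach the parser.
    sql = "SELECT user FROM test WHERE passwd = ?"
    return [row[0] for row in con.execute(sql, (passwd,))]


if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, "wrong"))                  # []
    print(login_vulnerable(con, UNIVERSAL_PASSWORD))       # ['admin']: condition always true
    print(login_parameterized(con, UNIVERSAL_PASSWORD))    # []: no row has that literal password
    print(login_parameterized(con, "s3cret"))              # ['admin']
```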

Time-based blind injection

Here the response has only one form: whatever the input value, the page is handled as in the normal case. By adding a specific time function and observing the difference in the page's response time, we can determine whether the injected statement is correct.

Built-in functions used

sleep(n): suspend execution for n seconds
IF(expr1, expr2, expr3): if the condition expr1 is true, expr2 is evaluated; if it is false, expr3 is evaluated

Injection statement

SELECT user FROM test WHERE passwd = 'aa' and (IF(ASCII(substr(database(),1,1)) > 100, SLEEP(10), null));
# injected data: aa' and (IF(ASCII(substr(database(),1,1)) > 100, SLEEP(10), null));-- +

When do we need this?

1) When there is no output point for the data, so we cannot intuitively judge whether the SQL injection executed;

2) When the query returns the same data whether the injected condition is true or false, so you cannot judge from the response whether the SQL statement executed.

Error-based injection

The following injection methods are given:

# floor error-based injection
SELECT 1 FROM (SELECT COUNT(*), CONCAT(([payload]), FLOOR(RAND()*2)) AS a FROM information_schema.columns GROUP BY a) b LIMIT 0,1
# extractvalue error-based injection
SELECT extractvalue(1, concat(0x5c, ([payload])))
# updatexml error-based injection
SELECT 1 = (updatexml(1, concat(0x3a, ([payload])), 1))

floor error-based injection

floor(x) is a rounding-down function: it returns the largest integer less than or equal to x.

In the example above, the argument passed to floor is rand(), which returns a random number between 0 and 1.

floor error injection mainly uses the mechanism of GROUP BY. First look at the principle:

The principle of GROUP BY is that each row of data is read in a loop and the result is saved in a temporary table. For each row read, the key is computed: if the key already exists in the temporary table, that row of the temporary table is not updated; if the key does not exist, the key and the row's data are inserted into the temporary table. GROUP BY floor(rand(0)*2) causes an error because the key is a random number. When checking whether the key exists in the temporary table, floor(rand(0)*2) may evaluate to 0; if at that moment the temporary table only contains a row with key 1 and no row with key 0, the database goes to insert this record into the temporary table. But because the key is a random number, it is computed again for the insertion, and this time floor(rand(0)*2) may be 1, so the insert conflicts with the existing row and an error is raised. That is, the two random values computed for detection and for insertion differ, and when the value to insert already exists, a conflict error results.

The error arises mainly because the key is calculated twice, once for detection and once for insertion, and the two values are inconsistent.
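A simulation of the GROUP BY mechanism just described, added here as an example and not taken from the original post: the key is evaluated once for the lookup and again for the insert, and the conflict surfaces as a duplicate-key error that quotes the key, which is why the payload concatenated in front of the floor value appears in the message. The sequence of floor(rand(0)*2) values is the one commonly quoted for MySQL's seeded rand(0) and is hard-coded here as an assumption; the payload result "DBNAME" is a constructed placeholder.

```python
# Assumed first values of floor(rand(0)*2) in MySQL (seeded, so the sequence is repeatable).
RAND0_FLOOR_SEQUENCE = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1]


def simulate_group_by(n_rows, payload_result="DBNAME", recompute_on_insert=True):
    """Model a GROUP BY over n_rows rows whose key is concat(payload_result, floor(rand(0)*2)).

    Returns the finished temporary table (key -> count) or, when the key is recomputed
    for the insert and collides with an existing entry, the MySQL-style error string.
    """
    draws = iter(RAND0_FLOOR_SEQUENCE)   # every evaluation of rand(0) consumes one draw
    temp_table = {}
    for _ in range(n_rows):
        key = payload_result + str(next(draws))      # evaluation 1: look the key up
        if key in temp_table:
            temp_table[key] += 1                     # key present: row is counted, nothing inserted
            continue
        if recompute_on_insert:
            key = payload_result + str(next(draws))  # evaluation 2: recomputed for the insert
            if key in temp_table:
                # The recomputed key already exists: this is the error the injection relies on.
                return "ERROR 1062: Duplicate entry '%s' for key 'group_key'" % key
        temp_table[key] = 1
    return temp_table


if __name__ == "__main__":
    print(simulate_group_by(2))                            # {'DBNAME1': 2}: two rows are not enough
    print(simulate_group_by(3))                            # third row: lookup 0, insert 1 -> duplicate
    print(simulate_group_by(3, recompute_on_insert=False))  # a stable key never conflicts
```

With the assumed sequence the first row looks up key 0, inserts key 1, the second row finds key 1, and the third row again looks up 0 but inserts 1, so at least three rows are needed for the collision, which is why the payload groups over a large system table.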

 

extractvalue error-based injection

ExtractValue(xml_frag, xpath_expr)

ExtractValue() accepts two string arguments:

xml_frag, a fragment of XML markup;

xpath_expr, an XPath expression (also called a locator).

The first parameter is the target XML document; the second parameter is the search path, expressed in XPath notation.

Principle

If the XPath expression is written with a syntax error, the function raises an error, and the error message quotes the malformed expression. That feature is used here to obtain what we want to know.

 

updatexml error-based injection

First understand the function updatexml():

UPDATEXML(XML_document, XPath_string, new_value)
The first argument, XML_document: a string, the name of the XML document object, called Doc in the text.
The second argument, XPath_string: an XPath string; if you do not know XPath syntax, you can find tutorials online.
The third argument, new_value: a string that replaces the data found matching the condition.
The role of the function: change the value of a document node that matches the condition.

Principle

If the value of XPath_string does not conform to XPath syntax, an error occurs, and the error message displays the data that caused the error.

So we place the data we want returned inside this parameter.
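Seen from the defender's side, the time-based and error-based techniques above leave distinct traces: the SLEEP/IF construct shows up as a slow response, and extractvalue/updatexml/floor(rand()) payloads are paired with database errors. The detector below is an added example, not from the original post; it scans constructed access-log lines (method, path, status, response milliseconds) for the patterns this page uses, and the 5000 ms threshold is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the techniques the page describes: the always-true login condition,
# the SLEEP-based timing probe, and the three error-based functions.
SIGNATURES = {
    "boolean_tautology":  re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I),
    "time_based":         re.compile(r"\bsleep\s*\(", re.I),
    "error_floor_rand":   re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),
    "error_extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "error_updatexml":    re.compile(r"\bupdatexml\s*\(", re.I),
}

SLOW_MS = 5000  # assumed threshold: responses slower than this corroborate a SLEEP() probe

# Constructed sample log lines (not real traffic): METHOD PATH STATUS RESPONSE_MS
SAMPLE_LOG = """\
GET /login?user=alice&passwd=hunter2 200 12
GET /login?user=alice&passwd=aa%27+or+%271%27%3D%271 200 15
GET /item?id=1%27+and+(IF(ASCII(substr(database(),1,1))%3E100,SLEEP(10),null))--+ 200 10043
GET /item?id=1+and+extractvalue(1,concat(0x5c,(select+database()))) 500 9
GET /item?id=1+and+updatexml(1,concat(0x3a,(select+database())),1) 500 8
GET /item?id=2 200 11
"""


def scan(log_text):
    """Return [(line_number, [tags])] for every log line matching a signature."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        method, path, status, ms = line.split()
        decoded = unquote_plus(path)   # match on the decoded query string, as the database saw it
        tags = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if "time_based" in tags and int(ms) >= SLOW_MS:
            tags.append("slow_response")   # the timing side channel, observed server-side
        if status == "500" and any(t.startswith("error_") for t in tags):
            tags.append("db_error_echo")   # error-based payload coinciding with a server error
        if tags:
            findings.append((n, tags))
    return findings


if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG):
        print(n, tags)
```

Lines 1 and 6 produce no finding; the other four each map to the technique the page describes for that payload.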


Source: www.cnblogs.com/alummox/p/11374005.html