SQL injection-blind (ws/soap)
This issue covers blind injection. Some websites do a good job on the database side: error messages are modified, so even when you find the injection point you cannot read data through an error. Our steps are then more laborious; we can only work blind from the way the page fails (shown below).
First, this is what the page looks like normally.
Adding an extra character after the parameter changes the page: the number of movie tickets is gone.
The SQL error message itself is well masked. Let's add a comment sequence and see.
After the comment is added, the page returns to normal. So there is still a hole here (the technique demonstrated this time is blind injection).
Next we add an or condition that does not conflict with the select user() query that follows, deliberately making the statement false and then true, and watch what changes on the page. Because the returned page differs between the two cases, the statement really is being executed in the back end.
Now we adjust our statement. The general idea:
- Write the injection statement in full.
- Turn the result of the query we want to check into a string.
- Take the string apart one character at a time.
- Convert each character to its ASCII code and pin the character down by comparing that number.
The following functions are used:
SUBSTR((sql), x, y) // turns the result of the inner query into a string and cuts out y characters starting at position x.
ASCII() // returns the ASCII code of the character so that it can be compared as a number.
Example:
The statement above is simple: the result of select user() is passed through substr() to take one character of the string, and ascii() then turns that character into its ASCII code, one character at a time.
For example:
(ascii(substr((select user()), 2, 1)) > 90)
If this ASCII value is not greater than 90 the condition is false and the page errors (the number 53 does not show); if the condition is correct the number 53 is displayed. Next try (ascii(substr((select user()), 2, 1)) >= 100): if the page displays 53 the condition is true, if it errors the opposite holds, and by narrowing the range like this we finally pin down the number.
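To make the mechanism concrete, here is an added example (not from the original tutorial): the string-concatenation bug behind such a page, beside its parameterized fix, and a check that tells the two apart. It runs against an in-memory SQLite database, so unicode() and sqlite_version() stand in for MySQL's ascii() and user(); the table and its values are constructed.

```python
import sqlite3

# Constructed sample data (not from the original page): a ticket table that
# mirrors the tutorial's "number of movie tickets" display.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, movie TEXT, seats INTEGER)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)",
                     [(1, "Alpha", 53), (2, "Beta", 12)])
    return conn

def ticket_count_vulnerable(conn, movie_id):
    # The pattern behind the tutorial's page: the request parameter is pasted
    # into the SQL text, so an appended boolean condition decides whether the
    # row (and with it the ticket count) comes back. That yes/no difference is
    # the oracle the blind technique reads one character at a time.
    sql = "SELECT seats FROM tickets WHERE id = " + str(movie_id)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def ticket_count_hardened(conn, movie_id):
    # The fix: validate the type at the trust boundary and bind the value as a
    # parameter. The driver never parses it as SQL, so no appended condition
    # can change the result.
    if not isinstance(movie_id, int):
        raise ValueError("movie id must be an integer")
    row = conn.execute("SELECT seats FROM tickets WHERE id = ?", (movie_id,)).fetchone()
    return row[0] if row else None

# The tutorial's probe, ascii(substr((select user()),2,1)) > 90, written for
# SQLite: unicode() plays the role of ascii(), sqlite_version() stands in for
# user(). sqlite_version() starts with '3' (code 51), so "< 90" is true and
# "> 90" is false.
PROBE_TRUE = "1 AND unicode(substr(sqlite_version(), 1, 1)) < 90"
PROBE_FALSE = "1 AND unicode(substr(sqlite_version(), 1, 1)) > 90"

def oracle_visible(query_fn, conn):
    # True when the two probes give different page results, i.e. the endpoint
    # leaks a boolean oracle. Hardened code rejects the input instead of
    # answering, which is recorded as "no oracle".
    try:
        return query_fn(conn, PROBE_TRUE) != query_fn(conn, PROBE_FALSE)
    except ValueError:
        return False
```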
The database recognizes ASCII values, so the characters can be identified by their codes.
Or look the codes up in an ASCII table on Baidu.
We write down each number determined this way and convert the ASCII codes back into characters to get the data.
That recovers the user. The most common approach after finding an injection point is to look for a display position and use a union query; when that fails, as on this page, getting the data blind like this is the alternative. It is more laborious and its efficiency is relatively low; more efficient methods come later. That concludes this demonstration.
Example of Webgote (6) SQL injection (blind)