In the previous section we introduced the principle of SQL injection and the harm it causes. This section covers blind SQL injection. Compared with ordinary SQL injection, the results returned by the database are not displayed on the page; the application only reports success/failure (true/false), which makes injection considerably harder.
One way to think about blind SQL injection: in a WHERE clause, "true AND true = true" and "true AND false = false". We place the condition we want to test after the AND; when our guess is correct the query evaluates to true, and when it is wrong it evaluates to false. How is this applied in practice? We will study it hands-on.
DVWA practice:
1. Open PhpStudy or XAMPP and start Apache and MySQL;
2. Open the DVWA main interface in the browser, set DVWA Security to Low in the left column, then enter SQL Injection (Blind);
We find that when we enter an ID, the page only tells us whether the user exists. If we enter 1' and '1024'='1024, the page reports that the user exists, because '1024'='1024' is true; if we enter 1' and '1024'='1025, it reports that the user does not exist.
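To make the true/false oracle concrete from the application side, here is an added example (not code from the page or from DVWA) that models the lookup in two forms: the vulnerable one splices the id into the SQL string, the hardened one binds it as a parameter. It uses an in-memory SQLite table as a stand-in for the users table (the real schema is assumed), so only the portable payloads from the paragraph above are used, not MySQL-specific functions.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the users table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "admin"), (2, "Gordon"), (3, "Hack"), (4, "Pablo"), (5, "Bob")],
    )
    return conn


def user_exists_vulnerable(conn, user_id):
    """Vulnerable form: the id is spliced into the SQL text, so quotes and
    operators in the input become part of the query and can add conditions."""
    sql = f"SELECT first_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, user_id):
    """Hardened form: the id is passed as a bound parameter, so it is treated
    purely as data and cannot change the structure of the query."""
    sql = "SELECT first_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchone() is not None


def compare(conn, user_id):
    """Return (vulnerable_result, safe_result) for one input, for side-by-side review."""
    return user_exists_vulnerable(conn, user_id), user_exists_safe(conn, user_id)


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1' and '1024'='1024", "1' and '1024'='1025"):
        print(repr(probe), "->", compare(db, probe))
```

With the vulnerable function the two tautology probes behave exactly as the text describes (exists / does not exist), which is the oracle blind injection relies on; with the parameterised function both probes simply fail to match any user, because the whole string is compared as a literal id.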
Using the above method, we can try to obtain the length of the database name. Enter:
1' and length(database())=1 #    user does not exist
1' and length(database())=2 #    user does not exist
1' and length(database())=3 #    user does not exist
1' and length(database())=4 #    user exists
So we know the length of the database name is 4. Next we guess the database name itself; taking the first character as an example, enter:
1' and ascii(substr(database(),1,1))>97 #    the first character has an ASCII value greater than 97 (i.e. lowercase a)
The page reports that the user exists, so the ASCII value of the first character is greater than that of a. We use binary search to narrow the range and finally find that the first character is lowercase d. Repeating the same method for the remaining positions yields all four characters: dvwa.
Using this idea we can obtain the field names, the database name, the users, the passwords and so on, as in the previous section, but blind injection needs far more manual, repetitive work than the previous method, which is why sqlmap, which automates it, is such a labour saver.
Besides this idea, there is another approach, time-based (delayed) injection: when the condition is true, the response is delayed:
1' and if(length(database())=4,sleep(5),1) #    the response is delayed, indicating that the if condition is true, i.e. the database name is 4 characters long;
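From the defender's side, both techniques above leave recognisable traces: boolean probes carry quoted tautologies and calls such as length(database()) or ascii(substr(...)) in the query string, and time-based probes carry sleep() together with an abnormally slow response. The following added example (not from the page or from DVWA) scans constructed access-log lines, URL-decodes the query string and flags both kinds of probe; the log format, field layout and the 3000 ms slow-response threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the page). Assumed format:
# "client_ip  request_path  status  response_ms"
SAMPLE_LOG = """\
10.0.0.5 /vulnerabilities/sqli_blind/?id=1&Submit=Submit 200 12
10.0.0.5 /vulnerabilities/sqli_blind/?id=1%27+and+%271024%27%3D%271024&Submit=Submit 200 11
10.0.0.5 /vulnerabilities/sqli_blind/?id=1%27+and+length%28database%28%29%29%3D4+%23&Submit=Submit 200 13
10.0.0.5 /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3E97+%23&Submit=Submit 200 12
10.0.0.5 /vulnerabilities/sqli_blind/?id=1%27+and+if%28length%28database%28%29%29%3D4%2Csleep%285%29%2C1%29+%23&Submit=Submit 200 5023
10.0.0.9 /vulnerabilities/sqli_blind/?id=2&Submit=Submit 200 10
"""

# Indicators of boolean-based probing, matched against the decoded query string.
BOOLEAN_PATTERNS = [
    re.compile(r"'\s*(and|or)\s+'", re.I),            # 1' and '1024'='1024 style tautology
    re.compile(r"length\s*\(\s*database\s*\(\s*\)", re.I),
    re.compile(r"ascii\s*\(\s*substr", re.I),
]
# Indicators of time-based probing.
TIME_PATTERNS = [re.compile(r"\bsleep\s*\(", re.I)]


def classify_request(path, response_ms, slow_ms=3000):
    """Return a list of findings for one request (empty list if nothing suspicious)."""
    query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
    findings = []
    if any(p.search(query) for p in BOOLEAN_PATTERNS):
        findings.append("boolean-blind-probe")
    if any(p.search(query) for p in TIME_PATTERNS):
        findings.append("time-blind-probe")
        # A sleep() payload that really delayed the response is the strongest signal.
        if response_ms >= slow_ms:
            findings.append("delay-confirmed")
    return findings


def scan_log(text):
    """Group suspicious requests by client IP: {ip: [(path, findings), ...]}."""
    alerts = {}
    for line in text.splitlines():
        ip, path, _status, ms = line.split()
        findings = classify_request(path, int(ms))
        if findings:
            alerts.setdefault(ip, []).append((path, findings))
    return alerts


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(ip, "sent", len(hits), "suspicious requests")
        for path, findings in hits:
            print("  ", ", ".join(findings), "<-", unquote_plus(path))
```

Grouping by client makes the repetitive nature of blind injection visible: one length or character guess looks like noise, but a single IP sending dozens of near-identical requests that differ only in a comparison value is the pattern worth alerting on, and a sleep() request whose response time matches the requested delay confirms that the injection actually executed.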
3. For the Medium, High and Impossible levels of blind SQL injection, the idea is the same as in the previous section and will not be repeated here.
Notes: NetEase micro-professional Web Security Engineer, 04 Web Security Practice, 8 SQL Blind Injection