SQL time injection
2022-07-06 11:32:00 【Her&mes】
Time-based SQL injection
Time-based SQL injection applies when the page has no echo: the data is inferred from how long the page takes to respond. The methods include the following:
| Method of generating the delay / function |
|---|
| sleep |
| benchmark |
| Cartesian product |
| get_lock |
| Regular-expression bug |
Let's go through them one by one.
Note also that this article does not discuss filtering or syntactic variations (don't be limited by the examples given); remember to read more from other masters and from the official documentation. If anything here is wrong, please point it out, thank you.
sleep() function
sleep() is the most common delay method. It is so widely used that it is almost always filtered.
Let's look at a simple SQL query example:
select * from user where id = '$_POST[a]'
When a=1' and sleep(3) --+ is submitted, the SQL statement becomes: select * from user where id = '1' and sleep(3) --+
Connecting with and: if the query before and is true, sleep(3) is executed and the response is delayed by 3 seconds; if it is false, sleep(3) is not executed.
If and is replaced with or, the SQL statement becomes: select * from user where id = '1' or sleep(3) --+
In that case the execution of sleep(3) is not affected by the result of the preceding condition, which can be used to determine whether an injection point exists.
Other characters can play the role of and and or, such as ||, ^, =, etc.
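The following is an added example, not part of the original article: it runs the article's `1' or sleep(3) --` payload against the interpolated query and against a parameterized version of the same query. sqlite3 stands in for MySQL, and since sqlite has no sleep(), a stub named sleep is registered that records calls instead of delaying, so you can see whether the injected function ever executes.

```python
import sqlite3

# Constructed in-memory stand-in for the article's `user` table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE user (id TEXT, name TEXT)")
conn.executemany("INSERT INTO user VALUES (?, ?)", [("1", "alice"), ("2", "bob")])

# Stub: sqlite has no sleep(); record each call and return 0 (falsy, like a
# finished MySQL sleep()) instead of actually delaying.
sleep_calls = []
conn.create_function("sleep", 1, lambda s: sleep_calls.append(s) or 0)

# The article's payload; the trailing '+' (URL-encoded space) is written literally.
PAYLOAD = "1' or sleep(3) -- "

def vulnerable_lookup(user_input):
    """Mirrors `select * from user where id = '$_POST[a]'`: input is pasted into SQL."""
    sql = f"select * from user where id = '{user_input}'"
    return conn.execute(sql).fetchall()

def safe_lookup(user_input):
    """Same query with a bound parameter: the input is treated as data, never as SQL."""
    return conn.execute("select * from user where id = ?", (user_input,)).fetchall()

def demo():
    """Return (rows, sleep calls) for the vulnerable path and for the safe path."""
    sleep_calls.clear()
    vuln_rows = vulnerable_lookup(PAYLOAD)
    vuln_sleeps = len(sleep_calls)        # injected sleep(3) runs at least once
    sleep_calls.clear()
    safe_rows = safe_lookup(PAYLOAD)      # no row has id equal to the whole payload
    safe_sleeps = len(sleep_calls)        # sleep() is never invoked
    return vuln_rows, vuln_sleeps, safe_rows, safe_sleeps

if __name__ == "__main__":
    print(demo())
```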
In this way we can extract information. Let's review the functions commonly used in blind injection:
| Function | Effect |
|---|---|
| substr(a,b,c) | Take c characters of string a, starting at position b |
| count() | Count the total number of rows |
| ascii() | Return the ASCII code of a character |
| length() | Return the length of a string |
| left(a,b) | Take the first b characters of string a, counting from the left |
| right(a,b) | Take the last b characters of string a, counting from the right |
Taking the SQL query above as the example, here is the simplest way to use them (the first method):
| Target | Payload |
|---|---|
| Get the length of the current database name | 1' and length(database())=1 and sleep(3) # |
| Verify the first character of the database name | 1' and substr(database(),1,1)='a' and sleep(3) # |
| Verify the first character of the database name (by ASCII code) | 1' and ascii(substr(database(),1,1))=1 and sleep(3) # |
The second method uses if(expr1, expr2, expr3); however, if is less convenient in blind injection.
If expr1 is true, expr2 is executed; if expr1 is false, expr3 is executed.
select * from user where id = '1' and if(length(database())=1,sleep(3),1) --+
The third method uses case ... when ... then ... else ... end.
case comes in two forms, the simple case and the searched case. They are described as two types here, but they are really two ways of parameterizing case.
Simple case:
CASE [col_name] WHEN [value1] THEN [result1]...ELSE [default] END
The value after case (col_name) is compared for equality with the value after each when clause:
if it equals the value after some when clause, the result after the corresponding then clause is returned;
if it equals none of the when values, the value after the else clause is returned;
without an else part, NULL is returned.
Note: value can be a literal, an expression or a column name, and the data type of the CASE expression depends on the types of the expressions after then or else.
In short, the judgement of such a case is: case names the parameter to be tested, when specifies a parameter value, and when the parameter equals that value the corresponding then value is returned (executed).
Payload example:
1' union select 1,case 1 when (substr(database(),1,1)='e') then sleep(2) else 1 end --+
union can be replaced by and, with the following select statement wrapped in parentheses (keep reminding yourself: injection statements are flexible, study the syntax, experiment with the syntax, and don't let your thinking be limited).
Searched case:
CASE WHEN [condition] THEN [result1]...ELSE [default] END
If the condition after some when clause is true, the result after that when clause is returned;
if the conditions after all when clauses are not true, the value after the else clause is returned;
without an else part, NULL is returned.
The second kind of case is used the same way as the first in SQL injection; for now I can't think of a difference between the two here.
That concludes the content on sleep(). With sleep as the groundwork, the remaining content will be much easier to read (and to write).
GO, on to a new technique!!
benchmark() function
Function description:
benchmark(arg1,arg2)
arg1 is the number of repetitions, arg2 is the expression to evaluate.
Evaluating expression arg2 arg1 times increases the processing time. The core idea is to use a large amount of computation (a complex process) to push an otherwise imperceptible delay to a level that a script can easily recognize (when writing the script, you must know the minimum time difference it can tell apart). The later methods follow the same idea.
To be effective, the repetition count must be very large. Sample constructions:
benchmark(1000000,encode("hello","good"))
benchmark(5000000, md5( 'test' ))
For how to measure statement run time, see another master's post: MySQL statement run time (the link is not reproduced here).
benchmark() and sleep() are both functions, so payloads are constructed the same way, and benchmark() is "used" just as widely.
The Cartesian product
Hearing this name reminds me of the fear of being dominated by Discrete Mathematics; fortunately, it is very simple here. MySQL supports Cartesian product computation, and the sets taking part in the operation are tables (use tables with enough data to produce an obvious delay). The built-in information_schema tables hold a lot of data; if they are blocked, there are other built-in tables that can be used (pay attention to the MySQL version).
Sample construction:
1'and (SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C);
Following this pattern, add a comma after C and write D, E and so on; in addition, using "aggregate" functions works the same way.
get_lock
The premise of this method is that the database connection is persistent, i.e. the backend uses the mysql_pconnect() function to connect to the database.
Function description:
get_lock(key, timeout)
Try to obtain a lock with the name given by string key (key can also be a number, which bypasses a single-quote restriction); timeout specifies the wait time in seconds, and a negative value means waiting indefinitely.
The lock is exclusive: when it is held by one session, other sessions cannot obtain a lock with the same name.
Attack example:
session_A:
1' and get_lock(1,2) #
In session_A, lock variable 1.
session_B:
1' and if(payload_key,get_lock(1,2),1) #
In session_B, execute the blind injection: if payload_key is true, the "echo" arrives two seconds later; if it is false, it arrives immediately.
Regular-expression bug / regex DoS: RLIKE
Use a large amount of regular-expression computation to extend the processing time and produce a delay.
rpad or repeat constructs a long string (typing it out by hand also works).
Sample construction:
select rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b')
In MySQL, the RLIKE operator determines whether a string matches a regular expression. It is a synonym for REGEXP_LIKE().
Syntax:
expr RLIKE pat
where expr is the input string and pat is the regular expression to test against (remember to brush up on MySQL regular expressions).
If the string matches the given regular expression, the result is 1, otherwise 0.
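As an added example (not part of the original article), here is a small detector that a defender could run over web access logs: it URL-decodes each request's query string, matches it against one pattern per delay technique discussed above (sleep, benchmark, information_schema Cartesian product, get_lock, RLIKE with repeat), and flags whether the recorded response time also looks delayed. The log lines and the `slow_ms` threshold are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines: "METHOD PATH STATUS RESPONSE_MS".
LOG_LINES = [
    "GET /item?id=1 200 12",
    "GET /item?id=1'+and+sleep(3)+%23 200 3012",
    "GET /item?id=1'+and+if(length(database())%3D1,sleep(3),1)+--+ 200 3005",
    "GET /item?id=1'+and+benchmark(5000000,md5('test'))+%23 200 2890",
    "GET /item?id=1'and+(SELECT+count(*)+FROM+information_schema.columns+A,+information_schema.columns+B) 200 4500",
    "GET /item?id=1'+and+if(1%3D1,get_lock(1,2),1)+%23 200 2010",
    "GET /item?id=1'+and+rpad('a',4999999,'a')+RLIKE+concat(repeat('(a.*)%2B',30),'b')+%23 200 5100",
    "GET /item?id=42 200 15",
]

# One pattern per delay technique from the article, applied to the decoded query string.
DELAY_PATTERNS = {
    "sleep": re.compile(r"\bsleep\s*\(", re.I),
    "benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "cartesian": re.compile(r"information_schema\.\w+\s+\w+\s*,\s*information_schema", re.I),
    "get_lock": re.compile(r"\bget_lock\s*\(", re.I),
    "regex_dos": re.compile(r"\brlike\b.*\brepeat\s*\(", re.I | re.S),
}

LINE_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+) (?P<status>\d+) (?P<ms>\d+)$")

def classify(line, slow_ms=2000):
    """Return (technique, response_ms, was_slow) for a time-based probe, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Decode %xx and '+' so the patterns see the SQL as the database would.
    query = unquote_plus(m.group("path").partition("?")[2])
    ms = int(m.group("ms"))
    for name, pattern in DELAY_PATTERNS.items():
        if pattern.search(query):
            return name, ms, ms >= slow_ms
    return None

def scan(lines):
    """List (line_index, technique, response_ms, was_slow) for every flagged line."""
    return [(i, *hit) for i, line in enumerate(lines) if (hit := classify(line))]

if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

A match on the pattern alone is the stronger signal; the timing flag mainly helps confirm that the injected function actually ran on the backend.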