Web Security: Example Analysis of the Principle of the Boolean Injection Attack

2025-01-17 Update. From: SLTechnology News & Howtos (shulou), Development

Shulou (Shulou.com) 06/02 Report

This article walks through "Web security: example analysis of the Boolean injection attack principle". The content is meant to be easy to follow, and the editor hopes it helps you clear up any doubts about how Boolean-based blind SQL injection works.

1. Boolean injection attack

The test address for the Boolean injection attack is http://127.0.0.1/sqli/boolean.php?id=1.

When you visit the site, the page returns yes, as shown in figure 19.

Figure 19 The page result when accessing id=1

Add a single quotation mark after the URL and visit it again: the returned result changes from yes to no, as shown in figure 20.

Figure 20 The page result when accessing id=1'

Visiting id=1' and 1=1%23 returns yes, and a false condition returns no. Changing the value of id still yields only yes or no. We can therefore conclude that the page returns only yes or no and never any data from the database, so Union injection cannot be used here.

Here you can try Boolean injection. Boolean injection means constructing SQL conditions and, by observing the page's returned result, working out which conditions are true, and from that recovering data in the database. Let's first determine the length of the database name with the following statement:

' and length(database())>=1--+

Because the id parameter is wrapped in single quotes in the query statement, concatenating the payload into the SQL in the source code leaves an extra closing single quote, so a comment character is needed to comment it out.

In an HTTP request, + is converted to a space, so --+ becomes the comment sequence -- followed by a space. The space can also be written as %20, so --%20 is equivalent.

Because # is the fragment identifier, which only directs the browser and has no meaning on the server side, it is not included in the HTTP request: the browser treats everything after the first # as a location within the page and none of those characters are sent to the server. So if you want to use the # comment character, it must be URL-encoded as %23.

Therefore, the statement above can also be written as follows:

' and length(database())>=1--%20

Or

' and length(database())>=1%23

The 1 can be replaced by any number, for example ' and length(database())>=3--+ and ' and length(database())>=4--+. Construct these statements and observe the returned results, as shown in figures 21 to 23.

Figure 21 Determining the length of the database name (1)

Figure 22 Determining the length of the database name (2)

Figure 23 Determining the length of the database name (3)

The above statements mean: when the condition is "the length of the database name is greater than or equal to 3", the result is yes; when it is "greater than or equal to 4", the result is no. Combining the two, we conclude that the length of the database name is 3.

Next, we use the character-by-character method to obtain the database name. The characters of a database name are generally within a-z and 0-9, possibly with some special characters, and letters are not case-sensitive. The SQL statement for testing one character at a time is:

' and substr(database(),1,1)='t'--+

substr means to take a substring: here it takes the value of database() starting at the first character and returns only one character at a time.

Note that substr is used differently from limit: limit counts from 0, while substr counts from 1. You can use Burp's brute-force function to brute-force the character at each position, as shown in figure 24; the result is shown in figure 25.

Figure 24 Brute-forcing the database name with Burp (1)

Figure 25 Brute-forcing the database name with Burp (2)

You can also test using ASCII codes: the ASCII code of t is 116, and in MySQL the function that converts a character to its ASCII code is ord(), so the character-by-character SQL statement becomes:

' and ord(substr(database(),1,1))=116--+

From the Union injection and the Burp brute-force results, we know that the database name is 'test'.

To query table names and field names, substitute the corresponding subquery in place of database(). We already know from the Union injection that the first table in the database 'test' is emails, so its first letter should be e, and the test statement is as follows:

' and substr((select table_name from information_schema.tables where table_schema='test' limit 0,1),1,1)='e'--+

In the same way, all table names and field names can be recovered, as shown in figure 27; the result of brute-forcing with Burp is shown in figure 28.
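The probes walked through above leave a recognizable trail in web server logs. The following Python scanner is an added example, not code from the original article: it URL-decodes each request's query string (so --+, --%20 and %23 are seen as the comment terminators they become on the server) and flags the length(), substr()/ord() and information_schema probes. The access-log lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not real traffic): the probes the article walks
# through, as they would appear URL-encoded in a web server's access log.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2025:10:00:01 +0000] "GET /sqli/boolean.php?id=1 HTTP/1.1" 200 3
10.0.0.5 - - [17/Jan/2025:10:00:02 +0000] "GET /sqli/boolean.php?id=1' HTTP/1.1" 200 2
10.0.0.5 - - [17/Jan/2025:10:00:03 +0000] "GET /sqli/boolean.php?id=1'%20and%20length(database())>=3--+ HTTP/1.1" 200 3
10.0.0.5 - - [17/Jan/2025:10:00:04 +0000] "GET /sqli/boolean.php?id=1'%20and%20ord(substr(database(),1,1))=116%23 HTTP/1.1" 200 3
10.0.0.5 - - [17/Jan/2025:10:00:05 +0000] "GET /sqli/boolean.php?id=1'%20and%20substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema='test'%20limit%200,1),1,1)='e'--+ HTTP/1.1" 200 3
10.0.0.7 - - [17/Jan/2025:10:00:06 +0000] "GET /sqli/boolean.php?id=2 HTTP/1.1" 200 3
"""

# Common Log Format prefix: client IP, ident, user, [timestamp], "METHOD path ..."
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# Signatures of Boolean-based blind probes, matched on the decoded, lower-cased query.
SIGNATURES = [
    ("length_probe", re.compile(r"\band\s+length\s*\(")),
    ("substr_probe", re.compile(r"\bsubstr(?:ing)?\s*\(")),
    ("ord_probe", re.compile(r"\b(?:ord|ascii)\s*\(")),
    ("schema_enum", re.compile(r"\binformation_schema\.")),
    # --+ / --%20 / %23 all decode to a trailing comment that swallows the stray quote
    ("comment_terminator", re.compile(r"(?:--\s|#)\s*$")),
]

def decode_query(request_path: str) -> str:
    """Return the URL-decoded (+ and %xx), lower-cased query string of a request path."""
    _, _, query = request_path.partition("?")
    return unquote_plus(query).lower()

def classify(query: str) -> list:
    """Names of all signatures that match the decoded query string."""
    return [name for name, pat in SIGNATURES if pat.search(query)]

def scan_log(log_text: str) -> list:
    """Return (client_ip, decoded_query, matched_signatures) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = decode_query(m.group(2))
        reasons = classify(query)
        if reasons:
            hits.append((m.group(1), query, reasons))
    return hits
```

A bare trailing quote (the id=1' request) is deliberately not flagged on its own; it is too noisy alone, but several signature hits from one client in a short window, as scan_log(SAMPLE_LOG) shows for 10.0.0.5, is the pattern worth alerting on.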

2. Boolean injection code analysis

The Boolean injection page obtains the GET parameter id and uses preg_match to check whether it contains dangerous keywords such as union/sleep/benchmark. The parameter id is then concatenated into the SQL statement and the database is queried. If the query returns a result, yes is returned, otherwise no. So when the page is visited, the code returns yes or no according to the database query result rather than any data from the database, and only yes or no is displayed on the page, as shown below.
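The handler described in this section, re-created in Python beside a hardened version (an added example, not the article's PHP source). It assumes an in-memory sqlite3 table named users as a stand-in for the MySQL database, so the probes use a literal string where the article uses database(); the keyword blocklist and the yes/no behaviour follow the description above.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the article's MySQL database;
# sqlite3 is used only so the example runs offline (it has no database() function).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")

# The keyword blocklist the article describes (preg_match on union/sleep/benchmark).
BLOCKLIST = re.compile(r"union|sleep|benchmark", re.IGNORECASE)

def vulnerable_page(id_param: str) -> str:
    """Re-creation of the handler the article describes: blocklist check, then the raw
    parameter spliced into the SQL text. Returns only 'yes' or 'no'; a query error
    (the stray quote from id=1') also yields 'no', matching what the article observes."""
    if BLOCKLIST.search(id_param):
        return "no"
    sql = f"SELECT * FROM users WHERE id = '{id_param}'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "no"
    return "yes" if rows else "no"

def hardened_page(id_param: str) -> str:
    """Same page with two fixes: id must be a plain integer, and it is bound as a
    query parameter, so the input never becomes part of the SQL text at all."""
    if not id_param.isdigit():
        return "no"
    rows = conn.execute("SELECT * FROM users WHERE id = ?", (int(id_param),)).fetchall()
    return "yes" if rows else "no"
```

The blocklist stops a union payload but not the length()/substr() conditions the article builds, which contain none of the listed keywords; the parameterized version answers "no" to every such input because the condition is never evaluated by the database.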
