Boolean-based blind injection
Error messages are suppressed, and only two outcomes are displayed: correct or incorrect.
Try entering a single quote.
Then try entering an and condition.
What matters most in boolean-based injection is the use of value and comparison functions such as length(), substr() and ascii(). The substr() function cuts one character out of a string, and ascii() converts that character into a number so that it can be compared arithmetically. For example:
Start the injection: kobe' and ascii(substr(database(),1,1))>113#
If the content is displayed, the expression is true; otherwise it is false.
kobe' and ascii(substr(database(),1,1))=112#
kobe' and ascii(substr((select TABLE_NAME from INFORMATION_SCHEMA.tables where TABLE_SCHEMA=database() limit 0,1),1,1))<112#
Boolean-based injection can be judged from a 0-or-1 difference in the page. In time-based blind injection nothing can be seen at all: the displayed content gives no way to judge whether the statement was executed. That is where time-based blind injection comes in.
Whatever input it receives, the page immediately echoes the same error message, so the response content gives nothing away.
Enter kobe' and sleep(3)
The response is delayed by 3 seconds, so a time-based SQL injection vulnerability exists.
In other words, if the guess in the following statement is correct the response is delayed, and if it is incorrect the page responds immediately.
kobe' and if((substr(database(),1,1))='p',sleep(5),null)#
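As an added example (not code from the original write-up), the following Python detector scans web-server access-log lines for the probe shapes described above: boolean-based probes that pair a string-extraction function (ascii, substr, length) with a metadata source such as database() or information_schema, and time-based probes built on sleep() or benchmark(). It generalizes slightly beyond this passage by also tagging union probes of the kind shown later on this page. The log lines, the application path /app/query.php, the client IPs and the timestamps are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (paths, IPs and timestamps are made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2021:10:00:01 +0000] "GET /app/query.php?name=kobe&submit=query HTTP/1.1" 200 1532
10.0.0.5 - - [01/Jun/2021:10:00:02 +0000] "GET /app/query.php?name=kobe%27+and+ascii(substr(database(),1,1))%3E113%23&submit=query HTTP/1.1" 200 1532
10.0.0.5 - - [01/Jun/2021:10:00:09 +0000] "GET /app/query.php?name=kobe%27+and+sleep(3)%23&submit=query HTTP/1.1" 200 1498
10.0.0.7 - - [01/Jun/2021:10:00:10 +0000] "GET /app/query.php?name=kobe%27+and+if((substr(database(),1,1))%3D%27p%27,sleep(5),null)%23 HTTP/1.1" 200 1498
10.0.0.8 - - [01/Jun/2021:10:00:12 +0000] "GET /app/query.php?name=kobe%df%27+union+select+1,group_concat(table_name)+from+information_schema.tables+where+table_schema%3Ddatabase()%23 HTTP/1.1" 200 1610
10.0.0.9 - - [01/Jun/2021:10:00:13 +0000] "GET /search.php?q=sleepy+kobe HTTP/1.1" 200 2210
"""

# Common-log-format request line: client, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)

# Time-based probes delay the response instead of changing its content.
TIME_RE = re.compile(r"\b(?:sleep|benchmark)\s*\(")
# Boolean-based probes extract one character or a length and compare it ...
EXTRACT_RE = re.compile(r"\b(?:ascii|ord|substr|substring|mid|length|left)\s*\(")
# ... taken from a metadata source such as database() or information_schema.
SOURCE_RE = re.compile(r"database\s*\(\s*\)|information_schema|\bselect\b")
# Union probes append a second SELECT to the original query.
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b")


def classify(decoded_query: str) -> list:
    """Return the probe families seen in a percent-decoded query string (empty list if none)."""
    q = decoded_query.lower()
    tags = []
    if TIME_RE.search(q):
        tags.append("time-based")
    if EXTRACT_RE.search(q) and SOURCE_RE.search(q):
        tags.append("boolean-based")
    if UNION_RE.search(q):
        tags.append("union-based")
    return tags


def scan_log(text: str) -> list:
    """Parse each log line, decode its query string and keep the lines that match a probe family."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode %xx and '+' so that obfuscated-by-encoding payloads are matched as plain text.
        decoded = unquote_plus(urlsplit(m["target"]).query)
        tags = classify(decoded)
        if tags:
            hits.append({"ip": m["ip"], "ts": m["ts"], "tags": tags, "query": decoded})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], ",".join(hit["tags"]), hit["query"], sep="  ")
```

The boolean rule deliberately requires both an extraction function and a metadata source, so an ordinary search for a word such as "sleepy" or a legitimate use of length() on user data does not trip it; a repeated run of boolean hits from one client against one parameter, or a time-based hit whose response latency matches the sleep() argument, is the signal worth alerting on.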
Wide byte injection
Capture the packet after entering the injection payload.
The addslashes() function adds a backslash before single quotes and similar characters (' becomes \'), which after URL encoding is %5c%27. Our payload is [%df'], where %df (any byte in the range %81-%fe) is placed in front, so the request carries %df%5c%27. If the database uses GBK encoding, it treats %df%5c as one wide (two-byte) character, and the single quote %27 is left unescaped.
Use order by to find the number of columns: entering 2 is normal and entering 3 reports an error, so the number of columns is 2.
Use a union query to test the database:
Query the table name: kobe%df' union select 1, group_concat(table_name) from information_schema.tables where table_schema=database()
Single quotes are required around the table name 'users', so Burp can be used to convert it to
Details: https://blog.csdn.net/weixin_44426869/article/details/104341863
For wide byte injection, one of the best fixes is:
(1) Use mysql_set_charset('gbk') to specify the character set
(2) Use mysql_real_escape_string() to escape the input
The reason this works is the difference between mysql_real_escape_string and addslashes: mysql_real_escape_string takes the currently set character set into account, so a byte such as e5 can no longer be spliced with the 5c backslash into one wide character. But how is this "current character set" determined?
It is specified with mysql_set_charset.
The two conditions above are joined by AND: both must be met, and neither one works on its own.
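As an added example, not code from the original post and not PHP's own implementation, the following Python re-creates both halves of the argument above. A byte-wise addslashes() stand-in shows why the escaped payload df 5c 27 decodes under GBK into one wide character followed by a bare quote while a UTF-8 decoder keeps the backslash. A charset-aware escape, modelled on what mysql_real_escape_string does once mysql_set_charset has been called, decodes the input as characters first, so a lone lead byte is rejected and a legitimate trail byte of 0x5c is not mistaken for an escape. The input byte strings are constructed for this example.

```python
# Constructed inputs: the %df' payload after percent-decoding, and two well-formed GBK strings.
PAYLOAD = b"\xdf'"              # lone GBK lead byte followed by a quote
GBK_NI_QUOTE = b"\xc4\xe3'"     # U+4F60 encoded in GBK, then a quote
GBK_TRAIL_5C = b"\xdf\x5c'"     # a valid GBK character whose trail byte is 0x5c, then a quote


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping in the manner of PHP addslashes(): a backslash before ' \" \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_still_escaped(raw: bytes, charset: str) -> bool:
    """Escape at the byte level, then decode the result as a server using `charset` would.
    True if the quote still carries its backslash after decoding."""
    text = addslashes(raw).decode(charset, errors="replace")
    return "\\'" in text


def escape_in_charset(raw: bytes, charset: str) -> bytes:
    """Charset-aware escaping: decode to characters first (malformed input raises),
    escape characters rather than bytes, and re-encode in the same charset."""
    text = raw.decode(charset)  # strict: a lone lead byte raises UnicodeDecodeError
    escaped = []
    for ch in text:
        if ch in "'\"\\\x00":
            escaped.append("\\")
        escaped.append(ch)
    return "".join(escaped).encode(charset)


def safe_escape(raw: bytes, charset: str):
    """Return the charset-aware escape, or None when the input is not valid in `charset`."""
    try:
        return escape_in_charset(raw, charset)
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    print("addslashes ->", addslashes(PAYLOAD).hex())
    print("utf-8 server keeps the escape:", quote_still_escaped(PAYLOAD, "utf-8"))
    print("gbk server loses the escape:  ", quote_still_escaped(PAYLOAD, "gbk"))
    print("charset-aware, payload:       ", safe_escape(PAYLOAD, "gbk"))
    print("charset-aware, valid GBK:     ", safe_escape(GBK_TRAIL_5C, "gbk"))
```

The last case is the one that shows why both conditions on the page have to hold together: escaping in the wrong character set either swallows the backslash (the attack) or double-escapes a legitimate 0x5c trail byte (corrupted data), and only an escape routine that knows the connection's charset does neither. Bound parameters sidestep the problem entirely, because the value is never spliced into the statement text.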