A brief understanding of blind SQL injection

This article brings you relevant knowledge about SQL, which mainly introduces related issues about blind injection. Blind injection truncates the data results queried in the database into single characters, and then Let’s take a look at the same construction of logical statements. I hope it will be helpful to everyone.

## Recommended study: "

SQL Tutorial"

sql injection - blind injection

1. Review

Echo injection is mainly used to display the data in the database directly on the website page.

Error injection is mainly used when the original error information exists on the website page, and the data in the database is displayed in the original error information. Also known as error echo.
Principle: Due to the user's uncontrollable input, the attacker can enter malicious SQL statements arbitrarily, causing the SQL semantics to change, thereby causing risks to the database and operating system.

Risks: data operations, login bypass, file operations, command execution, registry operations.

Defense: filtering, precompilation.

2. Blind injection vulnerability scenario

1. The data in the database will not be displayed directly on the page. The query results will be judged, and the judged results will be output on the page. . For example, the login box

2. The syntax of insert, update, and delete does not have the data query function, and the data in the database will not exist on the page. Such as registration, information modification, data addition

3. Blind injection principle

Core Truncate the data results queried in the database into a single character, and then simultaneously Construct logical statements. The result of the query in the database is judged by judging whether the page display is abnormal or whether the page is demonstrated.

4. Classification

1.bool blind injection

If the corresponding data can be found in the database, the page will be displayed normally, otherwise it will be abnormal.

2. Time blind injection

No matter what data is input, the effect of the page is exactly the same. The results of the query in the database can be judged based on whether the page is delayed.

5. Process

1. Find the suspected injection point, find the input point, and find the place that interacts with the database

2. Determine whether the sql injection contains a malicious sql statement, and submit it The response information of the page is consistent with expectations, which indicates that injection exists.
3. Get the database name

1.获取当前数据库名
	and ascii(substr((select database()),1,1))=115
2.获取所有数据库名
	and (select ascii(substr(group_concat(schema_name),1,1)) from information_schema.schemata)>0

3. Calculate the length of the data to be obtained

and (select length(group_concat(schema_name)) from information_schema.schemata)>10 --+

4. Get the table

5. Get the columns
6. Get the data

6. Time blind injection

and if(((select database())='a'),sleep(5),0)--+

7. Summary

Time blind injection can occur wherever echo, error reporting, and bool injection can occur. If not, echo reporting and error reporting can occur. The place where bool type blind injection can be done, but not vice versa.

8.sqlmap

SQL injection automation tool, developed in python2, is compatible with python3. The use of sqlmap actually simulates the request process of people to the website, and can collect, analyze and display the obtained data.

python sqlmap.py -h	查看sqlmap可使用的参数
                 -u 网站的url	向sqlmnap提供注入点

–dbs Get all database names

-D Specify library --tables Get information about all tables in the specified database

-D Specify the library-T Specify the table--columns

-D Specify the library-T Specify the table-C Column 1, column 2 --dump

-r 'File name'

Recommended study: "

SQL Tutorial"

The above is the detailed content of A brief understanding of blind SQL injection. For more information, please follow other related articles on the PHP Chinese website!