DVWA靶场-SQL Injection (Blind)SQL注入盲注

概念

SQL Injection(Blind),即SQL盲注;

注入:可以查看到详细内容;

盲注:目标只会回复是或不是,没有详细内容;

盲注,与一般注入的区别在于,一般的注入攻击者可以直接从页面上看到注入语句的执行结果,而盲注时攻击者通常是无法从显示页面上获取执行结果,甚至连注入语句是否执行都无从得知,因此盲注的难度要比一般注入高。

类型

基于布尔值的盲注;

基于时间的盲注;

基于报错的盲注;

基于布尔值的盲注

基于布尔型SQL盲注即在SQL注入过程中,应用程序仅仅返回True(页面)和False(页面)。 这时,我们无法根据应用程序的返回页面得到我们需要的数据库信息。但是可以通过构造逻辑判断(比较大小)来得到我们需要的信息。 

常用函数

if()
功能:条件判断。
语法格式:if(expr1,expr2,expr3):expr1为true则返回expr2,expr1为false则返回expr3。
注:仅MySQL支持if(expr1,expr2,expr3)。

left()
功能:截取具有指定长度的字符串的左边部分。
语法格式:left(str,length),如果str或length参数为NULL,则返回NULL值。
参数说明
str:要提取子串的字符串。
length:正整数,指定将从左边返回的字符数。length为0或为负,则LEFT返回一个空字符串
length大于str字符串的长度,则leftO返回整个str字符串。

length()
功能:返回字符串的长度,以字节为单位。
语法格式:length(str)

substr()、substring()
功能:从指定的位置开始,截取字符串指定长度的子串。
语法格式:substr(str,pos)或substr(str,pos,len),substring(str,pos)substring(str,pos,len)
参数说明
str:要提取子串的字符串。
pos:提取子串的开始位置
len:指定要提取的子串的长度

ascii()、ord()
功能:返回字符串最左边字符的ASCII码值
语法格式:ascii(str),ord(str)

cast()、convert()
功能:获取一个类型的值,并产生另一个类型的值。
>语法格式:cast(value as type),convert(value,type)

 基于时间的盲注

 

基于时间的SQL盲注又称延时注入,即使用具有延时功能的函数sleep、benchmark等,通过判断这些函数是否正常执行来获取数据库中的数据

sleep()
功能:让语句延退执行一段时间,执行成功后返回0。
语法格式:sleep(N),即延退执行N秒。

benchmark()
功能:让某语句执行一定的次数,执行成功后返回0。
语法格式:benchmark(coun,texpr),即让expr执行count次
注:仅MySQL支持该函数。

 基于报错的盲注

 

基于报错的SQL盲注是通过输入特定语句使页面报错,网页中则会输出相关错

### DVWA SQL Blind Injection Medium Level Attack Method Tutorial In the context of DVWA (Damn Vulnerable Web Application), exploiting a SQL blind injection vulnerability at the medium difficulty level involves understanding how to interact with the application and craft specific payloads that can infer database structure or content based on true/false responses. The command provided serves as an example payload used within such attacks, specifically designed to retrieve table names from the current database schema by leveraging conditional logic in queries: ```sql select table_name from information_schema.tables where table_schema=database()[^1] ``` For executing this type of attack against DVWA's SQLi Blind challenge set to 'Medium', one approach is using automated tools like SqlMap which simplifies the process significantly. An invocation might look similar to what has been shared previously: ```bash py3 sqlmap.py -u "http://192.168.123.20/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="PHPSESSID=248dmjg65dksvfvf8kk0k7vqj0; security=low" --current-db[^2] ``` This tool automates much of the work involved in detecting vulnerabilities, extracting data through time-based boolean conditions without direct output feedback, and even taking over databases under certain circumstances—all while adhering to user-defined constraints regarding legality and ethics. When performing manual exploitation for educational purposes only, consider crafting custom scripts or modifying existing ones according to your environment setup. The key lies in constructing queries that cause different behaviors depending on whether they evaluate to true or false, allowing inference about underlying structures indirectly via side-channel observations. --related questions-- 1. How does changing the security level affect the effectiveness of SQL injection techniques? 2. What are some common defenses implemented against SQL injections? 3. Can you explain more about Information Schema Tables and their role in discovering database objects during penetration testing? 4. Are there any particular challenges associated with exploiting blind SQL injections compared to error-based methods?
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值