Blind SQL Injection --from DVWA --2021-12-9

Description

Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query’s syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible.

Examples

An attacker may verify whether a sent request returned true or false in a few ways:

content-based

Using a simple page, which displays an article with given ID as the parameter, the attacker may perform a couple of simple tests to determine if the page is vulnerable to SQL Injection attacks.

Example URL:

http://newspaper.com/items.php?id=2

sends the following query to the database:

SELECT title, description, body FROM items WHERE ID = 2

The attacker may then try to inject a query that returns ‘false’:

http://newspaper.com/items.php?id=2 and 1=2

Now the SQL query should look like this:

SELECT title, description, body FROM items WHERE ID = 2 and 1=2

If the web application is vulnerable to SQL Injection, then it probably will not return anything. To make sure, the attacker will inject a query that will return ‘true’:

http://newspaper.com/items.php?id=2 and 1=1

If the content of the page that returns ‘true’ is different than that of the page that returns ‘false’, then the attacker is able to distinguish when the executed query returns true or false.

Once this has been verified, the only limitations are privileges set up by the database administrator, different SQL syntax, and the attacker’s imagination.
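The content-based test above only works because the request parameter is pasted into the statement as SQL. The following is an added example, not code from the OWASP article or from DVWA, written in Python against an in-memory SQLite table that stands in for the newspaper site’s `items` table (the table rows, the function names and the SQLite backend are all assumptions). It puts the concatenating lookup beside a parameterized one and a validated one, and checks for each whether the `and 1=1` / `and 1=2` pair from the text produces two different responses, which is exactly the oracle a blind injection needs.

```python
import sqlite3

# Constructed rows standing in for the newspaper site's "items" table in the article.
SAMPLE_ITEMS = [
    (1, "First story", "desc one", "body one"),
    (2, "Second story", "desc two", "body two"),
    (3, "Third story", "desc three", "body three"),
]


def make_db():
    """Build an in-memory SQLite database (assumed stand-in for the site's real backend)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (ID INTEGER PRIMARY KEY, title TEXT, description TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO items VALUES (?, ?, ?, ?)", SAMPLE_ITEMS)
    return conn


def lookup_vulnerable(conn, item_id):
    """Concatenate the request parameter into the statement (the pattern the article describes).

    An input of "2 and 1=2" becomes part of the WHERE clause, so the attacker's
    condition is evaluated by the database instead of being treated as an id.
    """
    sql = "SELECT title, description, body FROM items WHERE ID = " + item_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, item_id):
    """Bind the parameter as a value: it is compared against ID, never parsed as SQL."""
    sql = "SELECT title, description, body FROM items WHERE ID = ?"
    return conn.execute(sql, (item_id,)).fetchall()


def lookup_validated(conn, item_id):
    """Validate the type first, then bind; non-integer ids are rejected before any query runs."""
    if not item_id.isdigit():
        raise ValueError("id must be a positive integer")
    return lookup_parameterized(conn, int(item_id))


def observe(lookup, conn, item_id):
    """What a client sees: either the rows, or the application's generic rejection."""
    try:
        return ("ok", lookup(conn, item_id))
    except ValueError:
        return ("rejected", [])


def oracle_visible(lookup, conn):
    """True when the "and 1=1" / "and 1=2" pair from the article yields different responses,
    i.e. the endpoint exposes the true/false oracle a blind injection relies on."""
    return observe(lookup, conn, "2 and 1=1") != observe(lookup, conn, "2 and 1=2")


if __name__ == "__main__":
    db = make_db()
    for name, fn in [("vulnerable", lookup_vulnerable),
                     ("parameterized", lookup_parameterized),
                     ("validated", lookup_validated)]:
        print(f"{name:14s} boolean oracle visible: {oracle_visible(fn, db)}")
```

With the bound parameter, the string `2 and 1=1` is compared as a whole against the integer column and matches nothing, so both probes return the same empty page and the oracle disappears; the validated variant additionally rejects the input before the database is ever consulted, which is the version to prefer for numeric identifiers.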

time-based

This type of blind SQL injection relies on the database pausing for a specified amount of time, then returning the results, indicating successful SQL query execution. Using this method, an attacker enumerates each letter of the desired piece of data using the following logic:

If the first letter of the first database’s name is an ‘A’, wait for 10 seconds.

If the first letter of the first database’s name is a ‘B’, wait for 10 seconds, etc.

Microsoft SQL Server

http://www.site.com/vulnerable.php?id=1' waitfor delay '00:00:10'--

MySQL

SELECT IF(expression, true, false)

Using a time-consuming operation, e.g. BENCHMARK(), as the true branch will delay the server’s response if the expression is true.

BENCHMARK(5000000,ENCODE('MSG','by 5 seconds'))

will execute the ENCODE function 5000000 times.

Depending on the database server’s performance and load, it should take just a moment to finish this operation. The important thing is, from the attacker’s point of view, to specify a high-enough number of BENCHMARK() function repetitions to affect the database response time in a noticeable way.

Example combination of both queries:

1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;

If the database response took a long time, we may expect that the first user password character with user_id = 1 is character ‘2’.

(CHAR(50) == '2')

Using this method for the rest of characters, it’s possible to enumerate entire passwords stored in the database. This method works even when the attacker injects the SQL queries and the content of the vulnerable page doesn’t change.

Obviously, in this example, the names of the tables and the number of columns were specified. However, it’s possible to guess them or check with a trial and error method.

Databases other than MySQL also have time-based functions which allow them to be used for time-based attacks:

MS SQL: WAITFOR DELAY '0:0:10'
PostgreSQL: pg_sleep()

Conducting Blind SQL Injection attacks manually is very time consuming, but there are a lot of tools which automate this process. One of them is SQLMap, partly developed within the OWASP grant program. On the other hand, tools of this kind are very sensitive to even small deviations from the rule. This includes:

scanning other website clusters, where clocks are not ideally synchronized,
WWW services where the argument-passing method was changed, e.g. from /index.php?ID=10 to /ID,10

Remote Database Fingerprinting

If the attacker is able to determine when their query returns True or False, then they may fingerprint the RDBMS. This will make the whole attack much easier. If the time-based approach is used, this helps determine what type of database is in use. Another popular method to do this is to call functions which will return the current date. MySQL, MSSQL, and Oracle have different functions for that, respectively now(), getdate(), and sysdate().
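Because a blind injection leaves no error in the application log, the evidence of the time-based probes, the true/false pairs and the date-function fingerprinting described above lives in the access log: decoded request parameters containing BENCHMARK(), WAITFOR DELAY, pg_sleep(), `and 1=1`/`and 1=2` or now()/getdate()/sysdate(), often paired with a response that took several seconds. The detector below is an added example, not code from the OWASP article or from DVWA. It assumes a combined-style access log with the response time in milliseconds appended as a last field (an assumed format), uses the payloads quoted on this page as constructed sample lines, and tags each request with the kind of probe it resembles plus a slow-response marker.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (not real traffic): combined-style lines with the
# response time in milliseconds appended as a last field. The payload strings are the
# ones quoted in the article; the IPs are documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Dec/2021:10:00:00 +0000] "GET /items.php?id=2 HTTP/1.1" 200 5123 42
192.0.2.10 - - [09/Dec/2021:10:00:01 +0000] "GET /items.php?id=2%20and%201=2 HTTP/1.1" 200 812 40
192.0.2.10 - - [09/Dec/2021:10:00:02 +0000] "GET /items.php?id=2%20and%201=1 HTTP/1.1" 200 5123 41
192.0.2.10 - - [09/Dec/2021:10:00:03 +0000] "GET /items.php?id=1%20UNION%20SELECT%20IF(SUBSTRING(user_password,1,1)=CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by%205%20seconds')),null)%20FROM%20users%20WHERE%20user_id=1 HTTP/1.1" 200 812 5402
192.0.2.10 - - [09/Dec/2021:10:00:10 +0000] "GET /items.php?id=2%20and%20now()=now() HTTP/1.1" 200 5123 39
198.51.100.7 - - [09/Dec/2021:10:00:11 +0000] "GET /vulnerable.php?id=1'%20waitfor%20delay%20'00:00:10'-- HTTP/1.1" 200 812 10021
203.0.113.5 - - [09/Dec/2021:10:00:12 +0000] "GET /items.php?id=3 HTTP/1.1" 200 4990 38
"""

# Assumed log layout: client, ident, user, [timestamp], "request", status, bytes, rt_ms.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt_ms>\d+)$'
)

# Functions and constructs the article names, matched case-insensitively on the decoded URL.
TIME_BASED = re.compile(r"\b(benchmark|sleep|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
BOOLEAN_PROBE = re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b", re.I)
FINGERPRINT = re.compile(r"\b(now|getdate|sysdate)\s*\(\s*\)", re.I)

# Responses at or above this many milliseconds are flagged; the article's payloads aim
# for 5 or 10 second delays, so 5 s is a reasonable first threshold for a fast page.
SLOW_MS = 5000


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["rt_ms"] = int(entry["rt_ms"])
    return entry


def classify(entry):
    """Tag one parsed request with the probe types it resembles (empty list if none)."""
    decoded = unquote_plus(entry["path"])  # match on what the database would have seen
    tags = []
    if TIME_BASED.search(decoded):
        tags.append("time-based-payload")
    if BOOLEAN_PROBE.search(decoded):
        tags.append("boolean-probe")
    if FINGERPRINT.search(decoded):
        tags.append("db-fingerprint")
    if entry["rt_ms"] >= SLOW_MS:
        tags.append("slow-response")
    return tags


def scan(lines):
    """Run classify() over log lines; return the flagged requests in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append({"ip": entry["ip"], "path": entry["path"], "tags": tags})
    return findings


def suspicious_ips(findings, min_hits=2):
    """Clients with at least min_hits flagged requests; a blind attack needs many probes."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f["ip"], ", ".join(f["tags"]), f["path"])
    print("repeat offenders:", suspicious_ips(results))
```

Two points worth keeping in mind when using something like this: a single `and 1=1` in a URL is weak evidence on its own, so the per-client count is what turns individual hits into an alert; and because the article notes that MySQL, MSSQL and Oracle each expose different delay and date functions, the pattern lists have to cover every engine actually deployed behind the site, not just the one the developers had in mind.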

Original source: https://owasp.org/www-community/attacks/Blind_SQL_Injection
