Blind SQL Injection

SQL盲注详解：原理、方法及防范措施

最新推荐文章于 2025-06-18 16:18:21 发布

翻译最新推荐文章于 2025-06-18 16:18:21 发布 · 4.3k 阅读

渗透测试相关专栏收录该内容

37 篇文章

订阅专栏

本文深入探讨了SQL盲注攻击的原理、常见方法以及如何防范SQL盲注。包括基于内容和时间的盲注技术，以及如何通过SQLMap等工具自动化这一过程。同时，提供了关于避免SQL注入漏洞的控制措施和相关资源。

https://www.owasp.org/index.php/Blind_SQL_Injection

Description

Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

SQL盲注是一种典型的SQL注入攻击，该攻击询问数据库对的或者错的问题并根据应用程序的响应判断答案。该攻击常用于攻击可以显示常见错误信息且没有设置缓解代码的网络应用程序。

When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible.

当攻击者利用SQL注入攻击时，有时网页应用程序会显示来自数据库的错误信息（如SQL语句语法错误等）。SQL盲注几乎与一般的SQL相同，唯一的不同是从数据库中检索数据的方式不同。当数据库不向网页输出数据，攻击者只能通过向数据库发出一系列的正确或者错误的问题来窃取数据。这使得利用SQL注入漏洞更加困难，但是不是不可能利用SQL注入漏洞进行攻击。

Examples

An attacker may verify whether a sent request returned true or false in a few ways:

攻击者可以通过以下几种方式验证一个请求返回的是正确还是错误：

Content-based

基于内容的方法

Using a simple page, which displays an article with given ID as the parameter, the attacker may perform a couple of simple tests to determine if the page is vulnerable to SQL Injection attacks.

使用一个简单的页面，如指定ID参数显示一篇文章，攻击者可以进行一系列简单的测试来测试页面是否可以利用SQL注入进行攻击。

Example URL:

http://newspaper.com/items.php?id=2

sends the following query to the database:

SELECT title, description, body FROM items WHERE ID = 2

The attacker may then try to inject a query that returns 'false':

http://newspaper.com/items.php?id=2 and 1=2

Now the SQL query should looks like this:

SELECT title, description, body FROM items WHERE ID = 2 and 1=2

If the web application is vulnerable to SQL Injection, then it probably will not return anything. To make sure, the attacker will inject a query that will return 'true':

如果页面存在SQL注入漏洞，此次查询可能不返回任何东西。为了确定这个漏洞，攻击者可以插入一个可以返回true值的查询：

http://newspaper.com/items.php?id=2 and 1=1

If the content of the page that returns 'true' is different than that of the page that returns 'false', then the attacker is able to distinguish when the executed query returns true or false.

如果返回true的页面的内容与返回false的页面的内容不同，那么攻击者就可以区分查询语句什么情况返回的是true，什么情况返回的是false。

Once this has been verified, the only limitations are privileges set up by the database administrator, different SQL syntax, and the attacker's imagination.

一旦确定了上述问题，攻击者进行攻击的受限条件只有：数据库管理员的权限设置、不同的SQL语法和攻击者的想象力。

Time-based

基于时间的方法

This type of blind SQL injection relies on the database pausing for a specified amount of time, then returning the results, indicating successful SQL query executing. Using this method, an attacker enumerates each letter of the desired piece of data using the following logic:

该类型的SQL盲注依赖于数据库会暂停一段时间，并返回结果，意味着SQL查询执行成功。使用这个方法，攻击者对每个时间片枚举每个字符，类似于下面的逻辑：

If the first letter of the first database's name is an 'A', wait for 10 seconds.

If the first letter of the first database's name is an 'B', wait for 10 seconds. etc.

Microsoft SQL Server

http://www.site.com/vulnerable.php?id=1' waitfor delay '00:00:10'--

MySQL

SELECT IF(expression, true, false)

Using some time-taking operation e.g. BENCHMARK(), will delay server responses if the expression is True.

BENCHMARK(5000000,ENCODE('MSG','by 5 seconds'))

- will execute the ENCODE function 5000000 times.

Depending on the database server's performance and load, it should take just a moment to finish this operation. The important thing is, from the attacker's point of view, to specify a high-enough number of BENCHMARK() function repetitions to affect the database response time in a noticeable way.

根据数据库服务器的性能和负载情况，数据库可以使用一小段时间完成这个操作。从攻击者角度来看，重要的一点是攻击者可以以一种明显的方式指定足够多次的BENCHMARK()函数影响数据库的响应时间。

Example combination of both queries:

1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;

If the database response took a long time, we may expect that the first user password character with user_id = 1 is character '2'.

如果数据库响应花费大量时间，我们可能获得user_id为1的用户的密码的第一个字符，第一个字符为'2'.

(CHAR(50) == '2')

Using this method for the rest of characters, it's possible to enumerate entire passwords stored in the database. This method works even when the attacker injects the SQL queries and the content of the vulnerable page doesn't change.

Obviously, in this example, the names of the tables and the number of columns was specified. However, it's possible to guess them or check with a trial and error method.

Databases other than MySQL also have time-based functions which allow them to be used for time-based attacks:

MS SQL 'WAIT FOR DELAY '0:0:10
PostgreSQL - pg_sleep()

Conducting Blind_SQL_Injection attacks manually is very time consuming, but there are a lot of tools which automate this process. One of them is SQLMap (http://sqlmap.org/) partly developed within OWASP grant program. On the other hand, tools of this kind are very sensitive to even small deviations from the rule. This includes:

scanning other website clusters, where clocks are not ideally synchronized,
WWW services where argument acquiring method was changed, e.g. from /index.php?ID=10 to /ID,10

Remote Database Fingerprinting

If the attacker is able to determine when his query returns True or False, then he may fingerprint the RDBMS. This will make the whole attack much easier. If the time-based approach is used, this helps determine what type of database is in use. Another popular methods to do this is to call functions which will return the current date. MySQL, MSSQL, and Oracle have different functions for that, respectively now(), getdate(), and sysdate().