Blind SQL Injection

This article examines how blind SQL injection attacks work, the common methods used, and how to defend against them. It covers content-based and time-based blind injection techniques and how tools such as SQLMap automate the process, and it lists controls and related resources for avoiding SQL injection vulnerabilities.

https://www.owasp.org/index.php/Blind_SQL_Injection


Description

Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages but the code that is vulnerable to SQL injection has not been fixed.


When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible.



Examples

An attacker may verify whether a sent request returned true or false in a few ways:


Content-based


Using a simple page, which displays an article with given ID as the parameter, the attacker may perform a couple of simple tests to determine if the page is vulnerable to SQL Injection attacks.


Example URL:

http://newspaper.com/items.php?id=2

sends the following query to the database:

SELECT title, description, body FROM items WHERE ID = 2

The attacker may then try to inject a query that returns 'false':

http://newspaper.com/items.php?id=2 and 1=2

Now the SQL query should look like this:

SELECT title, description, body FROM items WHERE ID = 2 and 1=2

If the web application is vulnerable to SQL Injection, then it probably will not return anything. To make sure, the attacker will inject a query that will return 'true':


http://newspaper.com/items.php?id=2 and 1=1

If the content of the page that returns 'true' is different than that of the page that returns 'false', then the attacker is able to distinguish when the executed query returns true or false.


Once this has been verified, the only limitations are privileges set up by the database administrator, different SQL syntax, and the attacker's imagination.

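The content-based oracle described above, and the parameterised lookup that removes it, as an added example that is not part of the OWASP page. The newspaper.com `items.php` lookup is modelled with an in-memory SQLite table whose name and columns follow the query shown above; the row data is constructed.

```python
"""Content-based blind SQL injection oracle beside its parameterised fix.

Added example (not from the OWASP page). The items table and its columns
follow the query on the page; the single row is constructed sample data."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE items (ID INTEGER PRIMARY KEY, title TEXT, description TEXT, body TEXT)"
)
conn.execute("INSERT INTO items VALUES (2, 'Headline', 'Summary', 'Full text')")


def lookup_vulnerable(id_param: str):
    """Builds the query by string concatenation, the pattern the page
    describes: whatever arrives in ?id= becomes part of the SQL text."""
    query = f"SELECT title, description, body FROM items WHERE ID = {id_param}"
    return conn.execute(query).fetchall()


def lookup_safe(id_param: str):
    """Validates the type and binds the value as a parameter, so the input
    can only ever be compared as data and is never parsed as SQL."""
    try:
        item_id = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute(
        "SELECT title, description, body FROM items WHERE ID = ?", (item_id,)
    ).fetchall()


def is_boolean_oracle(id_true: str, id_false: str) -> bool:
    """Security-test helper: the vulnerable lookup is a usable oracle when
    the 'true' and 'false' variants of the parameter yield different pages."""
    return lookup_vulnerable(id_true) != lookup_vulnerable(id_false)
```

With the vulnerable lookup, `2 and 1=1` returns the article and `2 and 1=2` returns nothing, which is exactly the difference the attacker needs; the safe lookup rejects both before any query runs.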

Time-based


This type of blind SQL injection relies on the database pausing for a specified amount of time before returning the results, which indicates that the injected SQL query executed successfully. Using this method, an attacker enumerates each letter of the desired piece of data using the following logic:


If the first letter of the first database's name is an 'A', wait for 10 seconds.

If the first letter of the first database's name is a 'B', wait for 10 seconds, and so on.

Microsoft SQL Server

http://www.site.com/vulnerable.php?id=1' waitfor delay '00:00:10'--

MySQL

SELECT IF(expression, true, false)

Using a time-consuming operation, e.g. BENCHMARK(), as the 'true' branch will delay the server's response if the expression is true.

BENCHMARK(5000000,ENCODE('MSG','by 5 seconds'))
- will execute the ENCODE function 5000000 times.

Depending on the database server's performance and load, it should take just a moment to finish this operation. The important thing is, from the attacker's point of view, to specify a high-enough number of BENCHMARK() function repetitions to affect the database response time in a noticeable way.


Example combination of both queries:

1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;

If the database response took a long time, we may expect that the first user password character with user_id = 1 is character '2'.


(CHAR(50) == '2')

Using this method for the rest of characters, it's possible to enumerate entire passwords stored in the database. This method works even when the attacker injects the SQL queries and the content of the vulnerable page doesn't change.

Obviously, in this example, the names of the tables and the number of columns were already known. However, it is possible to guess them or to determine them by trial and error.

Databases other than MySQL also have time-based functions which allow them to be used for time-based attacks:

  • MS SQL - WAITFOR DELAY '0:0:10'
  • PostgreSQL - pg_sleep()

Conducting Blind SQL Injection attacks manually is very time consuming, but there are a lot of tools which automate this process. One of them is SQLMap (http://sqlmap.org/), partly developed within the OWASP grant program. On the other hand, tools of this kind are very sensitive to even small deviations from the expected behaviour. This includes:

  • scanning sites served by other web clusters, where clocks are not perfectly synchronized,
  • web services where the way arguments are passed has been changed, e.g. from /index.php?ID=10 to /ID,10
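Because a time-based payload leaves the page content unchanged, the defender's signal is the request itself and its latency. The following is an added example, not part of the OWASP page, that flags the delay primitives named above (WAITFOR DELAY, BENCHMARK(), pg_sleep()) and unusually slow responses in web access logs; the one-request-per-line log format ('client path status duration_ms') and the sample lines are constructed.

```python
"""Detecting time-based blind SQL injection attempts in web access logs.

Added example (not from the OWASP page). Assumed log format: one request
per line as 'client path status duration_ms'. The delay primitives searched
for are the ones the page names: WAITFOR DELAY, BENCHMARK() and pg_sleep()."""
import re
from urllib.parse import unquote_plus

# Matched case-insensitively after URL decoding, so %27, + and mixed case
# in the query string do not hide the primitive.
DELAY_PATTERNS = re.compile(r"waitfor\s+delay|benchmark\s*\(|pg_sleep\s*\(", re.I)


def parse_line(line: str):
    """Splits a log line into (client, decoded path, status, duration_ms)."""
    client, path, status, duration = line.split()
    return client, unquote_plus(path), int(status), int(duration)


def flag_time_based(lines, slow_ms: int = 5000):
    """Returns (client, decoded path, reason) for each suspicious request.

    A request is flagged when its query string carries a delay primitive, or,
    failing that, when it took at least slow_ms: a sustained delay on a page
    whose content did not change is the only trace this technique leaves."""
    findings = []
    for line in lines:
        client, path, _status, duration = parse_line(line)
        if DELAY_PATTERNS.search(path):
            findings.append((client, path, "delay primitive in request"))
        elif duration >= slow_ms:
            findings.append((client, path, f"slow response ({duration} ms)"))
    return findings


# Constructed sample log lines (not real traffic); the two payloads are the
# ones quoted on the page, URL-encoded as a browser or tool would send them.
SAMPLE_LOG = [
    "10.0.0.5 /items.php?id=2 200 42",
    "10.0.0.9 /vulnerable.php?id=1%27+waitfor+delay+%2700:00:10%27-- 200 10031",
    "10.0.0.9 /items.php?id=1+UNION+SELECT+IF(SUBSTRING(user_password,1,1)"
    "%3DCHAR(50),BENCHMARK(5000000,ENCODE(%27MSG%27,%27by+5+seconds%27)),null)"
    "+FROM+users+WHERE+user_id%3D1 200 5210",
    "10.0.0.7 /report.php?id=9 200 6100",
]
```

The slow-response rule alone will also catch ordinary heavy pages, so in practice the latency threshold is tuned per endpoint and correlated with repeated requests from the same client varying one parameter.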

Remote Database Fingerprinting

If the attacker is able to determine when his query returns true or false, then he may fingerprint the RDBMS. This makes the whole attack much easier. If the time-based approach is used, the delay function that works already reveals what type of database is in use. Another popular method is to call the function that returns the current date: MySQL, MSSQL, and Oracle use different functions for that, respectively now(), getdate(), and sysdate().

Related Threat Agents

Same as for SQL Injection

Related Controls

See the OWASP Development Guide article on how to Avoid SQL Injection Vulnerabilities. 
See the OWASP SQL Injection Prevention Cheat Sheet.

See the OWASP Code Review Guide article on how to Review Code for SQL Injection Vulnerabilities.

See the OWASP Testing Guide article on how to Test for SQL Injection Vulnerabilities.

