What is Blind SQL Injection? (什么是SQL盲注?)

When an attacker executes SQL Injection attacks sometimes the server responds with error messages from the database server complaining that the SQL Query's syntax is incorrect. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application rather then getting a useful error message they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through sql statements.

Additional information on SQL injection including useful articles and links can be found at our SQL Injection page below http://www.cgisecurity.com/development/sql.shtml

中文翻译:

当攻击者执行SQL注入攻击有时服务器回应错误讯息,抱怨说,数据库服务器的SQL查询的语法是不正确的。盲目的SQL注入是相同的,除了正常的SQL注入时,攻击者试图利用一个应用,而不是得到一个有用的错误信息,他们得到一个通用网页指定的开发商代替。这使得利用一个潜在的SQL注入攻击变得更加困难,但不是不可能。攻击者可以窃取数据仍然要求一系列的真假问题,通过SQL语句。

欲了解更多有关SQL注入包括有用的文章和链接可以找到我们的SQL注入页以下http://www.cgisecurity.com/development/sql.shtml

一个IBM员工制作的SQL盲注视频:
http://download.boulder.ibm.com/ibmdl/pub/software/dw/richmedia/rational/08/appscan_demos/blindsqlinjection/viewer.swf

Related Posts