mysql盲注常用函数

mysql盲注常用函数

char_length(str),length(str)

计算字符串长度(length() 按字节计算,char_length() 按字符计算,遇到多字节字符时两者结果不同)

eg:select length(database());

mysql> select database();
+------------+
| database() |
+------------+
| django     |
+------------+
1 row in set (0.00 sec)

mysql> select length(database());
+--------------------+
| length(database()) |
+--------------------+
|                  6 |
+--------------------+
1 row in set (0.24 sec)

mysql> select length(database())>6;
+----------------------+
| length(database())>6 |
+----------------------+
|                    0 |
+----------------------+

1 row in set (0.05 sec)

left(str,numbers)
从左开始截取字符串 str 的前 numbers 个字符

eg: select left(database(),2);

mysql> select database();
+------------+
| database() |
+------------+
| django     |
+------------+
1 row in set (0.00 sec)
mysql> select left(database(),2);
+--------------------+
| left(database(),2) |
+--------------------+
| dj                 |
+--------------------+
1 row in set (0.00 sec)
mysql> select left(database(),2)='dj';
+-------------------------+
| left(database(),2)='dj' |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.10 sec)
mysql> select left(database(),2)='q';
+------------------------+
| left(database(),2)='q' |
+------------------------+
|                      0 |
+------------------------+
1 row in set (0.00 sec)

substring(str,start,number),substr(str,start,number)

从第 start 个位置(从 1 开始计数)取出 number 个字符

eg:select substr((select database()),1,1);

mysql> select database();
+------------+
| database() |
+------------+
| django     |
+------------+
1 row in set (0.00 sec)
mysql> select substr((select database()),1,1);
+---------------------------------+
| substr((select database()),1,1) |
+---------------------------------+
| d                               |
+---------------------------------+
1 row in set (0.43 sec)
mysql> select substr((select database()),1,1)='a';
+-------------------------------------+
| substr((select database()),1,1)='a' |
+-------------------------------------+
|                                   0 |
+-------------------------------------+
1 row in set (0.00 sec)
mysql> select substr((select database()),1,1)='d';
+-------------------------------------+
| substr((select database()),1,1)='d' |
+-------------------------------------+
|                                   1 |
+-------------------------------------+
1 row in set (0.00 sec)

mid(str,start,number)

从第 start 个位置(从 1 开始计数)取出 number 个字符,与 substr() 用法相同

eg:select mid(database(),1,1);

mysql> select database();
+------------+
| database() |
+------------+
| django     |
+------------+
1 row in set (0.00 sec)
mysql> select mid(database(),1,1);
+---------------------+
| mid(database(),1,1) |
+---------------------+
| d                   |
+---------------------+
1 row in set (0.00 sec)
mysql> select mid(database(),2,2);
+---------------------+
| mid(database(),2,2) |
+---------------------+
| ja                  |
+---------------------+
1 row in set (0.00 sec)

ord(str)

返回字符串最左侧第一个字符的 ascii 码

eg:select ord(database());

mysql> select database();
+------------+
| database() |
+------------+
| django     |
+------------+
1 row in set (0.00 sec)
mysql> select ord(database());
+-----------------+
| ord(database()) |
+-----------------+
|             100 |
+-----------------+
1 row in set (0.43 sec)
mysql> select ord('a');
+----------+
| ord('a') |
+----------+
|       97 |
+----------+
1 row in set (0.00 sec)
mysql> select ord(database())=100;
+---------------------+
| ord(database())=100 |
+---------------------+
|                   1 |
+---------------------+
1 row in set (0.00 sec)
mysql> select ord(database())=0;
+-------------------+
| ord(database())=0 |
+-------------------+
|                 0 |
+-------------------+
1 row in set (0.00 sec)

ascii(str)

取出最左侧的第一位字符的ascii码

eg:select ascii(database());

基本上与 ord() 函数相同.

limit m,n 限制输出行数

从第 m 行(m 从 0 开始计数)开始取出 n 行记录,注意作用对象是结果集的行而不是字符

eg:select username from users limit 0,1;

mysql> select name from login_user;
+---------+
| name    |
+---------+
| HORIZON |
| lenovo  |
| tbw     |
+---------+
3 rows in set (0.38 sec)
mysql> select name from login_user limit 0,1;
+---------+
| name    |
+---------+
| HORIZON |
+---------+
1 row in set (0.00 sec)
mysql> select name from login_user limit 2,2;
+------+
| name |
+------+
| tbw  |
+------+
1 row in set (0.00 sec)
mysql> select name from login_user limit 0,2;
+---------+
| name    |
+---------+
| HORIZON |
| lenovo  |
+---------+
2 rows in set (0.00 sec)

updatexml(XML_document,XPath_string,new_value)

updatexml() 的错误信息只会显示从第一个特殊字符开始的内容,因此需要构造一个特殊字符(如反引号 ` 或波浪号 ~),把查询结果与该特殊字符拼接后,错误信息就会从最开始的特殊字符(包括该特殊字符本身)开始截取,最多显示 32 位

eg:select updatexml(1,concat('~',(select database()),'~'),1);

mysql> select updatexml(1,concat('~',(select database()),'~'),1);
ERROR 1105 (HY000): XPATH syntax error: '~django~'

count(*)

计算结果集的行数

eg:select count(*) from users;

mysql> select schema_name from information_schema.schemata;
+---------------------------+
| SCHEMA_NAME               |
+---------------------------+
| mysql                     |
| information_schema        |
| performance_schema        |
| sys                       |
| django                    |
| ssh                       |
| jspmlsgswhsg5576b2b6mysql |
+---------------------------+
7 rows in set (0.11 sec)
mysql> select count(*) from information_schema.schemata;
+----------+
| count(*) |
+----------+
|        7 |
+----------+
1 row in set (0.14 sec)