BlankのBlog

Common functions for SQL blind injection

Word count: 269 Topic: web Tag: 2018-03

When a SQL injection point returns no visible output, we fall back on blind injection: the data we want has to be guessed one character at a time, and that requires functions that cut a substring out of a string.

mid()

mid() function syntax

SELECT MID(column_name,start[,length]) FROM table_name;

Parameters
column_name    required, the column to take the substring from
start          required, the position to start from (default 1)
length         optional, the number of characters to take; if omitted, everything to the end of the string is kept

Example:

mysql> select mid('123456',1,1);
+-------------------+
| mid('123456',1,1) |
+-------------------+
| 1                 |
+-------------------+
1 row in set (0.00 sec)

mysql> select mid('123456',1);
+-----------------+
| mid('123456',1) |
+-----------------+
| 123456          |
+-----------------+
1 row in set (0.00 sec)

mysql> select mid('123456',2,3);
+-------------------+
| mid('123456',2,3) |
+-------------------+
| 234               |
+-------------------+
1 row in set (0.00 sec)

Check whether the ASCII value of the first character of the current database name is greater than 'a':

mysql> select mid(database(),1,1)>'a';
+-------------------------+
| mid(database(),1,1)>'a' |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)

substr()

Its parameters and behaviour are the same as mid(), so they are not repeated here.

mysql> select substr('123456',2,3);
+----------------------+
| substr('123456',2,3) |
+----------------------+
| 234                  |
+----------------------+
1 row in set (0.00 sec)

left()

left() returns the first n characters of a string, counted from the left.

Function syntax

left(string,n)
string    the string to take characters from
n         the number of characters to keep

mysql> select left('123456',3);
+------------------+
| left('123456',3) |
+------------------+
| 123              |
+------------------+
1 row in set (0.00 sec)

mysql> select left(database(),1)>'s';
+------------------------+
| left(database(),1)>'s' |
+------------------------+
|                      1 |
+------------------------+
1 row in set (0.00 sec)

ord()

ord() returns the ASCII value of the first character of a string.

mysql> select ord(database());
+-----------------+
| ord(database()) |
+-----------------+
|             116 |
+-----------------+
1 row in set (2.28 sec)

REGEXP (regular expressions)

Usage examples

mysql> select mid(database(),1,1) REGEXP '^[a-z]'>0;
+---------------------------------------+
| mid(database(),1,1) REGEXP '^[a-z]'>0 |
+---------------------------------------+
|                                     1 |
+---------------------------------------+
1 row in set (0.00 sec)

mysql> select mid(database(),1,1) REGEXP '^t'>0;
+-----------------------------------+
| mid(database(),1,1) REGEXP '^t'>0 |
+-----------------------------------+
|                                 1 |
+-----------------------------------+
1 row in set (0.00 sec)

MySQL's LIKE keyword

In a LIKE pattern, "_" matches exactly one character and "%" matches any number of characters; without either of these wildcards, LIKE behaves the same as =.

mysql> select database() like 'te%';
+-----------------------+
| database() like 'te%' |
+-----------------------+
|                     1 |
+-----------------------+
1 row in set (0.00 sec)

mysql> select database() like 'te_';
+-----------------------+
| database() like 'te_' |
+-----------------------+
|                     0 |
+-----------------------+
1 row in set (0.00 sec)
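The functions collected above (mid/substr, left, ord, REGEXP, LIKE) are also exactly what a defender looks for in web server logs. As an added illustration that is not part of the original post, here is a small Python detector that applies the post's list from the detection side: it URL-decodes the request path of each access-log line and flags substring/ASCII comparisons, REGEXP probes and LIKE wildcard probes aimed at database(), the function every example on this page queries. The log format, the sample lines, the IP addresses and the pattern names are my own constructions; substring() and ascii(), which the post does not list, are included as MySQL synonyms of substr() and ord().

```python
import re
from urllib.parse import unquote_plus

# Extraction functions from the post (mid, substr, left, ord) plus their
# MySQL synonyms substring() and ascii(), each followed by an opening paren.
EXTRACT_FUNC = r"\b(?:mid|substr|substring|left|ord|ascii)\s*\("
COMPARE_OP = r"(?:>=|<=|<>|!=|>|<|=)"

# One pattern per probing technique shown in the post.
PATTERNS = {
    # mid(database(),1,1)>'a', ord(mid(...))>116, left(database(),1)>'s'
    "substring_compare": re.compile(EXTRACT_FUNC + r".*?\)\s*" + COMPARE_OP, re.I | re.S),
    # mid(database(),1,1) REGEXP '^t'
    "regexp_probe": re.compile(r"\bregexp\s+'", re.I),
    # database() like 'te%' / 'te_'
    "like_wildcard_probe": re.compile(r"\blike\s+'[^']*[%_]", re.I),
    # the schema function every example on the page probes
    "schema_function": re.compile(r"\bdatabase\s*\(\s*\)", re.I),
}

# Assumed common-log-style line: ip ident user [ts] "METHOD path HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). Two benign requests frame
# five that carry the probes from the post, URL-encoded as a server logs them.
SAMPLE_LOG = [
    '198.51.100.4 - - [12/Mar/2018:10:00:01 +0800] "GET /item.php?id=12 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2018:10:00:05 +0800] "GET /item.php?id=1%20and%20mid(database(),1,1)>%27a%27 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2018:10:00:06 +0800] "GET /item.php?id=1%20and%20ord(mid(database(),1,1))%3E116 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2018:10:00:07 +0800] "GET /item.php?id=1%20and%20left(database(),1)>%27s%27 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2018:10:00:08 +0800] "GET /item.php?id=1%20and%20mid(database(),1,1)%20REGEXP%20%27%5Et%27>0 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2018:10:00:09 +0800] "GET /item.php?id=1%20and%20database()%20like%20%27te%25%27 HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Mar/2018:10:00:10 +0800] "GET /search.php?q=left+handed HTTP/1.1" 200 2048',
]


def normalise(raw: str) -> str:
    """URL-decode until stable (handles encoded-twice input) and squeeze whitespace."""
    cur = raw
    for _ in range(3):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return re.sub(r"\s+", " ", cur)


def classify(value: str) -> list:
    """Return the names of every probe pattern that matches the decoded value."""
    decoded = normalise(value)
    return [name for name, pat in PATTERNS.items() if pat.search(decoded)]


def scan_access_log(lines) -> list:
    """Parse each log line and collect the requests that trip at least one pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        tags = classify(m.group("path"))
        if tags:
            findings.append({"ip": m.group("ip"), "path": m.group("path"), "tags": tags})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], ",".join(f["tags"]), f["path"])
```

The benign search for "left handed" shows why the patterns require an opening parenthesis after the function name: a bare keyword in a search term is not a probe. Decoding before matching matters because the server stores the request with %20, %27 and %25 in place of the space, quote and percent characters that the MySQL sessions above show literally.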
After a thousand sails have passed, do not forget your original aspiration.