Boolean Blind
Task: sqli_labs_08, Boolean blind injection, get database name
1. Use single quotes and double quotes to determine how the parameter is quoted, and observe whether anything is echoed. Nothing is echoed, but the page does change in other ways.
2. Blind injection therefore applies: the page's Boolean (true/false) behaviour shows whether each guess is correct.
http://localhost/sqli_labs/Less-8/?id=5' and 1=2 --+
Blind guessing
Guess the database length
Use the length() function to guess the length of the database name, then use the page's response to judge whether the guess is correct.
http://localhost/sqli_labs/Less-8/?id=5' and length(database())>8 --+
Guess the database name
Guess the first letter:
http://localhost/sqli_labs/Less-8/?id=5' and ascii(substr((select database()),1,1))=115--+
Guess the second letter:
http://localhost/sqli_labs/Less-8/?id=5' and ascii(substr((select database()),2,1))=101--+
Guess the ... letter ...
After guessing the length of the database name, use the substr() function to extract the database name one character at a time, use the ascii() function to convert each extracted character to its ASCII code, and compare that code within the range of 126 numbers (binary search is recommended to reduce the number of comparisons). The page's response shows whether each guess is correct; finally, convert the correct ASCII codes back into the corresponding characters.
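Why the page answers true/false at all, and how binding the parameter removes that signal, as an added example that is not part of the original article or of sqli-labs. It assumes an in-memory SQLite table standing in for the lab's MySQL table; the table contents, the FOUND/EMPTY responses, the `1=1` counterpart probe and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; stands in for the lab's MySQL table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(i, f"user{i}") for i in range(1, 9)])
    return db

def page_concatenated(db, raw_id):
    # Vulnerable pattern: the parameter is pasted into the SQL text,
    # so a quote in it ends the string literal and the rest runs as SQL.
    sql = "SELECT username FROM users WHERE id='" + raw_id + "' LIMIT 1"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        row = None  # errors are hidden, as on a page with no echo
    return "FOUND" if row else "EMPTY"

def page_parameterized(db, raw_id):
    # Hardened pattern: the parameter is bound as a value and is never
    # parsed as SQL, whatever characters it contains.
    row = db.execute("SELECT username FROM users WHERE id=? LIMIT 1",
                     (raw_id,)).fetchone()
    return "FOUND" if row else "EMPTY"

# URL-decoded form of the article's probe ("--+" decodes to "-- "),
# plus its always-true counterpart.
TRUE_PROBE = "5' and 1=1 -- "
FALSE_PROBE = "5' and 1=2 -- "

def has_boolean_oracle(page, db):
    # A Boolean oracle exists when the response tracks the injected condition.
    return page(db, TRUE_PROBE) != page(db, FALSE_PROBE)

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", has_boolean_oracle(page_concatenated, db))
    print("parameterized:", has_boolean_oracle(page_parameterized, db))
```

The `has_boolean_oracle` check can be kept as a regression test for any handler that builds a query from request input.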