Mozi SQL injection -MYSQL database combat environment
Practice Step
1, the injection point decision
Enter single quotation marks, an error message:
Input and 1 = 1 Back to Normal:
Input and 1 = 2 to return to normal
Enter -1, returns the exception:
2, sqlmap inquiry into the information
query the database version information (in fact, this step can be skipped with sqlmap this important step in the manual injection)
enter the command:
Search result: that database version, etc.
3, query the database name
enter the command:
Search result: the query to the database there are five database
4, we need to query the user name and password for the database table in which
enter the command: Here we are now, according to experience judgment stormgroup table has the information we need, not sure if you can put each table query again
5, we need to query field in which the table
enter the command:
Search result: There are three fields in the member table, we need to just name, password field.
6, query field contents
enter the command: We only blast the username and password fields, with the other as required. We added a -batch option, on behalf of the Executive in accordance with the default option. (Save us a lot of input, etc. yes no.)
Search result: There are two passwords do not know why, we were to get a password Baidu query MD5, log on separately.
7, log on to take key
Boolean Blinds: sql injection is carried out when the page is no return value.