Sqli-labs (vii)

Source: Internet
Author: User

Level 13:

This is also a login form. As described before, first try ' and " to make the program raise an error, then infer the back-end SQL statement from the error message.

You can see that the back-end SQL is probably of the form where name = ('$name') ...

Submitting the POST data uname=1') or '1'='1' #&passwd=1&submit=submit logs in successfully.

However, the page does not display an account name or password after login, so the union query from the previous levels cannot be used. Try an error-based query instead; enter

uname=1&passwd=1') and extractvalue(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata limit 0,1))) #&submit=submit

The database names are successfully leaked through the error message! Note that with the group_concat function there is no need to query row by row with limit.

In fact, this level is mainly meant to test double query injection (the floor error-based query), but since the extractvalue error works here, I will not continue with it.

Level 14:

This is similar to level 13, except that the quote characters around the input are different; to work out which ones, again try ' and ".

One more note: login forms very often show no error message at all, so how do you work out how the back-end SQL is concatenated? My current approach is to build a dictionary of inputs such as 1' or '1'='1' #; 1" or "1"="1" #; 1') or '1'='1' #; 1") or "1"="1" # and so on, and then fuzz with it.

Level 15:

Well, I just discussed what to do when there is no error message, and this level is exactly that case! (To tell you the truth, I had not looked at this level when I wrote the paragraph above.)

When I first saw this level I entered ' " directly as usual and found that no error message is shown, so this time the back-end concatenation cannot be determined directly from an error.

The fuzzing approach above would work here, but I will look directly at the back-end implementation instead.

The back end simply wraps the input in single quotes. The account name and password are not shown after a successful login, so only blind injection can be used.

I remember trying blind injection back in level 11 without success. The situation here is actually the same as in level 11; after searching online, I found that the blind injection condition should be

or (ascii(substr((select database()) ,1,1))) >64
and cannot be or ascii(substr((select database()) ,1,1)) >64

Submitting the POST data uname=1' or (ascii(substr(user(),1,1)))>64 #&passwd=1&submit=submit logs in successfully.

Enter uname=1' or (ascii(substr(user(),1,1)))>200 #&passwd=1&submit=submit

The login fails. I will not continue from here; with binary search, the value can be determined one character at a time.
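
An added example, not part of the original post: the level 13 style ('...') concatenation next to a parameterized query, showing that the login bypass and the level 15 true/false probes stop working once the input is bound as data. It assumes an in-memory SQLite table standing in for the lab's MySQL back end, so "-- " replaces "#", unicode() replaces ascii(), and the literal 'root' replaces user(); the table, credentials and function names are constructed.

```python
import sqlite3

# Constructed stand-in for the lab's users table (in-memory SQLite, not MySQL).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return db

def login_concat(db, uname, passwd):
    """Vulnerable: input is pasted into ('...') as in level 13."""
    sql = ("SELECT username FROM users WHERE username=('%s') "
           "AND password=('%s') LIMIT 1" % (uname, passwd))
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a lab page would print the SQL error here

def login_bound(db, uname, passwd):
    """Hardened: values are bound as parameters, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username=(?) AND password=(?) LIMIT 1"
    return db.execute(sql, (uname, passwd)).fetchone() is not None

# The page's input shapes, adapted to SQLite syntax (assumption):
# "-- " replaces "#", unicode() replaces ascii(), a literal replaces user().
BYPASS = "1') or '1'='1' -- "
PROBE_TRUE = "1') or (unicode(substr('root',1,1)))>64 -- "
PROBE_FALSE = "1') or (unicode(substr('root',1,1)))>200 -- "

def outcomes(login):
    """Login result for the bypass, the >64 probe and the >200 probe."""
    db = make_db()
    return [login(db, u, "1") for u in (BYPASS, PROBE_TRUE, PROBE_FALSE)]

if __name__ == "__main__":
    print("concatenated:", outcomes(login_concat))  # [True, True, False]
    print("bound:       ", outcomes(login_bound))   # [False, False, False]
```

With concatenation the >64 and >200 probes give different login results, which is the true/false signal blind injection relies on; with bound parameters every such input is just a non-matching username.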
