13th Pass:
This is also a login page. As before, first try ' and " to make the program throw an error, then infer from the message how the SQL statement is assembled in the backend.
From the error you can see that the backend SQL is roughly where name=('$name') ... and so on.
POSTing uname=1') or '1'='1' #&passwd=1&submit=submit logs in successfully.
However, no account or password is displayed, so the union query from the previous level cannot be used here. Try error-based injection instead; enter
uname=1&passwd=1') and extractvalue(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata limit 0,1)) #&submit=submit
and the database name is successfully leaked through the error message. Note that since group_concat already aggregates every row, the limit clause is not needed.
In fact, the intended exercise here is double query injection (the floor()-based error injection), but since extractvalue works just as well, I will not go further into that.
14th Pass:
This is similar to the 13th level, except that the single quote ' becomes a double quote "; it is judged and exploited the same way, just with " in place of '.
One more note: login forms often give no error message at all, so how do you work out how the backend SQL is concatenated? My current approach is to put payloads like 1' or '1'='1' #; 1" or "1"="1" #; 1') or '1'='1' #; 1") or "1"="1" # into a dictionary and fuzz with it.
15th Pass:
Above I just described what to do when there is no error message, and this level is exactly that case! (To tell you the truth, I had not looked at this level yet when I wrote the paragraph above.)
When I looked at this level and entered ' or " directly, there was no error message, so the backend's concatenation can no longer be inferred directly from errors.
It could be judged with the fuzzing approach above, but here I will look straight at the backend implementation.
The backend simply wraps the input in single quotes, and after a successful login it does not display the account password, so only blind injection is possible.
I remember trying blind injection on the 11th level before without success; the situation here is actually the same as the 11th. After searching online I found that the blind condition must be written as
or (ascii(substr((select database()),1,1))) >64
and not as or ascii(substr((select database()),1,1)) >64
POSTing uname=1' or (ascii(substr(user()))) >64 #&passwd=1&submit=submit logs in successfully.
Entering uname=1' or (ascii(substr(user()))) >200 #&passwd=1&submit=submit
fails to log in. I will not continue beyond this; a binary search can then be used to determine the characters one by one.
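As an added example (not part of the original writeup), here is a small Python triage function a defender could run over captured POST bodies to spot the three probing styles discussed in passes 13 to 15: quote or parenthesis imbalance from the initial ' and " tests, error-based extractvalue() calls, and the ascii(substr()) comparisons of the boolean blind. The sample bodies are constructed here, modelled on the requests above; the parameter names uname and passwd are the ones the sqli-labs login form uses.

```python
import re
from urllib.parse import parse_qs

# Signatures drawn from the probing styles used against passes 13 to 15 above.
# Matching is case-insensitive and whitespace-tolerant because the payloads
# in the walkthrough vary in both.
SIGNATURES = [
    ("tautology", re.compile(r"""\bor\s*['"]?\s*1\s*['"]?\s*=\s*['"]?\s*1""", re.I)),
    ("error-based extractvalue", re.compile(r"\bextractvalue\s*\(", re.I)),
    ("boolean-blind ascii/substr", re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I)),
    ("trailing SQL comment", re.compile(r"(#|--\s*)$")),
]


def quote_imbalance(value):
    """True when quotes or parentheses do not pair up: the lone ' or " probe
    the walkthrough starts each pass with, or a payload that closes the
    application's own ('...') wrapper."""
    return (value.count("'") % 2 == 1
            or value.count('"') % 2 == 1
            or value.count("(") != value.count(")"))


def inspect_body(body):
    """Return {param: [labels]} for every suspicious value in a
    form-encoded POST body such as the ones the login form receives."""
    findings = {}
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            labels = [label for label, rx in SIGNATURES if rx.search(value)]
            if quote_imbalance(value):
                labels.append("unbalanced quotes/parentheses")
            if labels:
                findings.setdefault(param, []).extend(labels)
    return findings


if __name__ == "__main__":
    # Constructed sample bodies modelled on the requests above (not real traffic).
    samples = [
        "uname=Dumb&passwd=Dumb&submit=Submit",
        "uname=1') or '1'='1' #&passwd=1&submit=submit",
        "uname=1&passwd=1') and extractvalue(1,concat(0x7e,(select user())))#",
        "uname=1' or (ascii(substr(user(),1,1)))>64 #&passwd=1&submit=submit",
    ]
    for body in samples:
        print(body, "->", inspect_body(body) or "clean")
```

A legitimate apostrophe in input (a surname such as O'Brien) will trip the imbalance check, so treat the labels as triage hints to correlate with the response, not as a blocking decision on their own.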