The shooting range address used is Chapter 2 of fengshentai ： Encounter obstacles ！ Bypass WAF Filter ！【 Supporting class hours ：SQL Injection attack principle Practical drill 】
Experimental environment ：https://hack.zkaq.cn/battle

http://kypt8004.ia.aqlab.cn/shownews.asp?id=171

Method 1

Delete id Back grab

First step ： Determine whether the target website has sql Inject holes .（ The core of blind Injection ）

and 1=1 ->  The page has content 
and 1=2  ->  The page has no content 
	==>   The website has sql Inject a hole .

sql Inject holes ： We're on a website , Enter the database statement , If this website performs , Then it shows that there is a database injection vulnerability in this website .
–》 Backstepping .
Suppose this website has a database injection vulnerability , So the database we entered , This website will execute .

notes ： When using cookie In the process of parameter transmission , The content of parameter transfer needs to be URL Coded .

notes ： Before that, you should use and 1=1 First check whether the page returns to normal , Sometimes an error is reported because the statement is filtered , If and1=1 Return to page normal , however and 1=2 Error returning to page , Then it means that there is SQL Inject .

The second step ： Determine the number of columns in the table of the website

order by 1 -->  The page has content , Explain that there are... In the table of the website 1 Column .
order by 2 -->  The page has content , Explain that there are... In the table of the website 2 Column .
order by 3 -->  The page has no content , Explain that there is no... In the table of the website 3 Column .
	==>  Only 2 Column .

The third step ： Judge the echo point （ The core of error display ）

and 1=2 union select 1,2

notes : Because the website uses access database , The grammar is very regular , So add from Table name , If it is MySQL You don't have to .
error correction ： “ So I know the name of the library is admin” Should be “ So I know the table name is admin”



notes ： Echo points are not always displayed on the web page , At this time, you need to go to the web page source code to have a look

Step four ： Query relevant data

database() #  function , effect ： Check the name of the library .
and 1=2 union select 1,database()  

take b9a2a2b5dffb918c Conduct MD5 decode , obtain welcome

Method 2
The steps are the same as method 1 , But method two doesn't use burp Tools ,cookie Values do not need to be url code
Just to show you
document.cookie = “id=” + escape(“171 and 1=2 union select 1,2,3,4,5,6,7,8,9,10 from admin”) # Set up cookie The way , This javascript Code .
escape() # function , effect ：url code .

Last , Thank you, Mr. Jess, for your open class !