Blind injection is SQL injection in which the page does not display the value returned by the database, so the content has to be inferred (guessed) one piece at a time. Blind injection is generally divided into Boolean-based, time-based and error-based blind injection. The main explanation here is of Boolean-based blind injection.
length(): returns the length of a string
substr(): extracts a substring
ascii(): returns the ASCII code of a character
sleep(n): pauses execution for n seconds
if(expr1, expr2, expr3): if expr1 is true, the second expression is evaluated; otherwise the third
Of course, if the functions above are disabled, equivalent functions can be substituted; these can be found with a Baidu search.
Boolean-based
The page only ever returns two kinds of response, a True page and a False page. Using the difference between the two pages, the data is guessed one character at a time.
http://127.0.0.1/less-8?id=1'and (length(database()))>10 --+
If the length of the current database name (database()) is greater than 10, the page returns the True page; otherwise it returns the False page.
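The True/False page behaviour above only exists because the id value is spliced into the SQL text. The added example below (not code from the original post or from sqli-labs) reproduces that vulnerable pattern against a constructed in-memory SQLite table, places the parameterized fix beside it, and uses the two-probe comparison as a regression check that the fix closes the oracle. SQLite has no database() function, so a fixed string stands in for the value being guessed; the table name, the sample rows and the probe strings are all assumptions made for the example.

```python
import sqlite3

# Constructed in-memory stand-in for a "users" table (sample rows, not real data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "Dumb"), (2, "Angelina")])
    return conn

def page_vulnerable(conn: sqlite3.Connection, user_id: str) -> bool:
    """Vulnerable pattern: the id parameter is spliced into the SQL text.
    Returns True when a row comes back (the 'True' page), False otherwise."""
    sql = f"SELECT username FROM users WHERE id='{user_id}' LIMIT 1"
    return conn.execute(sql).fetchone() is not None

def page_parameterized(conn: sqlite3.Connection, user_id: str) -> bool:
    """Fixed pattern: the id is bound as a value and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchone() is not None

# Probes shaped like the page's payload; length('probe') is 5, so the first
# condition is true and the second is false. The trailing "-- " comments out the rest.
TRUE_PROBE = "1' and length('probe')>1 -- "
FALSE_PROBE = "1' and length('probe')>10 -- "

def oracle_present(page, conn: sqlite3.Connection) -> bool:
    """A handler leaks a Boolean oracle when the two probes yield different pages.
    Run this against a handler after fixing it to confirm the oracle is gone."""
    return page(conn, TRUE_PROBE) != page(conn, FALSE_PROBE)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks oracle:", oracle_present(page_vulnerable, db))
    print("parameterized handler leaks oracle:", oracle_present(page_parameterized, db))
```

With the parameterized handler, both probes are compared against the integer id column as one literal string, neither matches a row, and the True/False difference the injection depends on disappears.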
Error-based: the payload is structured so that information is echoed back through the error message. One form (the other being the well-known one) first finds the number of fields and then reuses the back-end database's error mechanism to echo results. The difference from ordinary error injection is that ordinary error injection first determines the number of fields and, on that basis, uses a correct query to echo the results onto the page; the latter uses SQL statements that trigger the error-reporting mechanism without depending on the field count.
A typical payload is:
Select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a;
count(): counts rows
concat(): joins strings
floor(): rounds down; floor(rand(0)*2) yields only the two values 0 and 1, which produces duplicate group keys
group by: groups rows
rand(0): a fixed seed, so the random sequence is reproducible and the duplicate-key error triggers reliably rather than by chance
Time-based
Judged by how long the page takes to respond.
Using the sleep() function for testing, if() and sleep() are combined to guess the data one character at a time.
http://127.0.0.1/less-9?id=1' and (if(ascii(substr(database(),1,1))>100,sleep(10),sleep(4)) --+
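The Boolean-based and time-based probes above leave two distinct traces in a web server log: calls to the functions listed on this page inside a quoted parameter, and an abnormally long request time. The added example below (not code from the original post) scans constructed access-log lines in a combined format with a trailing request-time field, decodes the query string, and classifies each request. The log lines, the IP addresses, the field layout and the 3-second slow threshold are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (Nginx/Apache combined format plus a request-time
# field in seconds). Illustrative only, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /less-9?id=1 HTTP/1.1" 200 512 0.003
10.0.0.5 - - [10/Oct/2023:12:00:02 +0000] "GET /less-9?id=1'+and+(if(ascii(substr(database(),1,1))>100,sleep(10),sleep(4)))+--+ HTTP/1.1" 200 512 10.004
10.0.0.5 - - [10/Oct/2023:12:00:13 +0000] "GET /less-8?id=1'and+(length(database()))>10+--+ HTTP/1.1" 200 498 0.002
10.0.0.7 - - [10/Oct/2023:12:00:14 +0000] "GET /search?q=sleep+well HTTP/1.1" 200 1024 0.010
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rt>[\d.]+)$'
)
# The building blocks listed on the page, matched only when used as a function call,
# so ordinary words such as "sleep well" in a search box do not fire.
BLIND_FUNCS = re.compile(
    r"\b(sleep|benchmark|if|ascii|substr|substring|length|database)\s*\(", re.I
)
TIMING_FUNCS = {"sleep", "benchmark"}

def classify(decoded_query: str):
    """Return (kind, funcs): kind is 'time-based', 'boolean-based' or None."""
    funcs = {m.group(1).lower() for m in BLIND_FUNCS.finditer(decoded_query)}
    if funcs & TIMING_FUNCS:
        return "time-based", funcs
    if funcs and "'" in decoded_query:  # function calls inside a broken-out quote
        return "boolean-based", funcs
    return None, funcs

def scan(log_text: str, slow_threshold: float = 3.0):
    """Parse each line, URL-decode the request path and collect suspicious requests."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        rt = float(m.group("rt"))
        decoded = unquote_plus(m.group("path"))  # '+' and %XX back to plain text
        kind, funcs = classify(decoded)
        if kind:
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "kind": kind,
                "funcs": sorted(funcs),
                "slow": rt >= slow_threshold,  # corroborates a sleep() payload
                "request_time": rt,
            })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The request-time field is kept separate from the pattern match on purpose: a sleep() payload that a database restriction prevents from sleeping still shows up by pattern, while a slow request with no such functions is more likely an ordinary performance problem than an injection.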