This post covers time-based blind injection, still using the sqli-labs environment.
First, look at the functions that time-based blind injection needs:
1. The if() function: if(a, b, c)
If a is true, b is executed; otherwise c is executed. As shown in the figure, 1 = 1 is true, so the second parameter, 2, is returned;
when the condition is 11 = 1, which is false, the third parameter, 3, is returned.
2. The sleep() function: sleep(N) makes the statement run for N seconds
We can see that this statement took 5 seconds to execute.
The next query returns 1 if 1 = 1 is true, and sleeps for 5 seconds if it is false.
Because 1 = 1 is true, the query executes in 0 seconds, an almost imperceptible delay; with 1 = 2, the third parameter is executed instead, the query takes 5 seconds, and the delay is clearly noticeable.
Next, use the sleep() function to test whether the first letter of the current sqli-labs database name is a. If it is, the expression returns 1 (the page echoes the same content either way, so it shows You are in ......); if it is not, the query sleeps for 5 seconds.
http://localhost:8088/sqli-labs/Less-5/?id=1' and if(substr((select database()),1,1)='a',1,sleep(5)) --+
The page is noticeably delayed by 5 seconds and then comes back empty; keep trying characters until the page displays You are in ...... without any delay, which identifies the correct character, s.
The later steps are all similar, so they are not repeated here.
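Seen from the server side, these requests leave a recognisable trace: a query string that combines if( with sleep(N), and response times that match N only when the sleep branch ran. The following detection sketch is an added example, not part of the original post; the log format (client, request line, status, request time in seconds) is an assumption and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines. Assumed format: client "request line" status seconds
SAMPLE_LOG = """\
10.0.0.5 "GET /sqli-labs/Less-5/?id=1 HTTP/1.1" 200 0.004
10.0.0.9 "GET /sqli-labs/Less-5/?id=1'%20and%20if(substr((select%20database()),1,1)='a',1,sleep(5))%20--+ HTTP/1.1" 200 5.012
10.0.0.9 "GET /sqli-labs/Less-5/?id=1'%20and%20if(substr((select%20database()),1,1)='s',1,sleep(5))%20--+ HTTP/1.1" 200 0.006
10.0.0.7 "GET /search?q=how+to+sleep+better HTTP/1.1" 200 0.010
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) ([\d.]+)$')
COND_RE = re.compile(r"\bif\s*\(", re.I)
SLEEP_RE = re.compile(r"\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)


def classify(line):
    """Return a hit dict for an if(..., sleep(N)) probe, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, _method, url, _status, seconds = m.groups()
    # Decode %xx and '+' so encoded payloads match the same patterns.
    query = unquote_plus(url.partition("?")[2])
    sleep = SLEEP_RE.search(query)
    if not (sleep and COND_RE.search(query)):
        return None
    delay = float(sleep.group(1))
    # The sleep(N) branch ran only if the response took at least N seconds.
    return {"client": client, "sleep": delay, "seconds": float(seconds),
            "fired": float(seconds) >= delay}


def scan(log_text):
    """Group probe hits by client address."""
    hits = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            hits.setdefault(hit["client"], []).append(hit)
    return hits


if __name__ == "__main__":
    for client, probes in scan(SAMPLE_LOG).items():
        fired = sum(p["fired"] for p in probes)
        print(f"{client}: {len(probes)} conditional sleep() probes, {fired} delayed")
```

A client whose probes mix delayed and undelayed responses is reading the condition through timing, which is the behaviour worth alerting on; the plain search for "sleep" in the last sample line is not flagged.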