SQLMAP Part 1

in #cn6 years ago

SQLMAP Part 1

放上大佬写的一个流程图

em .... 这篇文章 只写自己注入的一个方式 error-based injection

error-based也有叫做DOUBLE QUERY INJECTION,即双查询注入

Error-based tests - WHERE or HAVING clause

payload 如下:

AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))

其中

SELECT (ELT([RANDNUM]=[RANDNUM],1))

会返回NULL 如下:

SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x')

ELT() 函数使用方法如下: 这张图 能很好地解释了

CONCAT() 函数 如下:

mysql> SELECT CONCAT(’My’, ‘S’, ‘QL’);

-> ‘MySQL’

if() 函数用法如下:

if(expr1,expr2,expr3) 
如果 expr1 是TRUE ,则if()的返回值为expr2; 否则返回值则为 expr3。
if() 的返回值为数字值或字符串值,具体情况视其所在语境而定。

至于为什么会报错 你只要在mysql中 执行如下命令 就可以就明白了:

select 3 * 8446744073709551610;

mysql> select 3 * 8446744073709551610;
ERROR 1690 (22003): BIGINT value is out of range in '(3 * 8446744073709551610)'
mysql>
#cn-reader #blog #cn-curation #cn-malaysia
6 years ago in #cn by
$0.06
  • Past Payouts $0.06, 0.00 TRX
  • - Author $0.05, 0.00 TRX
  • - Curators $0.01, 0.00 TRX
5 votes
Reply 3
Sort:  
  • Trending
    • [-]
     6 years ago 

    我们都是脚本小子

    $0.04
    • Past Payouts $0.04, 0.00 TRX
    • - Author $0.04, 0.00 TRX
    • - Curators $0.00, 0.00 TRX
    2 votes
    Reply
    [-]
     6 years ago 

    Hi ~ I'm a robot of lynnhua.I just upvoted your post!
    Please come visit me here: https://steemit.com/@lynnhua
    Thanks so much~!!

    $0.00
      Reply
      [-]
       6 years ago 

      thanks

      $0.05
      • Past Payouts $0.05, 0.00 TRX
      • - Author $0.04, 0.00 TRX
      • - Curators $0.01, 0.00 TRX
      2 votes
      Reply

      Coin Marketplace

      STEEM 0.30
      TRX 0.11
      JST 0.033
      BTC 64243.42
      ETH 3152.93
      USDT 1.00
      SBD 4.28