order by的一個利用方式是使用
rand(true)
rand(false)
返回排序不同進行盲注，
rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128))

order by rand()是隨機排序返回，經過測試發現 select rand(true)  結果是0.40540353712197724

select rand(false); 結果是0.15522042769493574  疑問就是，這裡order by rand(true)的含義是啥，根據什麼標準進行排序？

會為每一條記錄都生成一個隨機值，然後排序
Order by Rand() Method

SELECT * FROM myTable ORDER BY RAND() LIMIT 1;

This method works by generating a random value for each row of the table, sorting the table according to these random values, and then returning one row.

參考
https://www.warpconduit.net/2011/03/23/selecting-a-random-record-using-mysql-benchmark-results/

@小餅仔 感謝，知道了rand()隨機排序的原理，不過order by rand(true) 是啥意思呢

@D＆G
rand(N)裡面的N是一個用來生產隨機數的seed value，型別為常量整數。
至於rand(true)，你執行下 select true, false ; 就知道了，分別為1 和 0
參考
http://dev.mysql.com/doc/refman/5.7/en/mathematical-functions.html#function_rand
RAND(), RAND(N)

Returns a random floating-point value v in the range 0 <= v < 1.0. If a constant integer argument N is specified, it is used as the seed value, which produces a repeatable sequence of column values. In the following example, note that the sequences of values produced by RAND(3) is the same both places where it occurs.

感謝大神~懂了。true 和false 自動轉換成整型，rand(1)和rand(0) 有固定種子，兩種排序不一樣，作為標準盲注~~~