使用格式:MAKE_SET(bits,str1,str2,…)
1 返回一個設定值(含子字符串分隔字符串","字符),在設置位的相應位的字符串。str1對應於位0,str2到第1位,依此類推。在str1,str1有NULL值,…那么不添加到結果。
實驗過程
1、bits將轉為二進制,1的二進制為0000 0001,倒過來為1000 0000,所以取str1(a),打印a
select make_set("1","a","b","c");
2、bits將轉為二進制,2的二進制為0000 0010,倒過來為0100 0000,所以取str2(b),打印b
select make_set("2","a","b","c");
3、bits將轉為二進制,4的二進制為0000 0100,倒過來為0010 0000,所以取str3(c),打印c
select make_set("4","a","b","c");
3、bits將轉為二進制,3的二進制為0000 0011,倒過來為1100 0000,所以取str1(a),str2(b),打印a,b
select make_set("3","a","b","c");
以此類推
函數用處
在sql注入過程中,如果某些函數被禁用,可使用該函數進行繞過
舉例如下
在test數據庫下有test數據表,test數據表中存有flag,使用該函數進行查詢
1、查詢數據庫名
select make_set("3","&",(select database()));
2、查詢數據表
select make_set("3","&",(select group_concat(table_name) from information_schema.tables where table_schema='test'));
3、查詢字段名
select make_set("3","&",(select group_concat(column_name) from information_schema.columns where table_name='test'));
4、查詢字段數據
select make_set("3","&",(select flag from test.test));
