Early judgment

As soon as I came in, I saw that there was WAF, Hurry to try what you intercepted .

It doesn't feel right , Is there something wrong with the firewall .
Something really seems to be wrong , Hurry to check the source code ,index.php The file of is this interface , It can be seen that there is no filtering .

There are also two, such as blocked pages and pages with firewalls .

Such as the blocked interface .

Yes WAF The interface of .

The test found that most symbols were blocked .

Inject

Method 1 ： A middleman

Suddenly there are several problems , Whether it is front-end judgment , Can we use the middleman method to bypass WAF, Grab a bag and throw it in burp suite Of Repeater Test it inside , You can see that it seems to bypass WAF.

English single quotation mark injection , Pay attention to burpsuite Inside id= There must be no spaces between the following parameters , otherwise burpsuite You will think that the parameters separated by spaces are not parameters , An error request will appear .

In short, it is to find a way to make id= The following parameters are the same color （ This is green ）, This should be one of many methods .

Judge the number of rows .

Name of judgment table .

-1'union(select(1),2,group_concat(table_name)from(information_schema.tables)where(table_schema=database()))--+

Judge the listing .

-1'union(select(1),2,group_concat(column_name)from(information_schema.columns)where(table_name='users'))--+

value

-1'union(select(1),group_concat(username),group_concat(password)from(users))--+

Method 2 ：

First test to see if those characters are not blocked , To make use of .

Find out "&", Not filtered , How to use it .
You can see that the filtered characters follow & You can use it later .

Table name .

1&id=-1' union select null,null,group_concat(table_name) from information_schema.tables where table_schema=database()--+