Network Security Rookie Learning Vulnerabilities: SQL (5)

Today we will talk about MySQL wide-byte injection bypass. As usual, let's first understand under what circumstances it can be used.
PHP has a switch called magic quotes; in phpStudy it appears in the PHP configuration as magic_quotes_gpc. (It does the same thing as addslashes(), which means addslashes() can also be bypassed with wide bytes.)
Magic quotes adds a backslash before every single quote, double quote, backslash and NUL byte in incoming GET, POST and Cookie data, escaping them.
(You can refer to this article: https://www.cnblogs.com/huyihao/p/6217801.html)
What impact does this have on our injection? Every single quote we send reaches the query as \', so it can no longer close the string literal and let the rest of our input run as SQL.
So this greatly affects our injection.
Let's do two small experiments to see how big the impact is. The first experiment uses this request:

http://127.0.0.1/sqli-labs-master/Less-1/index.php?id=2' and 1=1--+

Let's see the difference before and after turning it on.
Before turning it on: (screenshot)
After turning it on: (screenshot)
We find that the browser returns the same result both times. What is going on? Could what we said earlier be wrong? Not at all; let's analyze it again. Does this look familiar? We covered it in "Network Security Rookie Learning Vulnerabilities-SQL (1)" (if it doesn't ring a bell, go back and reread that part).
The same principle applies here. With magic quotes on, the query becomes SELECT * FROM users WHERE id='2\' and 1=1-- ' LIMIT 0,1: the whole value stays inside the quotes as one string, and because id is an integer column MySQL converts that string to a number using its leading digits and ignores the rest. So it is equivalent to executing $sql="SELECT * FROM users WHERE id='2' LIMIT 0,1";
Some students may be a little dizzy at this point, so understand it the same way as before. Even if you write a watermelon in there:

`$sql="SELECT * FROM users WHERE id='2西瓜' LIMIT 0,1";`

As long as the value is inside the string, MySQL still takes the leading 2, so it is still equal to $sql="SELECT * FROM users WHERE id='2' LIMIT 0,1"
(Another point: this is also one way to test for an injection point. Append a bunch of junk characters; if the page still echoes normally, that suggests the input is not an injection point. As this experiment shows, though, an integer column silently dropping the junk can hide a real one, so don't rely on this check alone.)
In fact, we can verify what we said above with echo. The steps are as follows (echo prints its argument; think of printf in C or print in Python):
1. Open the website root directory
2. Enter the Less-1 folder under sqli-labs-master
3. Open index.php and add echo $sql; right after the line that builds $sql (I used EditPlus to open it; Notepad works too)
Now revisit http://127.0.0.1/sqli-labs-master/Less-1/index.php?id=2' and 1=1--+ and the page shows exactly which statement was executed. Let's take a look.
Before turning it on, the echoed query is: SELECT * FROM users WHERE id='2' and 1=1-- ' LIMIT 0,1
After turning it on, it is: SELECT * FROM users WHERE id='2\' and 1=1-- ' LIMIT 0,1
And the watermelon, while we're at it: SELECT * FROM users WHERE id='2西瓜\' LIMIT 0,1
The first experiment is done. Now the second experiment, whose purpose is to see the real impact. The request this time is: http://127.0.0.1/sqli-labs-master/Less-1/index.php?id=-2' union select 1,database(),3--+
Before turning it on: the quote closes the literal, the union runs, and the page displays the result of database().
After turning it on: the quote is escaped, the whole value is the string '-2\' union select 1,database(),3-- ', MySQL compares the integer column with -2, no row matches, and the union never runs.
Now we can clearly see the impact.
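The following is an added example, not code from the original post: a small Python model of what magic_quotes_gpc / addslashes() does to the three inputs used in the two experiments, and of why experiment 1 looks unchanged while experiment 2 loses its union. The users table, the Less-1 query shape SELECT * FROM users WHERE id='$id' LIMIT 0,1 and the integer-comparison rule are assumptions of the example (a simplified stand-in for MySQL, which actually converts the string to a DOUBLE using its numeric prefix); the payloads are written with the trailing --+ already URL-decoded to "-- ".

```python
# Added example, not code from the original post: a model of what
# magic_quotes_gpc / addslashes() does to the three inputs used in the two
# experiments above, and of why experiment 1 looks unchanged while experiment 2
# loses its union. Assumptions (not from the page): a constructed users table,
# the Less-1 query shape SELECT * FROM users WHERE id='$id' LIMIT 0,1, and a
# simplified model of how MySQL compares an INT column with a string.
import re
from typing import Optional

USERS = {1: "Dumb", 2: "Angelina", 3: "Dummy"}  # constructed sample rows, not real data

def addslashes(s: str) -> str:
    """PHP addslashes(): a backslash before ' " \\ and NUL (NUL becomes \\0),
    exactly what magic_quotes_gpc did to GET/POST/Cookie values."""
    return re.sub(r"(['\"\\\x00])",
                  lambda m: "\\0" if m.group(1) == "\x00" else "\\" + m.group(1), s)

def build_query(id_param: str, magic_quotes: bool) -> str:
    """The query string that the added echo $sql; line would print."""
    value = addslashes(id_param) if magic_quotes else id_param
    return f"SELECT * FROM users WHERE id='{value}' LIMIT 0,1"

def mysql_unescape(body: str) -> str:
    """Undo the escapes inside a '...' literal (only those addslashes emits)."""
    return re.sub(r"\\(.)", lambda m: "\x00" if m.group(1) == "0" else m.group(1), body)

def mysql_int_cast(s: str) -> int:
    """Simplified model of MySQL comparing an INT column with a string: the
    leading integer prefix is used and the rest is ignored ('2' and 1=1-- '
    and '2西瓜' both become 2); a string with no numeric prefix becomes 0."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0

def row_with_magic_quotes(id_param: str) -> Optional[str]:
    """With magic quotes on, the whole input stays inside the quotes, so MySQL
    compares the INT column with one string and none of our SQL ever runs."""
    escaped = addslashes(id_param)                          # what PHP puts in the query
    effective_id = mysql_int_cast(mysql_unescape(escaped))  # what MySQL compares against
    return USERS.get(effective_id)

if __name__ == "__main__":
    for payload in ("2' and 1=1-- ", "2西瓜'", "-2' union select 1,database(),3-- "):
        print(build_query(payload, magic_quotes=True))
        print("  row returned:", row_with_magic_quotes(payload))
```

Run it and the first two payloads return the id=2 row while the union payload returns nothing: with the quote escaped, the injected SQL is just text being compared with an integer.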
Okay, that covers the principle of magic quotes. Now for the principle and use of wide-byte injection bypass.
Having talked about magic quotes, everyone can probably guess the principle. Simply put, magic quotes adds a \, so we need to find a way to render it harmless. Wide-byte injection uses a two-byte character to swallow the \. (That is the easy way to picture it. To be more accurate: when MySQL uses the GBK encoding it treats two bytes as one Chinese character, with the prerequisite that the first byte is greater than 128, i.e. in GBK's lead-byte range. The backslash is 0x5C, which is a valid second byte in GBK, so after escaping, %df%27 arrives as the bytes df 5c 27: df 5c is parsed as one character and the 27, our single quote, is left unescaped.)
We generally use %df for wide-byte injection. For example:
http://127.0.0.1/sqli-labs-master/Less-1/index.php?id=-2%df%27%20union%20select%201,database(),3--+

Note: if you want to use wide bytes on Less-1, you need to add the line mysql_query("SET NAMES gbk"); to the PHP. Without it the connection defaults to utf8 and the bypass does not work, even if you change phpStudy's general settings to GBK encoding. (I found a lot of articles on the Internet that did not mention this; I only learned it by asking other people.)
The specific modification steps are as follows:
1. Open the website root directory
2. Enter the Less-1 folder under sqli-labs-master
3. Open index.php and add the line mysql_query("SET NAMES gbk"); after the connection is opened
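The following is an added example, not code from the original post. It models, in Python, why %df%27 gets past addslashes() only when the connection character set is GBK (the reason the SET NAMES gbk line above is needed), and, going one step beyond the post, how MySQL's charset-aware escaping (mysql_real_escape_string() once the client library knows the charset via mysql_set_charset()) closes the hole. The PAYLOAD bytes are a constructed, URL-decoded copy of the id parameter from the request above, and the lead/trail byte rules are a simplified model of how the MySQL lexer steps through a '...' literal under SET NAMES gbk versus utf8 (only two-byte sequences are modelled).

```python
# Added example, not code from the original post: why %df%27 gets past
# addslashes() only when the connection character set is GBK, and, going a step
# beyond the post, how MySQL's charset-aware escaping (mysql_real_escape_string()
# once the client library knows the charset) closes the hole. Assumptions (not
# from the page): PAYLOAD is the URL-decoded id parameter from the request
# above, and the byte-boundary rules below are a simplified model of how the
# MySQL lexer steps through a '...' literal under SET NAMES gbk / utf8.
import re
from typing import Optional

PAYLOAD = b"-2\xdf' union select 1,database(),3-- "  # constructed: id=-2%df%27%20union... after decoding

def addslashes(data: bytes) -> bytes:
    """PHP addslashes() / magic_quotes_gpc: a backslash before ' " \\ and NUL.
    It works byte by byte and has no idea that 0xDF is a GBK lead byte."""
    return re.sub(rb"(['\"\\\x00])",
                  lambda m: b"\\0" if m.group(1) == b"\x00" else b"\\" + m.group(1), data)

def is_lead_byte(b: int, charset: str) -> bool:
    if charset == "gbk":
        return 0x81 <= b <= 0xFE
    if charset == "utf8":
        return 0xC2 <= b <= 0xDF      # 2-byte lead bytes only; enough for this payload
    raise ValueError(charset)

def is_mb_char(b: int, nxt: Optional[int], charset: str) -> bool:
    """Model of my_ismbchar(): do byte b and the following byte form one character?
    gbk trail bytes are 0x40-0x7E and 0x80-0xFE, so 0x5C (backslash) qualifies;
    utf8 continuation bytes are 0x80-0xBF, so 0x5C never does."""
    if nxt is None or not is_lead_byte(b, charset):
        return False
    if charset == "gbk":
        return 0x40 <= nxt <= 0x7E or 0x80 <= nxt <= 0xFE
    return 0x80 <= nxt <= 0xBF

def literal_breaks_out(escaped: bytes, charset: str) -> bool:
    """Walk the escaped bytes as the body of a '...' literal the way the lexer
    does: a complete multibyte character is skipped whole (this is where the
    backslash gets swallowed), a backslash skips exactly one following byte,
    '' is a literal quote, and any other ' ends the literal, so whatever follows
    it runs as SQL. True means the injection gets through."""
    i, n = 0, len(escaped)
    while i < n:
        b = escaped[i]
        nxt = escaped[i + 1] if i + 1 < n else None
        if is_mb_char(b, nxt, charset):
            i += 2
        elif b == 0x5C:
            i += 2
        elif b == 0x27:
            if nxt == 0x27:
                i += 2
            else:
                return True
        else:
            i += 1
    return False

def real_escape_string(data: bytes, charset: str) -> bytes:
    """Model of mysql_real_escape_string() with the charset set via
    mysql_set_charset(): a complete multibyte character is copied through
    untouched, and a byte that only looks like a lead byte (0xDF followed by ')
    is itself backslash-escaped, so it can never pair up with the backslash that
    escapes the quote after it."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        b = data[i]
        nxt = data[i + 1] if i + 1 < n else None
        if is_mb_char(b, nxt, charset):
            out += data[i:i + 2]
            i += 2
            continue
        if is_lead_byte(b, charset):
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        elif b in b"'\"\\":
            out += b"\\" + bytes([b])
        else:
            out.append(b)
        i += 1
    return bytes(out)

if __name__ == "__main__":
    for cs in ("utf8", "gbk"):
        print(cs, "addslashes         breaks out:", literal_breaks_out(addslashes(PAYLOAD), cs))
        print(cs, "real_escape_string breaks out:", literal_breaks_out(real_escape_string(PAYLOAD, cs), cs))
    print("0xDF 0x5C under GBK is one character:", b"\xdf\\".decode("gbk"))
```

Under utf8 the byte 0x5C stays a backslash and the quote stays escaped, which is why the bypass fails until the connection is switched to gbk. The charset-aware escape shows the other half of the story: a query issued with mysql_query("SET NAMES gbk") changes the server's view but does not tell the client library, so its escaping still behaves like addslashes(); mysql_set_charset() (or prepared statements) is what actually closes the gap.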

It is worth noting that magic_quotes_gpc no longer exists in PHP 5.4 and later (it was deprecated in 5.3), but addslashes() is still there, and code that escapes with it, or that switches the character set with mysql_query("SET NAMES gbk") instead of telling the client library through mysql_set_charset() / mysqli_set_charset(), remains exposed to this bypass. Prepared statements avoid the problem entirely.
(PS: please comment and follow.)

Source: blog.csdn.net/gqzszzy/article/details/108208663