Summary of MySQL injection filter-bypass techniques
First, let's look at the operation in a GIF:
Case 1: spaces are filtered
Use parentheses () instead of spaces. Any expression that evaluates to a result can be wrapped in parentheses:
select * from(users)where id=1;
Use comments /**/ in place of spaces:
select * from/**/users/**/where id=1;
Case 2: the filter blocks from in combination with certain characters
Add a dot after from, that is, use from. in place of from:
select * from. users where id=1;
Then you can directly view the GIF:
Put simply, you just replace the quoted 'field name' with its hex encoding;
This ties in with the use of load_file or into outfile in SQL injection, where hex is frequently used to encode the one-line Trojan before it is written out;
Here we do not need single or double quotation marks (I will not go into magic_quotes_gpc());
But at that time I only looked at the results. Today, while sorting out my earlier materials, I came across this problem again, but I was confused and did not know why it was encoded this way. The actual operation is as follows:
You can clearly see the error: the first single quote after select is closed by the single quote before cmd in the Trojan, which causes an error in the rest of the statement;
Then convert it to hex, remove the quotation marks, and the data can be written;
Here my host does not grant the permission and reports that it cannot be written. I still need to look into this;
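As an added example (not from the original article), the Python sketch below shows why the substitutions in Case 1, Case 2 and the hex section slip past a raw substring filter, and how a log-matching rule can canonicalize a statement before comparing it. The sample statements, the 'admin' value and all function names are constructed for illustration; the normalization is lossy and is meant for detection only, since parameterized queries are what actually remove the injection.

```python
import re

COMMENT = re.compile(r"/\*.*?\*/", re.S)
HEX = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")
TOKEN = re.compile(r"0x(?:[0-9a-fA-F]{2})+\b|'[^']*'|\w+|[^\s\w]")

# Constructed samples: the statement forms from this page, plus a hex/quoted pair.
SAMPLES = [
    "select * from users where id=1;",
    "select * from(users)where id=1;",
    "select * from/**/users/**/where id=1;",
    "select * from. users where id=1;",
]
QUOTED = "select * from users where name='admin';"
HEXED = "select * from users where name=0x61646d696e;"


def normalize(sql):
    """Canonical token list for matching; lossy, not a SQL parser."""
    out = []
    for tok in TOKEN.findall(COMMENT.sub(" ", sql)):   # /**/ acts as a space
        hexed = HEX.fullmatch(tok)
        if tok in ("(", ")"):
            continue                                   # () standing in for spaces
        if tok == "." and out and out[-1] == "from":
            continue                                   # the "from." form
        if hexed:                                      # hex literal -> quoted string
            tok = "'" + bytes.fromhex(hexed.group(1)).decode("latin-1") + "'"
        elif not tok.startswith("'"):
            tok = tok.lower()
        out.append(tok)
    return out


def contains(tokens, rule):
    """True if the token sequence `rule` occurs contiguously in `tokens`."""
    n = len(rule)
    return any(tokens[i:i + n] == rule for i in range(len(tokens) - n + 1))


def naive_match(sql):
    """A raw substring rule of the kind the page's forms slip past."""
    return "from users" in sql.lower()


if __name__ == "__main__":
    for s in SAMPLES + [QUOTED, HEXED]:
        print(naive_match(s), contains(normalize(s), ["from", "users"]), s)
```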
Summary
That is all for this article. I hope it helps you in your study or work. If you have any questions, please leave a message.