Use regular expressions to bypass
2022-07-21 02:07:00 【Orange oak】
First, prepare the practice range (lab) environment.
Open the Xiaopi panel (phpStudy), start and configure the Apache environment and the database, and change the web root directory.
Open the lab page; the login name returned for the default query is Dumb.
Querying the lab
First use order by to find the number of columns.
The reason for using order by is that in a union query, if the column counts of the two sides are inconsistent, an error is raised.
If the column count you try first is too large, an error is reported, so decrease it one at a time until the query succeeds.
From order by we learn that this table has 3 columns, so we can then display columns 2 and 3. You can see that the second column stores the login name and the third column stores the password.
Enter the following in the browser: localhost/Less-1/?id=1' union select 1,2,3--+
Now that we know the number of columns for users and passwords, we can also query the current user:
Enter the following in the browser: localhost/Less-1/?id=1' union select 1,(select user()),3--+
But you cannot keep going in this way, because the site's filter uses the regular expression select\b[\s\S]*\bfrom: it starts with select, and whenever you query you must follow with a from that references a table.
How it matches here: it begins with select, and \b after select matches a word boundary; [\s\S] combines the two classes and is equivalent to matching any character; "*" matches 0 or more times. An expression like this filters out the injection so that it no longer works.
Add the following statement to the configuration file, then enter the address in the browser: localhost/Less-1/?id=1' union select 1,(select group_concat(username,0x3a,password)from users),3--+
The result of visiting the page after the change is:
Starting the bypass
Because of the problem above, if we want to bypass the filter there must be no word boundary before from, which means changing the token in front of from (but it must still form a single word, it must parse as an extension of the preceding token, and it must not raise an error).
The saving grace is that MySQL supports scientific notation, so if you add a scientific-notation literal to the query:
select username,1e1from users;
Because 1e1 is scientific notation, MySQL recognizes it and lists it as a separate column, and "1e1" can be written directly against from; the server treats them as two tokens, so no error is raised and the regular expression is bypassed. But the problem is not yet fully solved.
When I entered this to bypass the filter, it prompted "Operand should contain 1 column(s)", meaning the number of columns in the query exceeds what is allowed.
Earlier we found there were three columns; now a scientific-notation value has been added for the bypass, but it also adds a corresponding extra column. So we can write it another way, changing the syntax so that 4 columns become 3.
**localhost/Less-1/?id=1' union select 1,group_concat(username,0x3a,password)from users)--+**
Written this way, the number of output columns is reduced: the second column shows the username and password, and the third column is the added scientific-notation value.
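As an added example (not code from the original post), the following Python script runs the post's regular expression against the post's own query fragments to show where the `\b` anchor fails, and then shows the defence that makes the keyword filter unnecessary: a parameterized query. It assumes an in-memory sqlite3 database as a stand-in for MySQL; the table and the row it inserts are constructed sample data.

```python
import re
import sqlite3

# The blacklist regex described in the post. MySQL keywords are case-insensitive,
# so a real filter would have to be as well.
FILTER = re.compile(r"select\b[\s\S]*\bfrom", re.IGNORECASE)

# Constructed sample inputs, taken from the fragments the post discusses.
INPUTS = {
    # ')' before from is a non-word character, so \bfrom matches: blocked.
    "spaced_from": "(select group_concat(username,0x3a,password)from users)",
    # '1e1from' has no word boundary between '1' and 'f': the regex misses it,
    # while MySQL's lexer still splits it into the number 1e1 and the keyword from.
    "sci_notation": "select username,1e1from users",
    # An ordinary id value contains no keyword at all.
    "plain_id": "1",
}


def is_blocked(fragment: str) -> bool:
    """Return True if the blacklist regex would reject this input."""
    return FILTER.search(fragment) is not None


def filter_results() -> dict:
    """Evaluate every sample input against the filter."""
    return {name: is_blocked(value) for name, value in INPUTS.items()}


def demo_db() -> sqlite3.Connection:
    """Build a constructed users table (sqlite3 stands in for MySQL here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'Dumb', 'constructed-secret')")
    return conn


def lookup_user(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterized lookup: the driver passes user_id as a bound value, so it is
    never parsed as SQL and the 1e1from trick (or any other keyword) is irrelevant."""
    cur = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    for name, blocked in filter_results().items():
        print(f"{name:13s} blocked={blocked}")
    db = demo_db()
    print(lookup_user(db, "1"))                                   # ['Dumb']
    print(lookup_user(db, "1' union select username,1e1from users--"))  # []
```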